FANDOM


Installation

Trojan:Win32/Wysotot.gen!A is usually installed on the user's PC by software bundlers that advertise free software or games. One installer that we have seen distribute Win32/Wysotot.gen!A is shown below: When the installer is launched, it creates a folder in %ProgramFiles% directory and drops a file there, for example %ProgramFiles%\v9Soft\v9kb.exe.

It also drops and launches a DLL in the %TEMP% directory, for example %TEMP%\v9Loader.dll, and installs it as a browser helper object. Payload

Changes browser settings

Trojan:Win32/Wysotot.gen!A makes changes to the settings of the following web browsers: • Chrome • Firefox • Internet Explorer • Opera

It changes the start page so that when the browser is launched it opens a website on the v9.com domain. It can do this via the registry, for instance it makes the following modifications for Internet Explorer:

In subkey: HCKU\Software\Microsoft\Internet Explorer\Main Sets value: "Start Page" With data: http://www.v9.com/<removed>b&utm_medium=kb

In subkey: HCKU\Software\Microsoft\Internet Explorer\Main Sets value: "Default_Page_URL" With data: http://www.v9.com/<removed>b&utm_medium=kb

Trojan:Win32/Wysotot.gen!A also modifies the default search provider to www.v9.com as shown below: Symptoms


The following could indicate that the user have this threat on the user's PC: •the user's web browser start page and default search provider have been changed to www.v9.com

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.