Trojan:Win32/Wysotot.gen!A is usually installed on the user's PC by software bundlers that advertise free software or games. One installer that we have seen distribute Win32/Wysotot.gen!A is shown below:

When the installer is launched, it creates a folder in the %ProgramFiles% directory and drops a file there, for example %ProgramFiles%\v9Soft\v9kb.exe.

It also drops and launches a DLL in the %TEMP% directory, for example %TEMP%\v9Loader.dll, and installs it as a browser helper object.

Payload

Changes browser settings

Trojan:Win32/Wysotot.gen!A makes changes to the settings of the following web browsers:

• Chrome
• Firefox
• Internet Explorer
• Opera

It changes the start page so that when the browser is launched it opens a website on the domain. It can do this via the registry; for instance, it makes the following modifications for Internet Explorer:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: <removed>b&utm_medium=kb

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Default_Page_URL"
With data: <removed>b&utm_medium=kb
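A host check for the indicators named in this description, as an added example (not part of the original write-up or any Microsoft tool). The file names and the `utm_medium=kb` fragment are the examples quoted above and may differ between installations; flagging any browser helper object whose DLL loads from %TEMP% is an assumption of this example.

```powershell
# Added example. Indicators are the example names quoted in the description;
# other installations may use different file names.
$marker   = 'utm_medium=kb'   # query-string fragment visible in the registry data
$findings = @()

# 1. Internet Explorer start page values under HKCU
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
foreach ($name in 'Start Page', 'Default_Page_URL') {
    $value = (Get-ItemProperty -Path $ieMain -Name $name -ErrorAction SilentlyContinue).$name
    if ($value -and $value -like "*$marker*") {
        $findings += [pscustomobject]@{ Check = "IE value '$name'"; Evidence = $value }
    }
}

# 2. Dropped files (a 32-bit installer on 64-bit Windows writes to Program Files (x86))
$candidates = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique |
    ForEach-Object { Join-Path $_ 'v9Soft\v9kb.exe' }
$candidates = @($candidates) + (Join-Path $env:TEMP 'v9Loader.dll')
foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{ Check = 'Dropped file'; Evidence = $path }
    }
}

# 3. Browser helper objects whose DLL is v9Loader.dll or loads from %TEMP%
$views = @(
    @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)
foreach ($view in $views) {
    foreach ($key in Get-ChildItem -LiteralPath $view.Bho -ErrorAction SilentlyContinue) {
        $server = "$($view.Clsid)\$($key.PSChildName)\InprocServer32"
        $dll = (Get-ItemProperty -LiteralPath $server -ErrorAction SilentlyContinue).'(default)'
        if (-not $dll) { continue }
        $inTemp = $dll.StartsWith($env:TEMP, [System.StringComparison]::OrdinalIgnoreCase)
        if ($inTemp -or ([System.IO.Path]::GetFileName($dll) -ieq 'v9Loader.dll')) {
            $findings += [pscustomobject]@{ Check = "BHO $($key.PSChildName)"; Evidence = $dll }
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No indicators from the description were found.' }
```

Run it in the affected user's session, since the start page values and %TEMP% are per-user.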

Trojan:Win32/Wysotot.gen!A also modifies the default search provider to as shown below:

Symptoms

The following could indicate that the user has this threat on their PC:

• The user's web browser start page and default search provider have been changed to

