Virus: TR/Wysotot.C
Date discovered: 16/11/2013
Type: Trojan
In the wild: No
Reported Infections: Medium
Distribution Potential: Low
Damage Potential: Low
Static file: No
VDF version: 7.11.113.236 - Saturday, November 16, 2013
IVDF version: 7.11.113.236 - Saturday, November 16, 2013

General
Method of propagation:
   • No own spreading routine


Aliases:
   • Symantec: exqWebSearch
   • Mcafee: RDN/Generic PUP.x!bmc
   • Kaspersky: Trojan.Win32.Staser.tgg
   • TrendMicro: TROJ_GEN.R0CBC0EKG13
   • F-Secure: Gen:Variant.Kazy.291984
   • Sophos: Mal/Generic-S
   • Bitdefender: Gen:Variant.Kazy.291984
   • Avast: Win32:Malware-gen
   • Microsoft: Trojan:Win32/Wysotot.C
   • AVG: Win32/DH{AB41DCcofl0gIiU}
   • Panda: Suspicious file
   • Eset: Win32/ELEX.M
   • GData: Gen:Variant.Kazy.291984
   • Fortinet: Riskware/PUP_x
   • Ikarus: Trojan.Win32.Staser


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Files
It copies itself to the following location:
   • %allusersprofile%\Application Data\eSafe\eGdpSvc.exe



The following file is created:

Non malicious file:
   • %allusersprofile%\Application Data\eSafe\log\eGdpSvc.LOG

Registry
The following registry keys are added:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WsysControl]
   • "DisplayName"="Wsys Control 15.2.1.2652"
   • "DisplayVersion"="15.2.1.2652"
   • "publisher"="Wsys Co., Ltd."
   • "UninstallString"="%allusersprofile%\\Application Data\\eSafe\\eGdpSvc.exe -unsvc"
   • "DisplayIcon"="%allusersprofile%\\Application Data\\eSafe\\eGdpSvc.exe"

[HKLM\SOFTWARE\eSafeSecControl]
   • "sid"="eGdp"
   • "channel"="eGdp"
   • "pid"="eSafe"
   • "ver"="15.2.1.2652"

[HKLM\SYSTEM\ControlSet001\Services\WsysSvc]
   • "Type"=dword:00000010
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000001
   • "ImagePath"="%allusersprofile%\\Application Data\\eSafe\\eGdpSvc.exe"
   • "DisplayName"="Wsys Service"
   • "Group"="SchedulerGroup"
   • "ObjectName"="LocalSystem"
   • "Description"="Wsys update service"

[HKLM\SYSTEM\ControlSet001\Services\WsysSvc\Security]
   • "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,...[168 bytes]

[HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\WsysSvc]
[HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\WsysSvc]
   • "EventMessageFile"="%allusersprofile%"
   • "TypesSupported"=dword:00000007

[HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application]
   • "Sources"="WsysSvc;WSH;WMIAdapter;WMI.NET Provider Extension;WmdmPmSN;WinMgmt;Winlogon;Windows Product Activation;Windows 3.1 Migration;WebClient;VSSetup;VSS;VBRuntime;Userinit;Userenv;UploadM;Tlntsvr;System.ServiceModel.Install 3.0.0.0;System.ServiceModel 4.0.0.0;System.ServiceModel 3.0.0.0;System.Runtime.Serialization 4.0.0.0;System.Runtime.Serialization 3.0.0.0;System.IO.Log 4.0.0.0;System.IO.Log 3.0.0.0;System.IdentityModel 4.0.0.0;System.IdentityModel 3.0.0.0;SysmonLog;SpoolerCtrs;Software Restriction Policies;Software Installation;ServiceModel Audit 4.0.0.0;ServiceModel Audit 3.0.0.0;SecurityCenter;SclgNtfy;SceSrv;SceCli;safrslv;SAFrdms;Remote Assistance;PerfProc;PerfOS;PerfNet;Perfmon;Perflib;PerfDisk;Perfctrs;Offline Files;Oakley;ntbackup;MSSQLSERVER/MSDE;MsiInstaller;MSDTC Client;MSDTC;mnmsrvc;Microsoft.Transactions.Bridge 4.0.0.0;Microsoft.Transactions.Bridge 3.0.0.0;Microsoft H.323 Telephony Service Provider;Microsoft (R) Visual C 2005 Compiler;LoadPerf;HelpSvc;Folder Redirection;File Deployment;EventSystem;ESENT;EAPOL;DrWatson;DiskQuota;crypt32;COM+;COM;Ci;Chkdsk;CardSpace 4.0.0.0;CardSpace 3.0.0.0;AutoEnrollment;Autochk;ASP.NET 4.0.30319.0;ASP.NET 2.0.50727.0;ASP.NET 1.1.4322.0;Application Management;Application Hang;Application Error;apphelp;.NET Runtime Optimization Service;.NET Runtime 4.0 Error Reporting;.NET Runtime 2.0 Error Reporting;.NET Runtime;Application;"

[HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WSYSSVC]
   • "NextInstance"=dword:00000001

[HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WSYSSVC\0000]
   • "Service"="WsysSvc"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="Wsys Service"

[HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WSYSSVC\0000\Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="WsysSvc"

[HKLM\SYSTEM\ControlSet001\Services\WsysSvc\Enum]
   • "0"="Root\\LEGACY_WSYSSVC\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

[HKLM\SYSTEM\ControlSet001\Control\ServiceCurrent]
   • @=dword:0000000a

[HKLM\SOFTWARE\eSafeSecControl]
   • "sid"="eGdp"
   • "ver"="15.2.1.2652"



The following registry keys are changed:

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
   New value:
   • "Cache"="C:\\Documents and Settings\\LocalService\\Local Settings\\Temporary Internet Files"
   • "Cookies"="C:\\Documents and Settings\\LocalService\\Cookies"
   • "History"="C:\\Documents and Settings\\LocalService\\Local Settings\\History"
   • "AppData"="c:\\windows\\system32\\config\\systemprofile\\Application Data"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • "ParseAutoexec"="1"

Miscellaneous
Checks for an internet connection by contacting the following web sites:
   • xa.xi**********ud.com/v4/so**********update2=la**********=ref1,eGdp
   • xa.xi**********ud.com/v4/so**********ate2=langu**********f1,eGdp
   • up.so**********65.com/gdp/sof**********00000001

Description inserted by Soe-liang Tan on Monday, November 18, 2013
Description updated by Soe-liang Tan on Monday, November 18, 2013
