This month the Microsoft Malicious Software Removal Tool (MSRT) will include the Win32/Wysotot and MSIL/Spacekito families. Below we discuss the history and common behaviors of the Win32/Wysotot family of malware.
We first added detection for Win32/Wysotot in October 2013. Figure 1 shows the number of machine encounters since then.
Figure 1: Wysotot detections
Win32/Wysotot is usually installed by software bundlers. Figure 2 shows some of the programs we have seen downloading Win32/Wysotot variants.
Figure 2: Programs that we have seen bundle Win32/Wysotot variants
Win32/Wysotot can change the start page for common web browsers. The malware executes its payload in two ways:
- Modifying the following registry entry:
  HKLM\SOFTWARE\Clients\StartMenu\Internet\IEXPLORE.EXE\shell\open\command = "C:\Program Files\Internet Explorer\iexplore.exe" hxxp://en.v9.com/?utm_source=b&utm_medium=eBP&utm_campaign=eBP&utm_content=sc&from=eBP&uid=<some text>&ts=<some timestamp>
- Modifying .LNK files that point to popular browsers (Internet Explorer, Firefox, Chrome and Opera). Win32/Wysotot locates the browser .LNK files to modify by searching two places:
  - the Programs folder of the Start Menu, whose location it determines at run time
  - a hardcoded path to the Quick Launch folder
Through the folders mentioned above, Win32/Wysotot will search for all .LNK files and then check if each one is related to a web browser that it targets. If it finds a match it then modifies the .LNK file directly.
In our testing, the modified browser start pages commonly point to one of the following domains:
- delta-homes.com
- laban.vn
- onmylike.com
- v9.com
- v9tr.com
- 22find.com
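As an added, read-only defender's check (not code from the MMPC post), the PowerShell below inspects the two persistence points described above: the IEXPLORE.EXE shell\open\command value and browser .LNK files under the Start Menu Programs folders and Quick Launch. It reports any browser launch command that carries a URL and notes when that URL matches one of the domains listed above; the Quick Launch path is the standard one and is an assumption, since the post only says it is hardcoded.

```powershell
# Added example: report (do not repair) browser start-page hijacks of the kind Win32/Wysotot performs.
$SuspectDomains = @('delta-homes.com','laban.vn','onmylike.com','v9.com','v9tr.com','22find.com')
$BrowserExes    = @('iexplore.exe','firefox.exe','chrome.exe','opera.exe')

function Test-SuspiciousUrl([string]$Text) {
    # A browser launch command normally carries no URL at all, so any URL is worth a look;
    # a match against a domain seen in the MMPC testing is called out separately.
    if ($Text -notmatch 'https?://') { return $null }
    $hit = $SuspectDomains | Where-Object { $Text -match [regex]::Escape($_) } | Select-Object -First 1
    if ($hit) { "URL argument present, known Wysotot domain: $hit" } else { "URL argument present: $Text" }
}

# 1. The Internet Explorer client registration quoted in the post (default value only).
$RegKey = 'HKLM:\SOFTWARE\Clients\StartMenu\Internet\IEXPLORE.EXE\shell\open\command'
if (Test-Path $RegKey) {
    $cmd = (Get-ItemProperty -Path $RegKey -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    $why = Test-SuspiciousUrl ([string]$cmd)
    if ($why) { [pscustomobject]@{ Location = $RegKey; Finding = $why } }
}

# 2. Browser shortcuts in the per-user and all-users Start Menu Programs folders and in Quick Launch.
#    The Quick Launch location below is the standard path (assumption; the post does not give it).
$Folders = @(
    [Environment]::GetFolderPath('Programs'),
    [Environment]::GetFolderPath('CommonPrograms'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
) | Where-Object { $_ -and (Test-Path $_) }

$Shell = New-Object -ComObject WScript.Shell
foreach ($lnk in Get-ChildItem -Path $Folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
    $sc  = $Shell.CreateShortcut($lnk.FullName)          # exposes TargetPath and Arguments
    $exe = ([IO.Path]::GetFileName([string]$sc.TargetPath)).ToLower()
    if ($BrowserExes -notcontains $exe) { continue }     # not a shortcut to a targeted browser
    $why = Test-SuspiciousUrl ([string]$sc.Arguments)
    if ($why) { [pscustomobject]@{ Location = $lnk.FullName; Finding = $why } }
}
```

Run it in a normal (non-elevated) session to check the current user's shortcuts; the HKLM value is readable without elevation, but a shortcut-by-shortcut review across other profiles needs an administrator session.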
Figure 3 shows a sample screenshot of the modified .LNK file.
Figure 3: The modified .LNK file
There is more detailed information about this family in the Win32/Wysotot description. The best protection from this and other threats is to run a real-time, up-to-date security product, such as Microsoft Security Essentials.
Edgardo Diaz
MMPC