This month the Microsoft Malicious Software Removal Tool (MSRT) will include the Win32/Wysotot and MSIL/Spacekito families. Below we discuss the history and common behaviors of the Win32/Wysotot family of malware.

We first added detection for Win32/Wysotot in October 2013. Figure 1 shows the number of machine encounters since then. 

Figure 1: Wysotot detections

Win32/Wysotot is usually installed by software bundlers. Figure 2 shows some of the programs we have seen downloading Win32/Wysotot variants.

Figure 2: Programs that we have seen bundle Win32/Wysotot variants

Win32/Wysotot can change the start page for common web browsers. The malware executes its payload in two ways:

  1. Modifying the following registry entry:
    HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command = "C:\Program Files\Internet Explorer\iexplore.exe" hxxp://en.v9.com/?utm_source=b&utm_medium=eBP&utm_campaign=eBP&utm_content=sc&from=eBP&uid=<some text>&ts=<some timestamp>
  2. Modifying .LNK files that point to popular browsers (Internet Explorer, Firefox, Chrome and Opera). Win32/Wysotot locates the browser .LNK files in one of two ways:
  • It determines the location of the Programs folder in the Start Menu
  • It uses a hardcoded path to the Quick Launch folder

Through the folders mentioned above, Win32/Wysotot will search for all .LNK files and then check if each one is related to a web browser that it targets. If it finds a match it then modifies the .LNK file directly.

In our testing, the modified browser start pages commonly point to one of the following domains:

  • delta-homes.com
  • onmylike.com
  • v9.com
  • v9tr.com
  • 22find.com
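The two persistence points described above (the StartMenuInternet command value and browser .LNK files under the Start Menu Programs and Quick Launch folders) can be audited from a defender's side. The following PowerShell is an added example, not code from the MMPC post; it assumes Quick Launch sits at its standard location under %APPDATA% (the post does not give the hardcoded path the malware uses) and uses the domain list from the post as its indicator set.

```powershell
# Added audit script (not part of the original post). Reports browser launch points
# whose arguments carry a URL, which is how Win32/Wysotot redirects the start page.
$SuspectDomains = 'delta-homes.com','onmylike.com','v9.com','v9tr.com','22find.com'
$BrowserExes    = 'iexplore.exe','firefox.exe','chrome.exe','opera.exe'

function Test-SuspectArgs {
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $false }
    foreach ($d in $SuspectDomains) {
        if ($Text -match [regex]::Escape($d)) { return $true }
    }
    # A browser shortcut normally has no URL argument at all, so any http(s) URL is worth review.
    return ($Text -match 'https?://')
}

# 1. The StartMenuInternet command for Internet Explorer named in the post.
$Key = 'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
$Cmd = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).'(default)'
if (Test-SuspectArgs $Cmd) {
    [pscustomobject]@{ Location = $Key; Target = $Cmd; Arguments = '' }
}

# 2. Browser .LNK files in the per-user and all-users Programs folders and in Quick Launch.
$Folders = @(
    [Environment]::GetFolderPath('Programs'),
    [Environment]::GetFolderPath('CommonPrograms'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')   # assumed standard path
) | Where-Object { $_ -and (Test-Path $_) }

$Shell = New-Object -ComObject WScript.Shell
foreach ($lnk in Get-ChildItem -Path $Folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
    $sc  = $Shell.CreateShortcut($lnk.FullName)
    $exe = [IO.Path]::GetFileName($sc.TargetPath).ToLower()
    if ($BrowserExes -contains $exe -and (Test-SuspectArgs $sc.Arguments)) {
        [pscustomobject]@{ Location = $lnk.FullName; Target = $sc.TargetPath; Arguments = $sc.Arguments }
    }
}
```

Run it in an elevated session so the HKLM value is readable; each object emitted is a launch point to inspect and, if confirmed, restore to the browser's plain command line.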

Figure 3 shows a sample screenshot of the modified .LNK file.

Figure 3: The modified .LNK file

There is more detailed information about this family in the Win32/Wysotot description. The best protection from this and other threats is to run a real-time, up-to-date security product, such as Microsoft Security Essentials.

Edgardo Diaz

MMPC