This month the Microsoft Malicious Software Removal Tool (MSRT) will include the Win32/Wysotot and MSIL/Spacekito families. Below we discuss the history and common behaviors of the Win32/Wysotot family of malware.
We first added detection for Win32/Wysotot in October 2013. Figure 1 shows the number of machine encounters since then.
Figure 1: Wysotot detections
Win32/Wysotot is usually installed by software bundlers. Figure 2 shows some of the programs we have seen downloading Win32/Wysotot variants.
Figure 2: Programs that we have seen bundle Win32/Wysotot variants
Win32/Wysotot can change the start page for common web browsers. The malware executes its payload in two ways:
In each of the folders mentioned above, Win32/Wysotot searches for all .LNK files and checks whether each one is associated with a web browser that it targets. If it finds a match, it modifies the .LNK file directly.
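The following Python is an added defensive illustration, not code from the original post or from MMPC: it parses the StringData of a Windows shortcut (MS-SHLLINK format), flags browser shortcuts whose command-line arguments carry a URL (the change this family makes to set a start page), and can sweep a Desktop or Start Menu folder. The browser list, the `build_lnk` helper for constructing sample shortcuts, and the `start-page.example` URL are assumptions.

```python
import pathlib
import struct
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80  # LinkFlags bits, header offset 20
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon"))      # StringData order gated by flags
BROWSERS = ("chrome.exe", "firefox.exe", "iexplore.exe")  # assumed list of targeted browsers

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .LNK, skipping the IDList and LinkInfo blocks."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link")
    flags, pos = struct.unpack_from("<I", data, 20)[0], 76
    if flags & HAS_ID_LIST:    # LinkTargetIDList: 2-byte IDListSize, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: 4-byte LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for flag, key in STRING_FIELDS:  # each string: 2-byte CountCharacters, then the chars
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            fields[key] = data[pos + 2:pos + 2 + count * width].decode(codec)
            pos += 2 + count * width
    return fields

def is_hijacked(fields: dict) -> bool:
    """A browser shortcut whose arguments carry a URL is the start-page hijack pattern."""
    target = fields.get("relative_path", "").lower()
    args = fields.get("arguments", "").lower()
    return target.endswith(BROWSERS) and ("http://" in args or "https://" in args)

def scan_folder(folder: str) -> list:
    """List (path, arguments) for every hijacked browser .LNK under a Desktop/Start Menu folder."""
    hits = []
    for path in pathlib.Path(folder).rglob("*.lnk"):
        try:
            fields = parse_lnk(path.read_bytes())
        except ValueError:
            continue
        if is_hijacked(fields):
            hits.append((str(path), fields["arguments"]))
    return hits

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test input: a minimal unicode .LNK carrying only RelativePath and Arguments."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID, on-disk order
    header = struct.pack("<I16sI", 0x4C, clsid, 0x08 | 0x20 | IS_UNICODE) + bytes(52)
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(relative_path) + enc(arguments)
```

Real shortcuts usually also carry an IDList and LinkInfo block, which `parse_lnk` skips by their declared sizes; `build_lnk` omits them so the sample runs offline.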
In our testing, the modified browser start pages commonly point to one of the following domains:
Figure 3 shows a sample screenshot of a modified .LNK file.
Figure 3: The modified .LNK file
There is more detailed information about this family in the Win32/Wysotot description. The best protection from this and other threats is to run a real-time, up-to-date security product, such as Microsoft Security Essentials.