MSRT March 2014 – Wysotot

This month the Microsoft Malicious Software Removal Tool (MSRT) will include the Win32/Wysotot and MSIL/Spacekito families. Below we discuss the history and common behaviors of the Win32/Wysotot family of malware.

We first added detection for Win32/Wysotot in October 2013. Figure 1 shows the number of machine encounters since then.


Figure 1: Wysotot detections

Win32/Wysotot is usually installed by software bundlers. Figure 2 shows some of the programs we have seen downloading Win32/Wysotot variants.


Figure 2: Programs that we have seen bundle Win32/Wysotot variants

Win32/Wysotot can change the start page for common web browsers. The malware executes its payload in two ways:

  1. Modifying the following registry entry:
    HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command = ""C:\Program Files\Internet Explorer\iexplore.exe" hxxp://<some text>&ts=<some timestamp>"
  2. Modifying .LNK files that point to popular browsers (Internet Explorer, Firefox, Chrome and Opera). Win32/Wysotot searches for browser .LNK files in folders that it finds in one of two ways:
    • It determines the location for Programs in the Start Menu
    • A hardcoded path to the Quick Launch folder

Win32/Wysotot searches the folders mentioned above for all .LNK files and checks whether each one is related to a web browser that it targets. If it finds a match, it modifies the .LNK file directly.
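The two changes described above can be audited from a PowerShell prompt. The script below is an added example, not part of the original post or of any Microsoft tool: it lists browser shortcuts in the Start Menu Programs and Quick Launch folders whose arguments contain a URL, and checks the registry command shown above for the same thing. The Quick Launch location (the default per-user path) and the URL pattern are assumptions.

```powershell
# Added example (not from the original post): list browser launch points that
# carry a URL argument, the change this post attributes to Win32/Wysotot.
$browsers   = 'iexplore.exe', 'firefox.exe', 'chrome.exe', 'opera.exe'
$urlPattern = '(?i)(https?://|www\.)\S+'    # assumed pattern for an appended start page

# Start Menu Programs (per-user and all-users) plus Quick Launch.
# Assumption: Quick Launch is at its default per-user location.
$folders = @(
    [Environment]::GetFolderPath('Programs')
    [Environment]::GetFolderPath('CommonPrograms')
    Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$shell    = New-Object -ComObject WScript.Shell
$findings = @()

foreach ($lnk in ($folders | Get-ChildItem -Filter *.lnk -Recurse -ErrorAction SilentlyContinue)) {
    $sc = $shell.CreateShortcut($lnk.FullName)
    if (-not $sc.TargetPath) { continue }    # shortcut without a file target
    $exe = [IO.Path]::GetFileName($sc.TargetPath)
    # A clean browser shortcut normally has no URL in its arguments.
    if ($browsers -contains $exe -and $sc.Arguments -match $urlPattern) {
        $findings += [pscustomobject]@{
            Source   = $lnk.FullName
            Target   = $sc.TargetPath
            Appended = $sc.Arguments
        }
    }
}

# Registry entry named in the post: the default value should be only the
# quoted path to iexplore.exe, with nothing after it.
$key = 'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
$cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
if ($cmd -match $urlPattern) {
    $findings += [pscustomobject]@{ Source = $key; Target = 'iexplore.exe'; Appended = $Matches[0] }
}

$findings | Format-List
```

An empty result means none of the inspected launch points carries a URL; a hit needs manual review, since a user or administrator can also add a URL to a shortcut on purpose.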

In our testing, the modified browser start pages commonly point to one of the following domains:


Figure 3 shows a sample screenshot of the modified .LNK file.

Figure 3: The modified .LNK file

There is more detailed information about this family in the Win32/Wysotot description. The best protection from this and other threats is to run a real-time, up-to-date security product, such as Microsoft Security Essentials.

Edgardo Diaz



Comments (3)

  1. Audrey Ebert says:

    I like this

  2. amirreza says:

    Thank you as Microsoft

  3. mike says:

    Nice but not exactly correct article. I found this Wysotot-D on 3 of my laptops recently. (June 2014) and MS Security Essentials was running on all three and that DID NOT find the threat! I found the threat by running Avast Free Boot-time scan. This scan also found two Malware gens that MS software did not detect! I suspect that the Mal Gens are associated with Wysotot-D. Do not rely on MS antibug ware for protection! Get a real shield. Bill Gates should be ashamed of misleading folks.