MSRT December 2014


This month is our final release of the Malicious Software Removal Tool (MSRT) for 2014.

Although we didn’t add any new malware families, we updated the tool with the latest detection and remediation capabilities for the malware families added in previous releases.

Since January 2014, there have been more than seven billion successful MSRT installs via Microsoft Windows Update. This is an average of 500 million installs every month. The MSRT detected and successfully removed malware on more than 5.6 million machines.

We choose the families we add to the MSRT using several criteria, but one of the common reasons is a family’s prevalence in the ecosystem. Looking at our data from the past year, there are a few families that stand out:

  • Win32/Jenxcus
      • In February, we added Win32/Jenxcus, a worm coded in VBScript that is capable of propagating via removable drives. Since adding this family, the MSRT has detected it on more than 719,000 machines.
      • Early in the year, based on data collected from Microsoft antimalware products being used worldwide, we saw Jenxcus encounters on more than 1.8 million machines a month. As the year went on there was some decline, with just over 1.1 million encounters during November.
  • Win32/Wysotot
      • We added Win32/Wysotot in March. This trojan family is usually installed by software bundlers that advertise free software or games. The MSRT has since detected this family on more than 225,000 machines.
      • In October 2013, our real-time protection products reported more than 2.8 million Wysotot encounters. By February 2014, encounters had decreased to 1.08 million, and have continued to decrease during the rest of 2014. Last month just over 157,000 Wysotot encounters were reported.
  • Win32/Hikiti
      • Another highlight occurred in October, when the MSRT participated in a Coordinated Malware Eradication (CME) initiative. Win32/Hikiti was added to the tool along with several related malware families.
      • The October release was a great opportunity for the MSRT to take part in a successful campaign and work with many industry partners to provide the necessary remediation coverage.

Reviewing our data throughout the year helps us determine the impact of our detection and remediation efforts. The MSRT helps provide additional protection to the majority of Windows machines, especially for customers who do not have any type of antimalware protection installed. It’s not a replacement for a real-time antimalware solution, such as Microsoft Security Essentials. However, by analyzing our telemetry we can do our best to provide coverage for the most prevalent threats.

We are continuing to monitor threats and look forward to our first monthly MSRT release for 2015.

Adrienne Wu
MMPC


Comments (4)

  1. adwbust says:

    Yes, been seeing Win32/Jenxcus a lot. Before it was either gamarue or conficker. In your Jenxcus description, it doesn't say worm is also dropped in My Documents path. In one instance, after inserting usb, Win32/Jenxcus bypassed MSE guard. MSE only detected Win32/Jenxcus when I scanned My Documents. Do you think worm used My Documents as temp folder prior to installing itself on system restart? MSE guard doesn't scan file (ie: vbs) drops/writes to My Documents path?

  2. Andy says:

    I've been reporting malware samples for MSE* (these are confirmed malware, with 60% to 70% detection rates as seen in Virustotal) but the samples remain uninspected even after several months. Is there any point of reporting suspicious samples to Microsoft?

    * https://www.microsoft.com/security/portal/submission/submit.aspx

  3. adwbust says:

    did you submit while signed in? but yeah mmpc needs to fix their system. lots of submission ignored and not updated. if a submission was submitted before and analyzed, it should be reflected as such ala avira's submission system. after submission it should list content of archive and beside each a hash and status/determination.

  4. Andy says:

    I've tried both — anonymous submissions and submissions when signed in. I agree with your observations — Avira system is pretty neat. Heck, even McAfee's email responses are better.
