MSRT February 2017: Chuckenit detection completes MSRT solution for one malware suite


In September 2016, we started adding to the Microsoft Malicious Software Removal Tool (MSRT) a malware suite of browser modifiers and other Trojans installed by software bundlers. We documented how the malware in this group installs other malware or applications silently, without your consent. This behavior ticks boxes in the evaluation criteria that the Microsoft Malware Protection Center (MMPC) uses for identifying unwanted software. Installing software without your permission, interaction, or consent is considered unwanted behavior because it takes away the choice you should have in determining what applications to install on your computer.

By October 2016, MSRT detected and removed most of the malware families in this suite:

  • Sasquor, which changes browser search and homepage settings to circumvent the browser’s supported methods and bypass your consent, and can install other malware like Xadupi and Suweezy
  • SupTab, which also changes browser search and homepage settings, and installs services and scheduled tasks that regularly install additional malware
  • Suweezy, which attempts to modify settings for various antivirus software, including Windows Defender, creating a significant danger to your computer’s overall security
  • Xadupi, which registers a service that regularly installs other apps, including Ghokswa and SupTab, and is ostensibly an update service for an app that has some user-facing functionality: CornerSunshine displays weather information on the taskbar, WinZipper can open and extract archive files, and QKSee can be used to view image files
  • Ghokswa, which installs a customized version of Chrome or Firefox browsers, modifying the home page and search engine front-end or stopping processes and replacing shortcuts and associations for the legitimate browser with ones pointing to its own version

This month, we’re adding Chuckenit, the last remaining malware in this group, to MSRT, helping make sure the whole suite is detected and removed from your computer and doesn’t interfere with your computing experience.

Chuckenit is an application called “Uncheckit”, whose main purpose is to uncheck checkboxes in installation dialog boxes, effectively altering your choices during installation without your knowledge.

Chuckenit is installed together with SupTab and Ghokswa when Xadupi downloads and installs updates. Xadupi, meanwhile, is installed by Sasquor, although it may also be installed directly by software bundlers.


Figure 1. Chuckenit is installed silently by Xadupi, which is installed by Sasquor.


Figure 2. Xadupi may also be installed directly by software bundlers, such as ICLoader.

Similar to the other malware in this suite, as part of its installation, Chuckenit adds several Scheduled Tasks and registers a couple of services to automatically download updates, which may come with other applications or malware.
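The persistence described above (scheduled tasks and services that silently fetch more software) is something a defender can enumerate on a Windows machine. The script below is an added example, not code from the MMPC post, and it uses no Chuckenit-specific names: it lists every enabled scheduled task action and every service whose executable lives under a user-writable or data directory, which is where bundler-dropped components are commonly placed. The set of directories treated as suspect is an assumption chosen for illustration; each hit is a lead for manual review, not proof of infection.

```powershell
# Added example (not from the MMPC post): audit scheduled tasks and services
# whose executables run from locations that legitimately installed software
# rarely uses. The directory list is a heuristic chosen for this example.
# Run from an elevated PowerShell window on Windows 8 / Server 2012 or later
# (Get-ScheduledTask is not available on Windows 7).

# Directories considered suspect for a service or task binary (assumption).
$suspectRoots = @(
    $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Test-SuspectPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Keep only the executable: strip surrounding quotes, then trailing arguments.
    $exe = ($Path -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    $exe = [Environment]::ExpandEnvironmentVariables($exe).ToLowerInvariant()
    foreach ($root in $suspectRoots) {
        if ($exe.StartsWith($root)) { return $true }
    }
    return $false
}

# 1. Scheduled tasks: a task may carry several actions; inspect each Execute target.
#    Non-executable actions (COM handlers) have no Execute property and are skipped.
$taskHits = foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    foreach ($action in $task.Actions) {
        if ($action.Execute -and (Test-SuspectPath $action.Execute)) {
            [pscustomobject]@{
                Kind    = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Start   = $task.State
                Command = "$($action.Execute) $($action.Arguments)".Trim()
            }
        }
    }
}

# 2. Services: Win32_Service exposes the binary path, which Get-Service does not.
$serviceHits = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (Test-SuspectPath $svc.PathName) {
        [pscustomobject]@{
            Kind    = 'Service'
            Name    = $svc.Name
            Start   = $svc.StartMode
            Command = $svc.PathName
        }
    }
}

$hits = @($taskHits) + @($serviceHits)
if ($hits.Count -eq 0) {
    'No enabled scheduled tasks or services run from user-writable or data directories.'
} else {
    "$($hits.Count) item(s) to review:"
    $hits | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap
}
```

Review the output before acting on it: some legitimate updaters also run from ProgramData or the user profile, so the point of the listing is to surface every auto-running component for a decision, after which `Unregister-ScheduledTask` or the MSRT removal itself can take care of the confirmed ones.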

Since May 2016, Windows Defender has encountered this threat in over 418,000 computers, of which 12% are in Brazil, 7% are in India, and 7% are in Russia.


Figure 3. Geographic distribution of Chuckenit encounters

Prevention, detection, and recovery

Chuckenit is part of an infection chain that involves malware and software bundlers silently installing other applications. You need security solutions that detect and remove all components of this type of infection.

Ensure you get the latest protection from Microsoft. Keep your Windows operating system and antivirus up to date and, if you haven’t already, upgrade to Windows 10.

Ensure your antimalware protection, such as Windows Defender and the Microsoft Malicious Software Removal Tool, is up to date. In Windows Defender, you can check your exclusion settings to see whether the malware added entries in an attempt to exclude folders from being scanned. To check and remove excluded items in Windows Defender: Navigate to Settings > Update & security > Windows Defender > Add an exclusion. Go through the lists under Files and File locations, select the excluded item that you want to remove, and click Remove. Click OK to confirm.

Use cloud protection to get protection against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and for Windows Defender on Windows 10. Go to Settings > Update & security > Windows Defender and make sure that the Cloud-based Protection setting is turned On.
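The two Windows Defender checks above (reviewing exclusions the malware may have added, and confirming cloud-based protection is on) can also be done from PowerShell with the Defender module's `Get-MpPreference`, `Remove-MpPreference` and `Set-MpPreference` cmdlets. The script below is an added example, not part of the MMPC post; it only lists exclusions unless it is run with the hypothetical `-Remove` switch defined here, and it reports, rather than changes, the real-time protection setting that the post says Suweezy tries to modify.

```powershell
# Added example (not from the MMPC post): list Windows Defender exclusions so
# that entries added by a malware installer can be reviewed, optionally remove
# them, and confirm that cloud-delivered protection (MAPS) is enabled.
# Run from an elevated PowerShell window on Windows 10.
param(
    [switch]$Remove   # remove every listed exclusion after showing it (assumed switch)
)

$pref = Get-MpPreference

# 1. Exclusions. A clean consumer machine typically has none, so every entry
#    should have a known reason; anything unexplained is a candidate for removal.
$exclusions = @()
foreach ($p in $pref.ExclusionPath)      { $exclusions += [pscustomobject]@{ Type = 'Path';      Value = $p } }
foreach ($e in $pref.ExclusionExtension) { $exclusions += [pscustomobject]@{ Type = 'Extension'; Value = $e } }
foreach ($x in $pref.ExclusionProcess)   { $exclusions += [pscustomobject]@{ Type = 'Process';   Value = $x } }

if ($exclusions.Count -eq 0) {
    'No Windows Defender exclusions are configured.'
} else {
    'Configured exclusions:'
    $exclusions | Format-Table -AutoSize
    if ($Remove) {
        foreach ($p in $pref.ExclusionPath)      { Remove-MpPreference -ExclusionPath $p }
        foreach ($e in $pref.ExclusionExtension) { Remove-MpPreference -ExclusionExtension $e }
        foreach ($x in $pref.ExclusionProcess)   { Remove-MpPreference -ExclusionProcess $x }
        'All exclusions removed.'
    }
}

# 2. Cloud-based protection. MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced.
if ($pref.MAPSReporting -eq 0) {
    'Cloud-based protection is OFF; turning it on.'
    Set-MpPreference -MAPSReporting Advanced
} else {
    "Cloud-based protection is on (MAPSReporting = $($pref.MAPSReporting))."
}

# 3. Real-time monitoring, one of the settings this malware suite tampers with.
if ($pref.DisableRealtimeMonitoring) {
    'Real-time protection is DISABLED; re-enable it with: Set-MpPreference -DisableRealtimeMonitoring $false'
} else {
    'Real-time protection is on.'
}
```

Run it once without `-Remove` to see what is excluded, decide which entries you recognise, and only then run it again with `-Remove` (or delete individual entries in the Settings app as described above). Exclusions that reappear after removal are a strong sign that a scheduled task or service is still re-creating them.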

Use the Settings app to reset to the Microsoft-recommended defaults that may have been changed by the malware in this suite. Launch the Settings app. Navigate to the Default apps page. From Home go to System > Default apps, then click Reset.

For enterprises, use Device Guard, which can lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run.

Use Windows Defender Advanced Threat Protection to get alerts about suspicious activities, including the download of malware, so you can detect, investigate, and respond to attacks in enterprise networks. Evaluate Windows Defender Advanced Threat Protection for free.

James Patrick Dee
MMPC

Comments (2)

  1. Jim Buba says:

    Brilliant, but… I have one here that was inexorably slow to load and start MSRT on USB. The system disk is a sad composition of copies of previous O/S from XP to ‘almost Win10 for Free’ and running on Win7 Pro. The MSRT didn’t start until AFTER I had opened a Task Manager and a CMD prompt.
    Once started, it flew through the routine, happily enumerating at least 13 infected files, promising to give a detailed report and instructions on what to do next when finished. Four and a half hours later, the MSRT completed and displayed the “No Malicious Software found”.
    Obviously, if I restart the computer, the infected files will still be present, perhaps moved and more robust. It would seem that the March MSRT has been compromised.
    Yes, I unloaded unwanted software including all printers, updaters and drivers as well as Office 2007 and ran SDelete on the drive before starting the MSRT.
    The machine is off the network and unable to communicate with the mother-ship. At least I’d like to think so. Security Essentials starts to update, but never finishes. Once this is done, the program displays in GREEN and claims it downloaded the latest signatures, though the date was three days old.
    I have a USB stick here with Excel spreadsheets that were recovered using RECOVA that contain U/I script within the first several columns. My guess is that this is where the malicious code ‘runs to hide’, in a file that has been deleted. Certainly, files that are marked for delete (first character changed to ‘?’) are ignored by MSRT. Further, code within an Excel Spreadsheet is also ignored.

    The common denominator between the two is the USB memory stick used to transport files. Both MSE and Windows Defender have scanned the USBs, finding nothing, but given the above, the ‘All Safe’ is false and part of the M.O. of the variant.

    HELP!

    1. Daniel says:

      Sorry about your troubles. I would suggest going into safe mode.
      To go into safe mode, reboot your computer, hold the “options” or “bios” key at the bottom of the screen, and then select safe mode.
