Unwanted software often piggybacks on program downloads delivered by software bundlers. A bundle you downloaded can include software that you do not want, some of it harmful.
The bundled or “extra” software can perform actions on your device that run the gamut from unwanted to annoying to malicious. The threat goes beyond changing your browser settings without your consent or degrading your productivity and computing experience. The nuisance can run as deep as putting your PC’s security at risk (for example, installing malware on your PC, or preventing your antivirus tools from running properly).
This month, we are adding detections for the families BrowserModifier:Win32/Sasquor, BrowserModifier:Win32/SupTab, and Trojan:Win32/Ghokswa to the Microsoft Malicious Software Removal Tool (MSRT) release.
In combination with the families Trojan:Win32/Xadupi and Trojan:Win32/Suweezy added last month, these cover a suite of malware that can hijack browser settings, exclude entire drives from being scanned by Windows Defender and some other anti-malware apps, and install potentially unwanted or malicious software without your consent.
In most cases, these malware families initially arrive as offers installed by software bundlers such as SoftwareBundler:Win32/Mizenota, SoftwareBundler:Win32/ICLoader and SoftwareBundler:Win32/InstallMonster.
Figure 2: SoftwareBundler:Win32/SquareNet offering SupTab under the name "iStart123". Note: While the bundler claims that agreeing to this offer will change your browser settings, if you click “Agree & Install” it will also install SupTab services that perform other actions.
The Xadupi malware family comes in three different forms, which go by the names CornerSunshine, WinZipper, and QKSee.
Like Sasquor and SupTab, Xadupi can be delivered by software bundlers, but it is also often downloaded silently by Sasquor or SupTab themselves. This silent installation technique is common to most of the families in this group: Sasquor, SupTab and Xadupi all install services and/or scheduled tasks that regularly query remote servers for instructions, and are occasionally instructed to download and install additional apps. This download and installation happens without your consent or even your notice. For example, weeks after Sasquor has been installed through a bundler, you may suddenly find WinZipper and QKSee on your machine, with .ZIP, .RAR, and other archive files now associated with WinZipper. A few days after that, you may find your browser settings silently changed by SupTab or Ghokswa.
These diagrams illustrate some of the most common ways these families interact:
In addition to these common installation chains, Sasquor, SupTab, and Xadupi can be instructed by the servers that control them to install each other at any point. Such behavior can help keep the malware alive on a machine longer – if one component is left behind, it can reinstall the others.
Each family can serve multiple purposes and change over time, but here’s a summary:
BrowserModifier:Win32/Sasquor: Changes browser search and homepage settings to circumvent the browser’s supported methods and bypass your consent. It generally targets Google Chrome and Mozilla Firefox users. It also installs services and scheduled tasks that regularly install other malware like Trojan:Win32/Xadupi. It also sometimes installs Trojan:Win32/Suweezy.
BrowserModifier:Win32/SupTab: Changes browser search and homepage settings, circumventing the browser’s supported methods and bypassing your consent. It usually targets Internet Explorer, Microsoft Edge, Google Chrome and Mozilla Firefox. It also installs services and scheduled tasks that regularly install additional malware.
Trojan:Win32/Suweezy: Attempts to modify settings for Windows Defender, Microsoft Security Essentials, AVG Antivirus, Avast Antivirus and Avira Antivirus to exclude certain folders from being scanned. This can prevent detection and removal of related malware like Sasquor and SupTab, as well as any other malware or unwanted software the machine might encounter. Suweezy usually adds C:\ to the exclusion list, which covers everything under that path, leaving the entire drive unprotected by your antimalware software and creating a significant and immediate danger to your computer’s overall security.
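As an added defender-side check (not part of the original post), this script audits the Windows Defender path exclusions for drive-root entries of the kind Suweezy is described as adding, and can remove them. It assumes the Defender PowerShell cmdlets (Get-MpPreference / Remove-MpPreference) are available and the shell is elevated; the -Remove switch is a name chosen for this example.

```powershell
# Added example: report Defender path exclusions that cover an entire drive (e.g. C:\).
# Nothing is modified unless the script is run with -Remove.
param([switch]$Remove)

function Test-DriveRootExclusion {
    param([string]$Path)
    # A bare drive root such as "C:\" or "C:" excludes every file on that volume.
    $p = $Path.Trim().TrimEnd('\')
    return ($p -match '^[A-Za-z]:$')
}

# Filter out $null so an empty exclusion list yields a zero-length array.
$paths = @((Get-MpPreference).ExclusionPath | Where-Object { $_ })

if ($paths.Count -eq 0) {
    Write-Host "No path exclusions configured."
    return
}

$driveRoots = @()
foreach ($p in $paths) {
    if (Test-DriveRootExclusion $p) {
        Write-Warning "Drive-root exclusion found: $p (entire drive is unscanned)"
        $driveRoots += $p
    } else {
        Write-Host "Exclusion: $p"
    }
}

# Optional remediation: drop the drive-root entries, leaving other exclusions intact.
if ($Remove -and $driveRoots.Count -gt 0) {
    Remove-MpPreference -ExclusionPath $driveRoots
    Write-Host "Removed $($driveRoots.Count) drive-root exclusion(s)."
}
```

Exclusions enforced by Group Policy or a management agent may reappear after removal, so a finding here is also a prompt to check where the setting is coming from.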
Trojan:Win32/Xadupi: Installs a service that regularly installs other apps, including Ghokswa and SupTab. This service is ostensibly an update service for an app that has some user-facing functionality – CornerSunshine displays weather information on the taskbar, WinZipper can open and extract archive files, and QKSee can be used to view image files.
Trojan:Win32/Ghokswa: Installs a customized version of Chrome or Firefox browsers. The Chrome version represents itself as Google Chrome, but is modified to use a different home page and search engine front-end. If Google Chrome is already installed when Ghokswa is downloaded by Xadupi, the Ghokswa installer will silently stop any running Google Chrome processes, and replace all shortcuts and associations for the real Google Chrome with ones pointing to its own version.
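As an added check (not from the original post), this script looks for Chrome shortcuts whose target is not the chrome.exe registered by the real installer, which is the kind of shortcut replacement Ghokswa is described as performing. It assumes Google Chrome has registered itself under the App Paths registry key; the shortcut folders searched are assumptions for a typical Windows install.

```powershell
# Added example: find "Chrome" shortcuts that do not point at the registered chrome.exe.
# Chrome registers its executable under App Paths (HKLM for all-user installs,
# HKCU for per-user installs); use whichever is present as the expected target.
$expected = $null
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe"
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($val) { $expected = $val; break }
}
if (-not $expected) { Write-Warning "No App Paths entry for chrome.exe; is Chrome installed?"; return }

# Common shortcut locations (assumed): desktops, Start Menus, and the pinned taskbar folder.
$locations = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
)

$shell = New-Object -ComObject WScript.Shell
$findings = foreach ($loc in $locations) {
    if (-not (Test-Path $loc)) { continue }
    Get-ChildItem -Path $loc -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match 'chrome' } |
        ForEach-Object {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            # -ne is case-insensitive in PowerShell, so path casing differences are ignored.
            if ($target -and ($target -ne $expected)) {
                [pscustomobject]@{ Shortcut = $_.FullName; Target = $target; Expected = $expected }
            }
        }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Host "All Chrome shortcuts point to $expected" }
```

A mismatch is a lead, not proof: check the unexpected target's publisher signature and install location before treating it as a replaced browser.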
Together, these malware families can greatly harm your Windows user experience, and in many cases seriously reduce your computer’s security by tampering with antivirus apps and introducing new harmful software over time.
To help stay protected:
See How Microsoft antimalware products identify malware: unwanted software and malicious software for the objective criteria details.
For additional information about what Browser Extensibility Models are, and why we require programs to use them, see our previous blogs: