MSRT October 2016 release: Adding more unwanted software detections

ID MMPC:6C8B3D35BA3426C9FD05EA44B4A54FB8
Type mmpc
Reporter msft-mmpc
Modified 2016-10-11T19:22:50


Unwanted software often piggy-backs on program downloads, delivered by software bundlers. These bundles, which you might have downloaded, can include software that you do not want, and some that are harmful.

The bundled or “extra” software can perform actions on your device that run the gambit from unwanted to annoying to malicious. The threat that comes with it can go beyond changing your browser settings without your consent, or affecting your productivity and computing experience. The nuisance can run as deep as putting your PC’s security at risk (for example, installing malware in your PC, or preventing your PC from running your antivirus tools properly).

This month, we are adding detections for the families BrowserModifier:Win32/Sasquor, BrowserModifier:Win32/SupTab, and Trojan:Win32/Ghokswa to Microsoft Malicious Software Removal Tool (MSRT) release.

In combination with the families Trojan:Win32/Xadupi and Trojan:Win32/Suweezy added last month, these cover a suite of malware that can hijack browser settings, exclude entire drives from being scanning by Windows Defender and some other anti-malware apps, and install potentially unwanted or malicious software without your consent.

Entry point

In most cases, these malware families initially arrive as offers installed by software bundlers such as SoftwareBundler:Win32/Mizenota, SoftwareBundler:Win32/ICLoader and SoftwareBundler:Win32/InstallMonster.

SupTab and Sasquor have been offered by bundlers under many names, including:

  • Istartpageing
  • Omniboxes
  • Yoursearching
  • iStart123
  • Hohosearch
  • Yessearches
  • Youndoo
  • Trotux

Screenshot SoftwareBundler:Win32/InstallMonster being downloaded with details of its offering SupTab under the name "Yoursearching"

Figure 1: SoftwareBundler:Win32/InstallMonster offers SupTab under the name "Yoursearching"

Some bundlers show SupTab or Sasquor offers not as an app they will install, but simply as a change to your browser search and homepage settings.

Screenshot of the SoftwareBundler:Win32/SquareNet licensing agreement offering SupTab under the name "iStart123".

Figure 2: SoftwareBundler:Win32/SquareNet offering SupTab under the name "iStart123". Note: While the bundler claims that agreeing to this offer will change your browser settings, if you click “Agree & Install” it will also install SupTab services that perform other actions.

The Xadupi malware family comes in three different forms, which go by the names CornserSunshine, WinZipper, and QKSee.

Like Sasquor and SupTab, Xadupi can be delivered by software bundlers, but it is also often downloaded silently by Sasquor or SupTab themselves. This silent installation technique is common to most of the families in this group - Sasquor, SupTab and Xadupi all install services and/or scheduled tasks that regularly query remote servers for instructions, and are occasionally instructed to download and install additional apps. This download and installation happens without your consent or even notice. For example, weeks after Sasquor has been installed through a bundler, you may suddenly find WinZipper and QKSee on your machine, with .ZIP, .RAR, and other archive files suddenly associated with WinZipper. A few days after that, you may find your browser settings silently changed by SupTab or Ghokswa.

These diagrams illustrate some of the most common ways these families interact:

A relational diagram indicating how the unwanted software and malware are being installed by each other


In addition to these common installation chains, Sasquor, SupTab, and Xadupi can be instructed by its malware hosts to install each other at any point. Such behavior can help keep the malware alive on a machine longer – if one component is left behind, it can reinstall the others.

What does all this malware do in addition to installing other bits of malware?

Each family can serve multiple purposes and change over time, but here’s a summary:

BrowserModifier:Win32/Sasquor: Changes browser search and homepage settings to circumvent the browser’s supported methods and bypass your consent. It generally targets Google Chrome and Mozilla Firefox users. It also installs services and scheduled tasks that regularly install other malware like Trojan:Win32/Xadupi. It also sometimes installs Trojan:Win32/Suweezy.

BrowserModifier:Win32/SupTab: Changes browser search and homepage settings, circumventing the browser’s supported methods and bypass your consent. It usually targets Internet Explorer, Microsoft Edge, Google Chrome and Mozilla Firefox. It also installs services and scheduled tasks that regularly install additional or another type of malware.

Trojan:Win32/Suweezy: Attempts to modify settings for Windows Defender, Microsoft Security Essentials, AVG Antivirus, Avast Antivirus and Avira Antivirus, to exclude certain folders from being scanned. This can prevent detection and removal of the related malware like Sasquor and SupTab, as well as any other malware or unwanted software the machine might encounter. Suweezy usually adds C:\ to the exclusion list, which includes everything under that path, hence creating a significant and imminent danger to your computer’s overall security, by making that path unprotected by your antimalware software.

Trojan:Win32/Xadupi: Installs a service that regularly installs other apps, including Ghokswa and SupTab. This service is ostensibly an update service for an app that has some user-facing functionality – CornerSunshine displays weather information on the taskbar, WinZipper can open and extract archive files, and QKSee can be used to view image files.

Trojan:Win32/Ghokswa: Installs a customized version of Chrome or Firefox browsers. The Chrome version represents itself as Google Chrome, but is modified to use a different home page and search engine front-end. If Google Chrome is already installed when Ghokswa is downloaded by Xadupi, the Ghokswa installer will silently stop any running Google Chrome processes, and replace all shortcuts and associations for the real Google Chrome with ones pointing to its own version.

Together, these malware families can greatly harm your Windows user experience, and in many cases seriously reduce your computer’s security by tampering with anti-virus apps and introducing new harmful software over time.

Prevention, detection, and recovery

To help stay protected:

  • Keep your Windows Operating System and antivirus up-to-date and, if you haven’t already, upgrade to Windows 10.
  • Use Microsoft Edge. It can:
    • Help warn you about sites that are known to be hosting exploits
    • Help protect you from socially-engineered attacks such as phishing and malware downloads
    • Automatically detect bad changes and protects settings
  • Use the Settings app to reset to Microsoft recommended defaults if your default apps were changed.
    • Launch the Settings app.
    • Navigate to the Default apps page_._
    • From Home go to System > Default apps.
    • Click Reset.
  • Avoid browsing web sites that are likely to host malware (such as illegal music, movies and TV, and pirated software download sites)
  • Ensure your antimalware protection (such as Windows Defender and Microsoft Malicious Software Removal Tool) is up-to-date.
    • If you are using Windows Defender, you can check your exclusion settings to see whether the malware (for example, Trojan:Win32/Suweezy) added some entries in an attempt to exclude folders from being scanned.
    • To check and remove excluded items in Windows Defender:
      1. Navigate to Settings > Update & security > Windows Defender > Add an exclusion.
      2. Go through the lists under Files and File locations, select the excluded item that you want to remove, and click Remove.
      3. Click OK to confirm.
  • Enable Microsoft Active Protection Service (MAPS) to get the latest cloud-based unwanted software detection and blocking.

Related information

See How Microsoft antimalware products identify malware: unwanted software and malicious software for the objective criteria details.

For additional information about what Browser Extensibility Models are, and why we require programs to use them, see our previous blogs: