MSRT June 2017: Removing sneaky Xiazai

  1. Brink
    Posts : 41,446
    64-bit Windows 10 Pro build 18965

    In the June release of the Microsoft Software Removal Tool (MSRT), we’re adding Xiazai, a widespread family of browser modifiers that we have blocked and removed from millions of computers since 2015.

    Xiazai is a software bundler that can sneak in additional changes. Xiazai does not install itself or make autostart registry entries, but the impact of its changes can persist long after Xiazai itself is gone. MSRT will remove Xiazai but it will also restore system settings.

    Xiazai’s extra changes affect browsing experience. On top of offering bundled applications during installation, as software bundlers would do, it can modify browsers’ home page so that the browser always opens to a specific website. It can also change browser shortcuts on the desktop and taskbar so that when the browser is launched using these modified shortcuts, it opens the said website.

    This behavior is classified unwanted based on our evaluation criteria. At Microsoft, we work to protect customers’ choice and control of their devices, computing, and browsing experiences. Xiazai violates this by setting the browser to always open a specific website when launched. Even if the user reverts the home page, the browser will continue to open the said website when launched from the taskbar or desktop. This system change takes away control from the user.

    Xiazai is a very prolific threat. We have observed it on more than two million machines since October 2015. It’s also still very active. This year, we blocked some 30K infections on average every month.

    Xiazai: Sneaky browser modifier

    Xiazai can be downloaded from the Internet as an installer for legitimate software, for example, Adobe Photoshop. When run, it offers to download and install Photoshop, as well as several bundled applications, which are selected by default. There is nothing outright malicious at this point, as the user can opt out of installing the bundled applications.

    If the user proceeds, Xiazai downloads the legitimate installer. The installation window asks the user whether to install Photoshop right away or later. And then things get very dodgy.

    More bundled applications are offered, again selected by default. There’s also an option to modify browser settings and browser shortcuts, also selected by default.

    One of two things can happen at this point:

    1. If the user chooses to install right away, Photoshop is installed, together with the selected bundled applications (six extra applications in total, if the user does not un-select anything), and the browser changes.
    2. If the user chooses to install later, Photoshop is not installed, but the bundled applications are still installed right away and browser settings and shortcuts are modified.

    In the second scenario, the user is never again prompted about Photoshop. To actually install the said application, the user has to manually run the downloaded installer. And this is how the true intent of Xiazai is revealed.

    Xiazai forces the browser to always open a specific website when launched. There are two ways by which Xiazai does this. First, it modifies the default home page in the browser settings.

    Second, it modifies shortcut files on the desktop and on the taskbar to add a URL parameter. With this change, even if the user restores the browser settings, the browser still opens the website when launched from the desktop or taskbar.

    Prevention, detection, and recovery

    You may encounter Xiazai when searching for installers on third-party sites, but you may get more than what you bargained for. It’s a software bundler that does what you’d expect it to do, which is to install legitimate software. However, it also comes with additional, mostly also legitimate, software that you might not need or want. It also modifies your browsing experience in ways that are unexpected, unwanted, and hard to diagnose.

    To stay away from Xiazai, get applications only from official app stores or official vendor websites. Use Microsoft Edge. It uses Windows Defender SmartScreen (also used by Internet Explorer) to block known malicious websites and malicious downloads.

    Get the latest protection from Microsoft. Keep your Windows operating system and antivirus, such as Windows Defender Antivirus and Microsoft Malicious Software Removal Tool (MSRT), up-to-date. If you haven’t already, upgrade to Windows 10.

    Block Xiazai and other threats, including new, never-before-seen variants, in real-time. Instant protection from Windows Defender Antivirus cloud protection service is turned on by default. To check that Real-time protection and Cloud-based protection settings are turned On, launch the Windows Defender Security Center, then go to Settings > Virus & threat protection settings.

    For enterprises, use Device Guard, which can lock down devices and provide kernel-level virtualization-based security. By allowing only trusted applications to run, Device Guard protects devices from Xiazai and other threats.

    Use Windows Defender Advanced Threat Protection to get alerts about suspicious activities, including the download of malware, so you can detect, investigate, and respond to attacks in enterprise networks.

    James Patrick Dee, Eric Avena

    Microsoft Malware Protection Center

    Source: MSRT June 2017: Removing sneaky Xiazai (Windows Security blog)

    See also: Malicious Software Removal Tool in Windows (Windows 10 Security System Tutorials)
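The shortcut trick described in the article (a URL added to the arguments of desktop and taskbar browser shortcuts, so the site keeps opening after the home page is restored) can be audited and undone by hand. The script below is an added example, not code from the Microsoft post or from MSRT; the list of browser executables, the regex for a URL argument, and the folder list are assumptions, and the Internet Explorer home page value is the documented "Start Page" registry entry.

```powershell
# Added example (not from the Microsoft post or MSRT): audit desktop and taskbar
# browser shortcuts for an injected URL argument and optionally strip it.
[CmdletBinding()]
param([switch]$Fix)   # run with -Fix to clear the arguments and save the .lnk

# Assumption: these executables cover the browsers a modifier would target.
$BrowserExes = 'msedge.exe', 'chrome.exe', 'firefox.exe', 'iexplore.exe', 'opera.exe'

# Where Windows keeps user/public desktop shortcuts and taskbar-pinned shortcuts.
$Folders = @(
    [Environment]::GetFolderPath('Desktop'),
    (Join-Path $env:PUBLIC 'Desktop'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
) | Where-Object { Test-Path $_ }

$Shell    = New-Object -ComObject WScript.Shell
$Findings = @()

foreach ($lnk in Get-ChildItem -Path $Folders -Filter *.lnk -ErrorAction SilentlyContinue) {
    $sc  = $Shell.CreateShortcut($lnk.FullName)
    $exe = [IO.Path]::GetFileName($sc.TargetPath).ToLowerInvariant()
    if ($BrowserExes -notcontains $exe) { continue }

    # A clean browser shortcut normally carries no arguments; a URL in the
    # argument string makes the browser open that site on every launch.
    if ($sc.Arguments -match '(?i)\b(https?://|www\.)\S+') {
        $Findings += [pscustomobject]@{
            Shortcut  = $lnk.FullName
            Target    = $sc.TargetPath
            Arguments = $sc.Arguments
        }
        if ($Fix) {
            $sc.Arguments = ''
            $sc.Save()
            Write-Host "Cleaned: $($lnk.FullName)"
        }
    }
}

if ($Findings) { $Findings | Format-List }
else { Write-Host 'No browser shortcuts with URL arguments found.' }

# The home page is the other change the article names; for Internet Explorer it
# is a registry value, while other browsers keep it in their own profile files.
$iePage = (Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' `
           -ErrorAction SilentlyContinue).'Start Page'
if ($iePage) { Write-Host "IE Start Page: $iePage" }
```

Run it first without -Fix to review what it finds; a shortcut a user deliberately created to open a site would also match and should be left alone.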

  2. Posts : 5,992
    Dual boot Windows 10 FCU Pro x 64 & current Insider 10 Pro

    Sneaky indeed.

    One of many reasons why I stick with Edge, which recently became my main-use browser.

    Thanks for posting this article, Brink. :)

