Discord virus. 3 main versions explained and removal provided

Discord virus Removal Guide

What is Discord virus?

Discord virus is a term that unites all the viruses, pop-up ads, and scams distributed via this popular chat application

Discord virus: a combination of malware that is distributed via the VoIP application Discord

Discord virus is a set of malware distributed via this very popular chatting platform, which is often used to communicate while playing online video games and is also favored among the security research community. The voice over internet protocol (VoIP) application itself is legitimate and was first launched in 2015, rapidly growing its user count over the past few years. Unfortunately, dishonest individuals can abuse the platform for their own malicious deeds: tamper with the program's client, create malicious servers,[1] and distribute phishing messages aimed at harming users.

In other words, the app itself is reputable and practical, and the term Discord virus is used to describe malicious activities initiated by third-party sources. When abused, victims can be infected with RATs, worms, backdoors, and other malware, as well as disclose sensitive information, resulting in online banking and other user account compromise. As the platform is often used by the gaming community, game-related cheats, currency generators, and hacking activities are also often promoted, infecting scam victims with a virus in the process.

Cybercriminals are also known to alter the installer's functions in a way that allows them to perform malicious activities on the infected machine. Essentially, they modify the original installer and insert the malicious payload into it, which results in the virus being installed on unsuspecting users' machines. Such fake client installers are typically propagated via spoofing sites, torrents, and other shady places on the internet. Unfortunately, users are rarely aware of malicious activity on their devices, as they believe that they installed a legitimate version of the app. One of the best examples is Spidey Bot – malware that infected as many as 250 million users worldwide.

New campaigns of the info-stealer were reported when an updated version of AnarchyGrabber was distributed via hacking forums and YouTube videos. This new version of Discord malware modified client files so that AV detection could be evaded and user accounts stolen every time anyone logged into the chat service. User tokens get uploaded back to a channel under the attacker's control so they can be collected and used to log in as the victim.

Hoaxes about Discord viruses are also prevalent on this VoIP app. Bots are also known to be great additions to various servers used by many. They allow different functionality via commands that regular users or server admins can launch. Nevertheless, some bots were rumored to be causes of information stealing and hacking – one of such cases was started by the user Cia, who was concerned about KawaiiBot.[2]

Summary
Name: Discord virus
Type: Malware
Most common malware types distributed: Many different malware types can be distributed through the app, including RATs (Remote Access Trojans), phishing messages, backdoors, info-stealing malware, etc.
Malware examples: NanoCore, SpyRat, njRAT, OSX.Dummy, Discordhookhelper.exe, Discordgg.ga virus, Discord gg ga virus, Spidey Bot,[3] AnarchyGrabber
Distribution: Malicious attachments, drive-by downloads, phishing campaigns, direct messages using social engineering, other malware.
Main dangers: Malware that can be distributed via this application can record passwords, credit card details, personal information, and other sensitive data from the program and directly from the machine; such infiltrations also might result in other malware infections
Symptoms: Trojans or backdoors rarely emit any symptoms, but users might experience computer crashes or freezes, slow operation, error messages, etc. If phishing links via the DMs are clicked, the access to the account is blocked and used for spreading the fake messages further
Detection and elimination: Install professional anti-malware to remove the infection – we recommend using SpyHunter 5, Combo Cleaner or Malwarebytes
System fix: Malware can render computers sluggish and laggy, even after its elimination. If you suffer from errors, BSODs, and other stability issues, you can repair your machine after virus elimination with such tools as Fortect or Intego

When it comes to social media platforms or applications, malicious actors always target users with scams and phishing attacks. Discord is no exception. For years, since the initial release of this social network, it was known that various malicious DMs (Direct Messages) are spreading, aiming to infect unsuspecting victims with viruses.

One of the most prominent examples is the so-called Discordgg.ga virus. Malicious actors promise users a free Nitro subscription and redirect them to a spoofing site that harvests login details. These are later used in a further phishing scheme that can lead to serious privacy issues.[4]

Most of the malware delivered through this chatting app is Remote Access Trojans[5] (RATs). These malicious applications are installed with users' permission, although victims are not aware of it (typically, phishing techniques are used to make the user click on malicious links or attachments). As soon as malware downloaded via Discord is settled, it grants itself administrative rights, and the host system is used to distribute the RAT even further – that is how a botnet is established.

RATs that are common in virus attacks include:

  • NanoCore (Trojan.Nancrat)
  • SpyRat (Backdoor.Ratenjay)
  • njRAT (W32.Spyrat)
  • OSX.Dummy

All the viruses mentioned above are capable of various malicious activities on the targeted PC, including monitoring the behavior of the victim, recording keystrokes, taking screenshots, using the webcam to record the video, formatting drives, starting or shutting down various system processes, as well as installing additional malicious files on the system. Before that happens, users are advised to regularly scan their machines using security software and take care of virus removal if it was detected on the device.

Additionally, specific hacking tools are being advertised as legitimate. Malware authors claim that the hacking tool can allegedly steal passwords of other users. However, as soon as victims agree to download the application, they become victims of a phishing attack, compromising personal information in the process. In other words, cheating and hacking only increase the chances of being infected with Discord virus, so it is best to refrain from such malicious activities in the first place.

Discord malware: while Remote Access Trojans are the most popular types of malware distributed via Discord, simple spoofing pages that harvest credentials can also be tools for hackers to use for personal gain

Targets of Discord virus are usually gamers and video game streamers. The latter often employ the program to stream gaming sessions for entertainment purposes. Hackers often target personal information that is related to online gaming, such as:

  • Login credentials;
  • In-game currency;
  • Contacts;
  • Items, etc.

This data can be used for financial gain in the same way that hackers use when they steal private information like name and surname, address, email, social media credentials, etc. (which can also be harvested by cybercriminals in the process).

As is evident, these actions pose serious personal safety concerns and can result in identity theft or money loss. To make sure you do not suffer such consequences, remove the virus as soon as possible. For that, you should install reputable security software such as SpyHunter 5, Combo Cleaner or Malwarebytes and perform a full system scan.

Security researchers[6] warn that RATs can disable anti-virus programs in some situations, so starting the computer in Safe Mode with Networking is an option. Finally, if you feel that your computer does not work just as well as before malware intrusion, you can scan it with Fortect or Intego to fix virus damage and repair the registry, which will make your computer work as well as before virus infection.

KawaiiBot virus is a hoax, although server owners should be careful when implementing bots, as they might be used for malicious purposes in Discord

Discord's KawaiiBot is not a virus, although recently, a heated debate arose between users of the app as well as safety advocates. The bot can be found on the official website hxxps://kawaiibot.xyz (it does not need to be downloaded to the machine to be functional), and its source code can be viewed online on GitHub.

Nevertheless, the rumor of KawaiiBot virus began when a user under the name of Cia posted a highly-shared post that read:

As most of you know, a virus attacked discord a little ago and hijacked thousands of accounts. The creators of this virus are at it again, and have announced that they are going to “nuke discord” on the 27th of July.

To prevent your account from being interfered with, we strongly advise:
1. Enabling two-step authorization in your discord settings.
2. Leaving any server you're in that has KawaiiBot and/or banning KawaiiBot from any server you own or staff in.

The user then proceeds to talk about how the alleged attack will be performed on the 27th of July. However, the KawaiiBot Discord virus rumor was quickly debunked by its developer AlexFlipnote – the bot runs on a secure server and does not have a function for stealing sensitive information like login details from other users.

AlexFlipnote explained the situation in detail: the KawaiiBot bug relied on permission settings that allowed certain unauthorized parties to use the bot to proliferate malicious links that led to malware-laden or spoofing websites (otherwise known as “Nuking Discord”).[7] The solution to this problem is simple: server owners should always use relevant permissions – no bot should have Administrator or “Mention Everyone” access.

In other words, KawaiiBot virus does not exist; any malicious activity connected to the bot is prompted via fake links used by cybercriminals. Users can avoid Discord account compromise if they enable two-factor authentication and never provide their login information on spoofing or other phishing sites. Finally, do not be scared of using servers that use KawaiiBot – it is safe.
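The permission advice above can be checked mechanically. The following is an added example, not code from KawaiiBot, Discord or the article: it decodes the permissions value of a bot invite link and of bot-managed server roles and reports the two permissions named above. The bit values follow Discord's published permission flags; the invite link, client ID and role list are constructed sample data.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Bit values from Discord's published permission flags.
RISKY = {"Administrator": 1 << 3, "Mention Everyone": 1 << 17}
RISKY_MASK = sum(RISKY.values())


def risky_permissions(bits):
    """Names of the two permissions the article warns about that are set in bits."""
    bits = int(bits)  # the API reports role permissions as a decimal string
    return [name for name, flag in RISKY.items() if bits & flag]


def audit_invite(url):
    """Decode a bot invite link and propose one without the risky bits."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if "bot" not in query.get("scope", [""])[0].split():
        return None  # not a bot invite, nothing to audit
    bits = int(query.get("permissions", ["0"])[0])
    reduced = bits & ~RISKY_MASK
    query["permissions"] = [str(reduced)]
    safe_url = urlunsplit(parts._replace(query=urlencode(query, doseq=True)))
    return {"requested": bits, "risky": risky_permissions(bits),
            "reduced": reduced, "safe_url": safe_url}


def audit_roles(roles):
    """Map each integration-managed (bot) role to the risky permissions it holds."""
    report = {}
    for role in roles:
        found = risky_permissions(role["permissions"])
        if role.get("managed") and found:
            report[role["name"]] = found
    return report


# Constructed sample data: a hypothetical bot invite and three server roles.
SAMPLE_INVITE = ("https://discord.com/oauth2/authorize"
                 "?client_id=000000000000000000&scope=bot&permissions=134152")
SAMPLE_ROLES = [
    {"name": "ExampleBot", "permissions": "8", "managed": True},
    {"name": "OtherBot", "permissions": "3072", "managed": True},
    {"name": "Moderators", "permissions": "131072", "managed": False},
]

if __name__ == "__main__":
    print(audit_invite(SAMPLE_INVITE))
    print(audit_roles(SAMPLE_ROLES))
```
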

KawaiiBot virus is a hoax - the bot cannot be used to steal sensitive user information, while malicious links embedded via using the bot can. Therefore, server owners should always ensure to enable relevant permissions to KawaiiBot to avoid malicious actors from abusing it via the "at everyone" function

Most prominent versions, scams and hoaxes

There are tons of scams and malware that use this platform's name to spread around and mislead users. Some of the phishing links work for only a few months, until malware researchers report them, and are not that dangerous besides being misleading or deceptive. But malware creators also renew their campaigns and release updated versions of malware, revamp their malicious sites, and otherwise remain active with the same Discord malware version, so these are a few of the most dangerous ones, worth in-depth description and warnings:

Discordhookhelper.exe virus

Discord Hook Helper virus term originated from several discussion boards on Reddit[8] and other sources, where users claimed that their Kaspersky, AVG, or Avast security software flagged Discordhookhelper.exe as malicious. The file itself resides in the subfolder of C:\Users\username\AppData\Roaming\discord\version\modules\discord_hook and can be found on Windows operating systems running the app.

Additionally, some users complained that the chatting app itself is constantly trying to install Discordhookhelper.exe as soon as the app is opened, which prompted many to believe that it is unusual behavior and that file might be a virus. However, in most cases, this component is legitimate and is responsible for scanning users' machines during the gameplay (the feature shows users' contacts which games are being played by them), as well as overlay communication features.

The reason why AV engines marked the file as malicious is simply a false positive, as confirmed by the app itself on Twitter.[9] Nevertheless, that does not mean that Discordhookhelper.exe virus infection is impossible, as hackers can name executables as they want, so each of the cases should be investigated further. We advise users to perform a scan with alternative anti-malware software or upload the file to VirusTotal or another online file analysis service.

Discord Spidey Bot virus

October of 2019 brought new reports about malware involving the chatting platform. A new piece of malware dubbed Spidey Bot was discovered affecting Windows Discord clients by altering the application's code. Reports revealed that the client's HTML, CSS, and JavaScript functionality allows malware creators to modify important core files to execute malicious behavior once the actual application is closed and the malicious one restarted instead.

It is suspected that this malware travels via chats, posing as cheats for games while actually installing malicious software. It is hard to tell if you have this malware on the system since it has no distinct symptoms and doesn't alter particular features on the machine.

Spidey Bot injects itself into Discord's code and aims to steal usernames, email addresses, IP addresses, phone numbers, app information, and payment details. Also, the threat copies the last 50 characters saved in the clipboard. Unfortunately, that is the biggest issue that can pose dangers to your identity and privacy because passwords, credit card credentials, and similar information that may be copied there can be used in secondary scams and malicious campaigns.

The best method that helps to remove malware is anti-malware tools and full system scans, but you can also check to see if the virus is running on the system. Spidey Bot mainly targets these files in the app's folders:

%AppData%\Discord\[version]\modules\discord_modules\index.js
%AppData%\Discord\[version]\modules\discord_desktop_core\index.js

Open each of those using Notepad: one line of code should be in both of them. When there is more than a single code line, you can be sure that the Discord build on your PC is compromised.
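The same check can be scripted across every installed client version instead of opening each file by hand. This is an added example, not code from the article or from Discord: it applies the one-line rule to the two files listed above and also counts require() calls, which is an extra heuristic assumed here for payloads appended to the same line. The file contents used by demo() are constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# Module files the article names as Spidey Bot targets, relative to the
# "modules" folder of each Discord version under %AppData%.
TARGETS = ("discord_modules/index.js", "discord_desktop_core/index.js")


def code_lines(text):
    """Return the lines that hold code, ignoring blanks and JS comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop block comments
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("//")]


def inspect_file(path):
    """Apply the article's rule (exactly one line of code) to one file."""
    lines = code_lines(Path(path).read_text(encoding="utf-8", errors="replace"))
    # Extra heuristic (assumption, not from the article): a payload can be
    # appended to the same line, so count require() calls as well.
    requires = len(re.findall(r"\brequire\s*\(", "\n".join(lines)))
    reasons = []
    if len(lines) != 1:
        reasons.append(f"{len(lines)} lines of code, expected 1")
    if requires > 1:
        reasons.append(f"{requires} require() calls")
    return {"path": str(path), "lines": len(lines), "requires": requires,
            "suspicious": bool(reasons), "reasons": reasons}


def scan(discord_root):
    """Inspect the target files in every version folder under discord_root."""
    root = Path(discord_root)
    findings = []
    if not root.is_dir():
        return findings
    for version_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for rel in TARGETS:
            candidate = version_dir / "modules" / rel
            if candidate.is_file():
                findings.append(inspect_file(candidate))
    return findings


def demo():
    """Scan a constructed folder tree: one clean build, one tampered build."""
    clean = "module.exports = require('./core.asar');\n"          # constructed
    tampered = clean + "require('./constructed_extra_module');\n"  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        for version, body in (("0.0.1", clean), ("0.0.2", tampered)):
            for rel in TARGETS:
                target = Path(tmp, version, "modules", rel)
                target.parent.mkdir(parents=True)
                target.write_text(body, encoding="utf-8")
        return [(Path(f["path"]).relative_to(tmp).parts[0], f["suspicious"])
                for f in scan(tmp)]


if __name__ == "__main__":
    appdata = os.environ.get("APPDATA")
    if appdata:  # on Windows, scan the real client folder
        for f in scan(Path(appdata) / "Discord"):
            print("SUSPICIOUS" if f["suspicious"] else "ok", f["path"], *f["reasons"])
    else:        # elsewhere, run against the constructed sample tree
        print(demo())
```

A flagged file is a reason to reinstall the client from the official site and change the account password, not proof of a specific malware family.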

Discord virus phishing campaign: a term that names various malicious campaigns spreading on this network including phishing campaigns and malware dropping

Discordgg.ga phishing link

The campaign starts with a direct message from somebody in the friend list, which prompts users to open a fake link discordgg.ga – it seems to be connected to the official app site. Unfortunately, when looking closely, you can see that this website is a mockup of the official social network page. The phishing message claims that you can get the Discord Nitro for free, which is a scam.

Unfortunately, by falling for the discordgg.ga virus, you allow scammers to obtain account information that can be used to spread the campaign further. The embed of the link is forged, and the redirect leads to a site that records information. In other words, if you are receiving a link from your friend that prompts you to click on a discordgg.ga link, it means his or her account got hijacked in this exact way.

Here's what the phishing message looks like:

Yo, friend gave me a referral link to get Discrod nitro for free
https://discordgg.ga/nitro/redeem/nA94n19amD9a4
It worked on my alt, but you can only apply one per IP So try it out 🙂
If you already have nitro it will give you the next month free

Once the malicious link is clicked, it brings you to the spoofing site,[10] which asks you to enter your login information, allegedly to receive Discord Nitro for free. Hackers then lock you out of the profile and can DM other server members and group chats with the malicious links. You can make a new account and try to inform as many people in your circle as possible about the phishing campaign.

You can attempt to log these people out of the account by changing the password and enabling two-factor authentication. Don't fall for the scam when you receive such a message from a friend or a person you know, and inform that friend that they have a virus and a compromised account.

Although the Discordgg.ga domain got banned by the company itself, this campaign might repeat itself via other malicious sites. Keep the machine clean from such threats by employing tools based on their detection rates[11] and later eliminating virus damage by scanning the system with the Fortect or Intego tool.
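Because the campaign can return under other domains, blocking discordgg.ga alone is not enough; a moderation bot or mail filter can instead flag any link whose host imitates the brand without belonging to it. This is an added example, not code from the article or from Discord: the allowlist of official domains is an assumption to adjust, and the sample input is the message quoted above.

```python
import re
from urllib.parse import urlsplit

BRAND = "discord"
# Assumption: adjust this allowlist to the official domains you rely on.
OFFICIAL = ("discord.com", "discord.gg", "discordapp.com",
            "discordapp.net", "discord.gift")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# The phishing message quoted in the article, used as sample input.
PAGE_MESSAGE = (
    "Yo, friend gave me a referral link to get Discrod nitro for free\n"
    "https://discordgg.ga/nitro/redeem/nA94n19amD9a4\n"
    "It worked on my alt, but you can only apply one per IP So try it out\n"
)


def osa_distance(a, b):
    """Edit distance that also counts an adjacent swap as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def near_brand(token):
    """True if some stretch of token is within one edit of the brand name."""
    for size in (len(BRAND) - 1, len(BRAND), len(BRAND) + 1):
        for start in range(max(len(token) - size, 0) + 1):
            if osa_distance(token[start:start + size], BRAND) <= 1:
                return True
    return False


def classify_host(host):
    """Return 'official', 'lookalike' or 'other' for a hostname."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    if any(near_brand(tok) for tok in re.split(r"[.\-]", host) if tok):
        return "lookalike"
    return "other"


def triage(message):
    """Classify the host of every http(s) link found in a chat message."""
    results = []
    for url in URL_RE.findall(message):
        try:
            host = urlsplit(url.rstrip(".,;:!?)")).hostname or ""
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            results.append((url, "unparseable"))
            continue
        results.append((host.rstrip("."), classify_host(host)))
    return results


if __name__ == "__main__":
    print(triage(PAGE_MESSAGE))
```

The one-edit tolerance also flags unrelated words that sit close to the brand name, so treat a "lookalike" verdict as a prompt for review rather than an automatic block.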

Discord network virus: a term used to describe malicious links, phishing DMs and other suspicious activity that is initiated by malicious parties via the app

A chat program that rapidly gained popularity

Many users have used chatting programs since mIRC and ICQ times, later turning to Skype and Facebook Messenger. Gamers used TeamSpeak, Mumble, and Ventrilo for their communications, but these often required players to share various IP addresses and/or were not free to use and were resource-heavy, which is a huge disadvantage when playing games.

Thus, Discord was created in 2015 as an alternative VoIP application that is lightweight, innovative, and user-friendly. Additionally, it was supported on multiple platforms, including Windows, Android, macOS, iOS, Linux, as well as the web browsers, and can be used in 27 different languages. The app's simplicity is what added to its popularity, as any user can create a server or a group in just a few seconds. Thus, the user count that used the app grew, and, according to the latest statistics, this program is favorited by 250 million users worldwide (July 2019 data).

Unfortunately, bad actors reacted to the app's booming fame and were well prepared to use Discord malware for their malicious deeds. While some criminals hosted viruses on the created servers, others use the platform as an alternative to the black market on the Dark Web and sell sensitive information or malware.

Discord phishing: some viruses that are spread on the platform might even try phishing your data.

Platform is used to distribute viruses and other malware

Discord users can upload files like pictures, videos, and other attachments on the application using the chat feature. Since the app allows anybody to upload almost all kinds of data, malware authors can use the feature to their advantage. While the app's team applied additional security measures over time, malware on the platform is still prevalent and should be taken seriously.

Users are merely baited to open the malicious attachments in sophisticated phishing attacks via the created servers' chat function. Some attackers don't even have to create their own servers, as they can manually post the virus on the server they have been invited to.

To avoid the dangerous consequences of the data-harvesting malware, users should never click on suspicious links in chats, even if they come from people on their friend list. Users reported that particular instant invite messages were turned into malicious links without their knowledge.

Remove viruses and protect your computer

To remove Discord virus from your computer, you will have to employ reputable security software. Remote Access Trojans often use obfuscation techniques and show no symptoms of presence whatsoever. Therefore, detecting malware without using professional tools might be impossible. Additionally, if you recently clicked on a link that you think might be suspicious, you should immediately assume that malware could be hiding on your computer.

Download SpyHunter 5, Combo Cleaner or Malwarebytes, or another powerful anti-malware app for effective virus removal. Make sure that the security software is up to date before performing the scan. In case the malicious software prevents you from starting anti-virus correctly, enter Safe Mode with Networking as explained below.


Getting rid of Discord virus. Follow these steps

Manual removal using Safe Mode

In case malware is blocking security software from working properly, enter Safe Mode with Networking the following way:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal is best performed in the Safe Mode environment.

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot.
  7. Go to Advanced options.
  8. Select Startup Settings.
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
  5. Go back to the process, right-click and pick End Task.
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove Discord virus using System Restore

To stop the virus from operating, use the System Restore function:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of Discord virus. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download Fortect or Intego, scan your computer with it, and make sure that Discord virus removal is performed successfully.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Discord virus and ransomware, use reputable anti-spyware, such as Fortect, Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.

How to prevent from getting system tools

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by the government or any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services and platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Jake Doevan - Computer technology expert