Kovter malware analysis: the dangerous Trojan horse has been spreading numerous cyber infections since 2013
Kovter.C is a dangerous trojan that has been known to cyber security specialists since at least 2013. Back then it acted as police-themed ransomware: it posed as a notice from the police and demanded payment. In 2014, the cyber criminals behind it switched tactics and repurposed the trojan for click fraud.
Over time the trojan's operation has become more sophisticated. In mid-2015, researchers spotted a new version of Kovter that had adopted techniques similar to the Poweliks virus: the malware became fileless, keeping its payload in the Windows registry rather than in a file on disk.
Kovter typically spreads via exploit kits, and it has also been seen delivered by the popular trojan downloader Nemucod. Once on the system, the malware stores itself in the Windows registry and launches from there through built-in Windows script hosts such as mshta.exe and powershell.exe, so there is no malicious executable on disk for a file-based scanner to find. This is what makes it hard to detect. Antivirus utilities may still report it under names such as Trojan:Win32/Kovter.C, Troj/Kovter-C, or similar.
Once installed, Kovter can give its operator remote access to the affected PC, which lets the attacker control everything installed on it. Commands are typically issued from a command and control (C&C) server.
During its years of activity, Kovter.C has been seen distributing Kovter ransomware, Locky, click-fraud adware and other malicious programs. Although these infections behave differently on the targeted system, the following symptoms suggest that the trojan is present:
- Several mshta.exe or powershell.exe processes running in Task Manager;
- Sluggish computer performance;
- Programs take longer to start;
- Inability to access particular websites;
- An increased number of suspicious online ads;
- Windows PowerShell error pop-ups reporting that a program has stopped;
- Unusual disk activity.
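For readers who would rather check than guess, the following PowerShell script (an example added here, not part of the original article or of any vendor tool) turns the first symptom into a concrete triage check: it lists autostart registry values that hand control to a script interpreter, and every running mshta.exe or powershell.exe together with its command line. The indicator strings and the list of keys are assumptions chosen for this example; tune them for your environment.

```powershell
# Added example, not from the original article: triage checks for Kovter-style
# fileless persistence. Run from an elevated PowerShell prompt on the suspect host.
# The indicator list and the key list are assumptions made for this example.

# Substrings that a legitimate Run entry rarely contains but a registry-resident
# script loader almost always does (assumed indicator list).
$Indicators = @('mshta', 'powershell', 'javascript:', 'vbscript:', 'wscript', 'cscript', 'regsvr32', 'rundll32')

# Autostart locations checked. The Winlogon key is included because its Shell value
# is a classic persistence point.
$AutostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Test-SuspiciousData {
    param([string]$Data)
    foreach ($i in $Indicators) {
        if ($Data -match [regex]::Escape($i)) { return $true }
    }
    return $false
}

function Get-SuspiciousAutostart {
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $reg = Get-Item -Path $key
        foreach ($name in $reg.GetValueNames()) {
            $data = [string]$reg.GetValue($name)
            $hit  = Test-SuspiciousData -Data $data
            # Winlogon\Shell should be exactly "explorer.exe"; anything else is foreign.
            if ($key -like '*\Winlogon' -and $name -eq 'Shell' -and $data -ne 'explorer.exe') { $hit = $true }
            if ($hit) {
                [pscustomobject]@{ Key = $key; Name = $name; Data = $data }
            }
        }
    }
}

function Get-InterpreterProcess {
    # Several mshta.exe / powershell.exe processes are the first symptom listed above;
    # the command line is what tells you why they are running.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.Name -in @('mshta.exe', 'powershell.exe') } |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine
}

Get-SuspiciousAutostart | Format-Table -AutoSize
Get-InterpreterProcess | Format-List
```

A Winlogon\Shell value other than explorer.exe, or a Run value that starts mshta.exe with a javascript: URL, is exactly the registry-resident persistence the article describes. Write such entries down before touching anything; the manual removal steps at the end of the page need them, and an interpreter process whose command line contains a long encoded string is the thing to capture before killing it.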
If you recognize several of these problems, obtain Reimage or another antivirus and run a full system scan. An up-to-date malware removal tool will remove Kovter from the computer quickly and safely.
We do not recommend locating and stopping the malicious processes yourself. Manual Kovter.C removal can lead to irreparable damage to the system, so do not take the risk; rely on a professional security tool instead.
Kovter Trojan is closely related to file-encrypting viruses
In 2013 and 2014, Kovter acted as police ransomware. According to security experts, it may be related to Kovter ransomware. After infiltration, the malware displayed a pop-up message claiming that the user had violated the law; for that reason, files on the computer were locked and the user had to pay a ransom.
In 2016 the malware was seen distributing crypto-viruses again. This version of Kovter ransomware had an efficient infiltration mechanism, but its file encryption was not as strong: encrypted data could be recovered without following the hackers' instructions in the ransom note.
Finally, at the beginning of 2017, Kovter was seen distributing the infamous Locky ransomware. The malware spread via malicious spam emails carrying a ZIP archive with a JScript file inside. Once the victim executed the file, both Locky and the Kovter ad-fraud trojan were installed on the computer.
Kovter 2017: click-fraud adware attacked millions of Pornhub visitors
In 2014, the trojan's authors used it for click-fraud activity. Although they later changed the specifics of their crimes, in 2017 they returned to this money-making strategy. In October 2017, malware researchers reported a massive malvertising campaign that targeted millions of Pornhub users. Since this pornographic website is one of the most popular sites in the world, it is no surprise that the attackers chose to launch their campaign there.
The criminals staged a targeted attack on users in the US, Canada, the UK and Australia who visited the adult site with Google Chrome, Mozilla Firefox, Internet Explorer or Microsoft Edge. Internet Explorer and Edge users were asked to install an Adobe Flash Player update, while Chrome and Firefox users were told they needed a critical browser update.
Installing one of these fake updates installed the malware, which then began generating illegal advertising revenue. Although this activity may seem less dangerous than a ransomware attack, users are advised to act quickly. If you visited the site and installed one of these updates, obtain an antivirus tool and remove Kovter as soon as possible.
Distribution methods of the trojan horse and how to avoid it
If you have read the article attentively, you will have realised that different versions of Kovter.C are distributed in different ways. The most common distribution channels are:
- exploit kits;
- malicious spam emails;
- fake browser and Flash Player update prompts served through malvertising.
To avoid a Kovter infection, stay away from pirated software and malicious websites, including adult-themed sites. Security experts from Les Virus also warn that you should never open unknown email attachments or click on suspicious ads offering to download critical updates. Keep in mind that legitimate updates NEVER pop up in your browser.
Instructions for Kovter elimination
If you think your PC has been infected by Kovter.C, do not waste time: scan it with Reimage, Plumbytes Anti-Malware or Webroot SecureAnywhere AntiVirus. It does not matter which version of the malware affected your device; professional security tools can detect and eliminate the infection. However, do not forget to update your chosen tool first.
If your computer is locked and you cannot remove Kovter.C automatically, follow the manual elimination guidelines below. Be careful not to damage the system, and remove all trojan-related files.
Manual Kovter removal instructions:
- Reboot the infected PC into "Safe Mode with Command Prompt" to disable the virus (this should work with all versions of this threat).
- Run Regedit.
- Open the Winlogon key (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) and write down every file listed in its Shell value that is not explorer.exe or blank. Replace the value with explorer.exe.
- Search the registry for the files you wrote down and delete the registry values that reference them.
Reboot and run a full system scan with an updated Reimage to remove any leftovers of the virus.
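The same steps as a PowerShell script (an example added here, not the article's own instructions or any vendor's tool). It exports the Winlogon key before changing anything, resets the Shell value to explorer.exe, additionally resets Userinit to its Windows default (which the steps above do not mention), and then searches HKCU\Software and HKLM\SOFTWARE for other values that reference the foreign files and removes them. The search scope and the dry-run default are choices made for this example.

```powershell
# Added example, not from the original article: the manual removal steps as a script.
# Run from an elevated prompt, ideally in Safe Mode with Command Prompt. With
# $DryRun = $true it only reports; set it to $false to apply the changes. The search
# scope (HKCU\Software and HKLM\SOFTWARE) is an assumption that keeps the run time sane.

$DryRun   = $true
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Backup   = Join-Path $env:TEMP ('winlogon-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# Always export the key first so every change below can be undone with "reg import".
reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' $Backup /y | Out-Null
Write-Host "Winlogon key exported to $Backup"

# Windows defaults: Shell is bare explorer.exe, Userinit ends with a trailing comma.
$Defaults = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

# Steps 3: collect every file listed in Shell/Userinit that is not the default, then reset.
$Foreign = @()
foreach ($name in @($Defaults.Keys)) {
    $current = (Get-ItemProperty -Path $Winlogon -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $current -or $current -eq $Defaults[$name]) { continue }   # blank or default: leave it
    $Foreign += @($current -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -ne $Defaults[$name].TrimEnd(',') })
    Write-Host "Winlogon\$name is '$current'; resetting to '$($Defaults[$name])'"
    if (-not $DryRun) { Set-ItemProperty -Path $Winlogon -Name $name -Value $Defaults[$name] }
}

# Step 4: find and remove other registry values that reference those files.
foreach ($file in ($Foreign | Sort-Object -Unique)) {
    $pattern = [regex]::Escape($file)
    foreach ($hive in 'HKCU:\Software', 'HKLM:\SOFTWARE') {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($valueName in $key.GetValueNames()) {
                if ($valueName -eq '') { continue }   # skip (Default) values; review those by hand
                if ([string]$key.GetValue($valueName) -match $pattern) {
                    Write-Host "Reference to $file in $($key.Name)\$valueName"
                    if (-not $DryRun) {
                        Remove-ItemProperty -Path $key.PSPath -Name $valueName -ErrorAction SilentlyContinue
                    }
                }
            }
        }
    }
}
```

Run it once with the dry-run default and read the report: a value under HKLM\SOFTWARE that merely mentions the file name (an uninstall entry, a most-recently-used list) is harmless, whereas a Run, RunOnce or shell\open\command value that launches it is the persistence you want gone. Only then flip $DryRun to $false, reboot, and finish with the full scan the article recommends.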