NanoCore virus (Tutorial)

NanoCore virus Removal Guide

What is NanoCore virus?

NanoCore virus is a dangerous trojan that uses spam email campaigns to spread around

NanoCoreThe virus is a remote access trojan (RAT) that allows the attackers to take over the host machine

NanoCore virus is a backdoor and a remote access trojan that is used in a variety of campaigns by various cybercriminal groups. The malware is typically distributed with the help of malicious spam email attachments,[1] where hackers use botnets to send thousands of emails to malicious victims, although users could also get infected with it once they download an infected file from a third-party site. Some variants of NanoCore RAT were spotted using a fileless infection[2] method – malicious files are embedded into memory instead of writing them on the disk, which provides the malware with increased stealth capabilities.

The main function of the virus is to grant remote access to the computer to threat actors. Once that is achieved, they can control the machine in many different ways, such as take screenshots, record keystrokes, collect passwords, gather technical information, steal emails, and much more. NanoCore is one of the most dangerous RATs, available to buy or even get for free, as the source code has been leaked multiple times online.

Name NanoCore virus
Type Remote Access Trojan
Operation Deactivates Windows recovery functions like startup repair and restore points, disables the Task Manager and UAC, modifies Windows registry, opens a backdoor, etc.
Steals Usernames, passwords, account information, email credentials, FTP client information
Activities Threat allows malicious actors to take complete control over the infected machine: take screenshots, steal passwords, record keyboard inputs, send spam, steal files, and perform other actions
Similar RATs NjRat, NetWire, Orcust, Poison-Ivy, DarkComent, etc.
Distribution methods Malicious spam email attachments and infected files downloaded from various websites
Main malware components ufj=ked, cxf.exe, qnb.jpg
Related process Default Document Handler (32 bit)

AV detection on Virus Total:

  • AI:Packer.EF0DFF6317
  • W32/NanoCore.E!tr
  • Backdoor.MSIL.NanoBot.alqf
  • Trojan.GenericKD.41192708 (B)
  • Win-Trojan/AutoInj.Exp
  • Backdoor:MSIL/Noancooe.B
  • Trojan.Script.Nanocore.fpbxft, etc.
Termination Access Safe Mode with Networking as explained below and perform a full system scan
System recovery RATs heavily modify Windows settings and alter various system files. Post-removal, the files might remain damaged, resulting in computer malfunction, crashes, errors, etc. To recover from malware infection without having to reinstall the operating system, you can use FortectIntego repair tool

Besides gathering information, NanoCore is also capable of opening a backdoor – meaning, that the threat actors can use the machine for other malicious purposes, such as sending spam emails from it (basically, including it into the already existing botnet) and proliferating other malware.

As a result, the trojan can spread to other victims much faster, and also infect hosts with devastating malware like ransomware. The proper virus removal is necessary for the safety of any machine and as well as its owner.

To remove viruses from the system, infected users should access Safe Mode with Networking and perform a full system scan with powerful anti-malware software. For more details, please refer to the bottom section of the article.

NanoCore is a modular malware – it incorporates various modules, each of which is responsible for different tasks on the infected computer. Upon initial execution of the malicious payload, the malware performs a variety of Windows system changes, including:

  • Checks for the prescience of anti-virus software;
  • Checks whether it encountered a sandbox environment or a virtual machine – exists if that is the case;
  • Places a randomly-named executable into the %APPDATA% folder, which is set to “read-only” and “hidden” setting;
  • Deletes certain settings profiles within the %APPDATA% folder;
  • Heavily modifies various keys within the Windows registry.

For persistence, NanoCore virus disables the User Account Control (UAC), disables the Task Manager, removes system restore points, and adds a Windows Update key to the registry to boot with every system launch.

NanoCore virusThe malware disables several Windows functions in order to spy on the infected users

During the analysis of the virus, the researchers from Morphisec[3] found that the malware is written relatively badly, as it contains a variety of useless code lines, bad values, and meaningless comments, which required cleaning. Nevertheless, much of the malware code was obfuscated or encrypted.

Currently, NanoCore is one of the most sophisticated and dangerous RATs available to threat actors – they also more often than not use legitimate Windows processes in order to inject malicious files into the machine's memory instead of the disk, remaining undetected during the whole process.

Fileless infection methods might prevent AVs to stop the virus intrusion

NanoCore trojan is a multi-stage malware, which means that it uses several different stages to infect the machine. This functionality is particularly useful as it helps the virus to evade detection, disable certain vital Windows functions, and remain on the system undetected.

The RAT virus has been mainly distributed by malicious email attachments – these usually use social engineering in order for the victim to open the malicious document. Most commonly, threat actors copy the attributes of an official company and try to make users believe that the attachment contains important information, which prompts them to open it. In most of cases, hackers leverage malicious macros and scripts embedded within .docx, .vbs, .pdf, and other files.

There are three different ways virus starts its infection process:

  • Changing the original Autoit3.exe into a malicious cxf.exe
  • Using PowerShell commands.
  • Using the malicious AutoIT script.

While all of these methods differ in the background, they all result in the download and execution of the malicious NanoCore trojan. In some cases, the usage of a malicious AutoIT script, which is a legitimate tool that allows the administrators to automate Windows GUI and general scripting, allows the attackers to bypass the User Account Control and infect the malicious payload directly into memory, preventing anti-virus tools from spotting the entry of malware.

NanoCore fileless infectionThreat is known to use fileless infection - a method where data is written into memory instead of the hard disk

NanoCore trojan elimination is possible

The main danger of remote access trojans is that they rarely emit any obvious symptoms that less experienced computer users would notice. Nevertheless, the presence of NanoCore virus on the computer can be immediately spotted after notifying that several Windows functions don't work as intended (for example, pressing Ctrl + Shift + Del would not call up a Task Manager since it is disabled by malware) and several processes and other entries are present on the system.

Therefore, if you notice that Windows does not do what it is supposed to do, you should scan your machine with anti-malware software and remove all threats at once – refer to the instructions below. You can try SpyHunter 5Combo Cleaner or Malwarebytes for the job.

Note that stopping the malware might prove difficult for many anti-virus programs, as it often uses a fileless infection method – this prevents AVs from detecting the initial malicious activity. Nevertheless, most of the advanced security solutions should be capable of performing NanoCore virus removal as soon as it starts to perform its post-infection activities. Therefore, it is vital to keep a powerful anti-malware running on the system at all times.

Once you get rid of the trojan, you might find that Windows is broken – it crashes, errors pop up often, programs don't launch, etc. This is very common after a malware infection, as it heavily modifies system files, and, once anti-virus removes malicious entries, the infected files remain broken. To fix that, we highly recommend using FortectIntego – it can repair the OS without the need to reinstall it.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of NanoCore virus. Follow these steps

Manual removal using Safe Mode

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from NanoCore and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting trojans

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions