Severity scale:  

Remove NanoCore virus (Virus Removal Instructions) - Free Guide

removal by Olivia Morelli - - | Type: Trojans

NanoCore virus is a sophisticated trojan that threat actors utilize to remotely control the infected machine

NanoCoreNanoCore virus is a remote access trojan (RAT) that allows the attackers to take over the host machine

NanoCore virus is a backdoor and a remote access trojan that is used in a variety of campaigns by various cybercriminal groups. The malware is typically distributed with the help of malicious spam email attachments,[1] where hackers use botnets to send thousands of emails to malicious victims, although users could also get infected with it once they download an infected file from a third-party site. Some variants of NanoCore RAT were spotted using a fileless infection[2] method – malicious files are embedded into memory instead of writing them on the disk, which provides the malware with increased stealth capabilities.

The main function of NanoCore virus is to grant remote access to the computer to threat actors. Once that is achieved, they can control the machine in many different ways, such as take screenshots, record keystrokes, collect passwords, gather technical information, steal emails, and much more. NanoCore is one of the most dangerous RATs, available to buy or even get for free, as the source code has been leaked multiple times online.

Name NanoCore virus 
Type Remote Access Trojan
Operation Deactivates Windows recovery functions like startup repair and restore points, disables the Task Manager and UAC, modifies Windows registry, opens a backdoor, etc.
Activities NanoCore allows malicious actors to take complete control over the infected machine: take screenshots, steal passwords, record keyboard inputs, send spam, steal files, and perform other actions
Similar RATs NjRat, NetWire, Orcust, Poison-Ivy, DarkComent, etc.
Distribution methods  Malicious spam email attachments and infected files downloaded from various websites 
Main malware components  ufj=ked, cxf.exe, qnb.jpg
Related process Default Document Handler (32 bit)

AV detection on Virus Total:

  • AI:Packer.EF0DFF6317
  • W32/NanoCore.E!tr
  • Backdoor.MSIL.NanoBot.alqf
  • Trojan.GenericKD.41192708 (B)
  • Win-Trojan/AutoInj.Exp
  • Backdoor:MSIL/Noancooe.B
  • Trojan.Script.Nanocore.fpbxft, etc.
Termination Access Safe Mode with Networking as explained below and perform a full system scan
System recovery  RATs heavily modify Windows settings and alter various system files. Post-removal, the files might remain damaged, resulting in the computer malfunction, crashes, errors, etc. To recover from malware infection without having to reinstall the operating system, you can use ReimageIntego repair tool 

Besides gathering information, NanoCore is also capable of opening a backdoor – meaning, that the threat actors can use the machine for other malicious purposes, such as sending spam emails from it (basically, including it into the already existing botnet) and proliferating other malware. As a result, the trojan can spread to other victims much faster, and also infect hosts with devastating malware like ransomware. NanoCore virus removal is necessary for the safety of any machine and as well as its owner.

To remove NanoCore virus from the system, infected users should access Safe Mode with Networking and perform a full system scan with powerful anti-malware software. For more details, please refer to the bottom section of the article.

NanoCore is a modular malware – it incorporates various modules, each of which is responsible for different tasks on the infected computer. Upon initial execution of the malicious payload, the malware performs a variety of Windows system changes, including:

  • Checks for the prescience of anti-virus software;
  • Checks whether it encountered a sandbox environment or a virtual machine – exists if that is the case;
  • Places a randomly-named executable into the %APPDATA% folder, which is set to “read-only” and “hidden” setting;
  • Deletes certain settings profiles within the %APPDATA% folder;
  • Heavily modifies various keys within the Windows registry.

For persistence, NanoCore virus disables the User Account Control (UAC), disables the Task Manager, removes system restore points, and adds a Windows Update key to the registry to boot with every system launch.

NanoCore virusNanoCore is a type of malware that disables several Windows functions in order to spy on the infected users

During the analysis of NanoCore virus, the researchers from Morphisec[3] found that the malware is written relatively badly, as it contains a variety of useless code lines, bad values, and meaningless comments, which required cleaning. Nevertheless, much of the malware code was obfuscated or encrypted.

Currently, NanoCore is one of the most sophisticated and dangerous RATs available to threat actors – they also more often than not use legitimate Windows processes in order to inject malicious files into the machine's memory instead of the disk, remaining undetected during the whole process.

Fileless infection methods might prevent AVs to stop the intrusion of NanoCore

NanoCore trojan is a multi-stage malware, which means that it uses several different stages to infect the machine. This functionality is particularly useful as it helps the virus to evade detection, disable certain vital Windows functions, and remain on the system undetected.

NanoCore virus has been mainly distributed by malicious email attachments – these usually use social engineering in order for the victim to open the malicious document. Most commonly, threat actors copy the attributes of an official company and try to make users believe that the attachment contains important information, which prompts them to open it. In most of the cases, hackers leverage malicious macros and scripts embedded within .docx, .vbs, .pdf, and other files.

There are three different ways NanoCore virus starts its infection process:

  • Changing the original Autoit3.exe into a malicious cxf.exe 
  • Using PowerShell commands.
  • Using the malicious AutoIT script.

While all of these methods differ in the background, they all result in the download and execution of the malicious NanoCore trojan. In some cases, the usage of a malicious AutoIT script, which is a legitimate tool which allows the administrators to automate Windows GUI and general scripting, allows the attackers to bypass the User Account Control and infect the malicious payload directly into memory, preventing anti-virus tools from spotting the entry of malware.

NanoCore fileless infectionNanoCore is known to use fileless infection - a method where data is written into memory instead of the hard disk

Delete NanoCore virus for your own safety

The main danger of remote access trojans is that they rarely emit any obvious symptoms that less experienced computer users would notice. Nevertheless, the presence of NanoCore virus on the computer can be immediately spotted after notifying that several Windows functions don't work as intended (for example, pressing Ctrl + Shift + Del would not call up a Task Manager since it is disabled by malware) and several processes and other entries are present on the system. Therefore, if you notice that Windows does not do what it is supposed to do, you should scan your machine with anti-malware software and remove NanoCore at once – refer to the instructions below.

Note that stopping the malware might prove difficult for many anti-virus programs, as it often uses a fileless infection method – this prevents AVs from detecting the initial malicious activity. Nevertheless, most of the advanced security solutions should be capable of performing NanoCore virus removal as soon as it starts to perform its post-infection activities. Therefore, it is vital to keep a powerful anti-malware running on the system at all times.

Once you get rid of NanoCore trojan, you might find that Windows is broken – it crashes, errors pop-up often, programs don't launch, etc. This is very common after a malware infection, as it heavily modifies system files, and, once anti-virus removes malicious entries, the infected files remain broken. To fix that, we highly recommend using ReimageIntego – it can repair the OS without the need to reinstall it.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove NanoCore virus, follow these steps:

Remove NanoCore using Safe Mode with Networking

Access Safe Mode with Networking in order to perform a full system scan with anti-malware and remove NanoCore virus:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove NanoCore

    Log in to your infected account and start the browser. Download ReimageIntego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete NanoCore removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from NanoCore and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions