Severity scale:  

Remove Skeleton-Key (Virus Removal Guide) - updated Dec 2019

removal by Gabriel E. Hall - - | Type: Trojans

Skeleton Key is dangerous malware that targets 64-bit Windows machines that are protected with a single-factor authentication method

Skeleton Key virusSkeleton Key is a stealthy virus that spawns its own processes post-infection

Skeleton Key is a Trojan that mainly attacks corporate networks by bypassing the Active Directory authentication systems, as it abuses the single-factor authentication function. In other words, those who use a single password to access their Windows machines connected to a network are in particular danger of being infected with Skeleton Key malware. The malicious actors behind the malware strain can simply use any password and log in as any user, all while not impacting the access of other users connected to the same network.

As soon as the Skeleton-Key virus is installed, it gains access to systems' e-mail and the VPN services and starts harvesting information on the infected device. In such a way, users' passwords, credit card information, and other sensitive data can be easily compromised. The best way to protect yourself from Skeleton-Key malware is to enable two-factor authentication instead of using a simple password for computer protection. Luckily, Skeleton Key is relatively flawed, so its prevalence is limited.

Name Skeleton-Key, Skeleton Key
Type Malware, Trojan, keylogger
Intrusion  hackers use domain administrator credentials as a primary infection vector; alternatively, the virus can be deployed with the help of an already installed malware
Malware sample  Security researchers analyzed Skeleton Key sample that was named ole64.dll
Other elated files  ole.dll, .msuta64.dll 
Systems affected  64-bit Windows versions only 
Associated risks Loss of personal data, identity theft, loss of intellectual property, financial losses, infiltration of other malware
Removal  Get rid of the infection by using the most up-to-date anti-malware software such as SpyHunter 5Combo Cleaner or Malwarebytes
Recovery Reimage Reimage Cleaner Intego can be used to fix virus damage

While Skeleton Key is a relatively primitive piece of malware and has shortcomings, its infection on the system could be devastating due to excessive information gathering, and numerous companies could face significant monetary and intellectual property losses due to it. Those infected should immediately remove Skeleton Key Trojan from their computes and networks immediately using the most up-to-date security software.

Unlike most of the modern-day malware, Skeleton Key infection requires an already compromised machine or access on the network via a malicious employer. In other cases, the Trojan can be deployed with the help of already installed malware. The analysis performed by Dell Secureworks researchers concluded[1] that Skeleton-Key needs to be familiar with the environment before the intrusion. Hackers need to have access to:

  • memory of another server on the network
  • targeted domain controllers
  • domain administrators' workstations

Once deployed, the Skeleton Key virus inserts the malicious ole64.dll file into WINDOWS\system32\ directory and uses PsExec[2] utility to launch itself remotely. Hacker's password is generated in an NTLM format rather than plain text, allowing him/her to log in as any user on the network and then move laterally. After the intrusion, the malicious DLL file is deleted from the machine.

Skeleton Key malwareSkeleton Key is a type of malware that can bypass single-factor authentication to access Windows machines and steal sensitive data

Skeleton Key weaknesses include its inability to infect 32-bit-based Windows systems and Windows server versions beginning 2012, as well as not monitoring network traffic on the host. Additionally, one of the main downfalls of the malware is that it needs to be reinstalled each time the server is rebooted in order to perform operations on the host.

According to researchers, malicious actors managed to infect multiple organizations with Skeleton Key. While the infection is relatively old, it can still be used by hackers and might also be improved to include more functions.

For Skeleton Key removal, victims need to install anti-malware software which could detect the malicious DLL file as well as its code injections into the LSASS process's memory. In the case of system malfunctions post-removal, users should scan their machines with Reimage Reimage Cleaner Intego.

Organisations should protect their networks accordingly

Security researchers reported that Skeleton Key needs to be familiar with the environment where the target computers are located. For example, a malicious employee who was bribed or contacted by hackers could access corporate computers and infect them with malware. Unfortunately, the key characteristic of the infection is stealth, and one person who is not fair is enough to compromise an entire network and compromise even the most sensitive corporate data.

Thus, security researchers advise to take countermeasures to prevent data-stealers:

  • Implement multi-factor authentication[3] methods for regular computer access, as well as remote email services and the VPN;
  • Security personnel should conduct audits that check from unexpected appearance of PsExec.exe, rundll32.exe and process arguments similar to NTLM hashes;
  • Protecting their networks with comprehensive security solutions;
  • Ensuring integrity of the employees by conducting security training sessions.

Skeleton Key imperfectionsWhile Skeleton Key lacks in persistence, it is a threat that should be ignored, as it might result in corporate data leak

Skeleton Key virus removal

Skeleton Key removal can be a real challenge as it deletes its main executable file post-infection and barely leaves any traces. However, finding these traces manually can only be done by professional IT experts. Most of the modern-day solutions should be able to track and detect the initial .dll file and even stop its further expansion. Nevertheless, for Skeleton-Key removal, users should employ anti-malware software and run a full system scan.

Note that in some cases, Skeleton key virus might not be the only threat residing on the system, as often happens with Trojans. Therefore, it is possible that anti-malware software might be stopped by those threats in the first place. If that happens, users should access Safe Mode with Networking and perform a full system scan from there. 

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove Skeleton-Key, follow these steps:

Remove Skeleton-Key using Safe Mode with Networking

Go to Windows' Safe Mode with Networking to enable security software to work properly and remove Skeleton Key, as well as other malware:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Skeleton-Key

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Skeleton-Key removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Skeleton-Key and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login. 

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Gabriel E. Hall
About the company Esolutions

Removal guides in other languages

Your opinion regarding Skeleton-Key