LookBack Removal Guide

RATs (remote access Trojans) are pretty common, and so we are not surprised to learn about LookBack, a new RAT that appears to have a very specific target. According to research, this malicious infection is most likely to go after US-based utility companies. Needless to say, the suppliers of electricity, gas, water, and other utilities can be severely affected by successful cyber attacks, and, in turn, the users of these utilities might be affected too. That, of course, depends on the severity of the attack and whether or not the cyber criminals behind it manage to mess with the production or supply chains within the affected companies. The biggest issue with this malware is that once it performs in an intended fashion, it can remove itself, which means that the victim might never find out what exactly had happened. Hopefully, the malicious Trojan does not start invading the systems of regular users, but if it does, we have a few tips that should help you protect your system and delete LookBack successfully.

In July of 2019, LookBack was attacking US-based utility companies, but no one knows what is on the minds of cyber attackers, and we have a sneaking suspicion that they might try to attack companies in an entirely different sector in the future. Governments could be under attack as well, and regular Windows users must not ignore the threat either. In the past, LookBack exclusively used spam emails to spread, and that is what we recommend being most cautious about. The attackers behind the threat were even able to create a domain that resembles one of a legitimate company to trick the targeted users. NCEES stands for National Council of Examiners for Engineering and Surveying, and, without a doubt, it is a trusted and respected organization. The attackers know it, and that must be why they created nceess.com. This is the domain that is attached to the email address that the attackers use to send a misleading message. Whatever the message is and whatever the address is, the goal is to trick the recipient into opening a corrupted file. Most likely, it would be a .DOC file, and the victim would be asked to enable macros upon opening it. If you receive such an email, delete it immediately.

If the victim is tricked into opening macros, LookBack is executed without anyone’s notice. It is dropped to the %PUBLIC% directory, from where it can initiate malicious processes. The threat is pretty powerful as it can move and click the mouse or take screenshots to gather sensitive information. It also can create and delete files, view processes, and execute commands. Furthermore, it can reboot the infected machine and eventually remove itself. LookBack uses a proxy mechanism for C&C communication, and that ensures that it can receive commands remotely. Without a doubt, this Trojan is a dangerous weapon, and if cyber criminals employ it successfully, it could be used to leak highly sensitive data that could help overtake systems remotely or jeopardize the reputation of the affected company. The infection could also mess with the production and supply chains within the company, which, of course, could have a negative impact on a much larger scale.

It is hard to say how the victims of LookBack would discover this malicious threat, but routine system scans are most likely to be successful. Of course, if the threat deletes itself before the scan is conducted, it might remain an incognito attacker. Unfortunately, the effects of this malware can be detrimental to the reputation of the company, as well as the wellbeing of its financial state and even the security of its employees or customers. If the threat is detected, needless to say, it must be eliminated as soon as possible. To remove LookBack, you might need to remove malicious files from the %PUBLIC% directory, as well as the launcher file concealed as a document file. The guide below shows the main steps that must be performed, but do not think that manual removal is your only option. In fact, it is better if you install anti-malware software that can delete the malicious threat automatically because this software also can ensure full-time protection against dangerous malware in the future.

How to delete LookBack

1. Simultaneously tap Win+E keys to launch Windows Explorer.
2. Enter %PUBLIC% into the field at the top.
3. Delete all malicious files (their files are random, and so you must be careful when identifying them).
4. Find and Delete the .doc file that executed the malicious threat.
5. Empty Recycle Bin once you think that all malicious files are deleted.
6. Install and run a reliable malware scanner to check for potential leftovers.