WSH RAT Removal Guide

Have you recently opened a suspicious email message sent to you by your bank, a delivery courier, or some other company? WSH RAT could have slithered in if you have done that. Needless to say, legitimate and reputable companies have nothing to do with this malware, but the attackers know very well how to manipulate careless computer users. Without a doubt, you want to be very cautious whenever you receive any email message. If there is anything suspicious – for example, you are asked to confirm a transaction you never made or confirm a delivery of a product you never ordered – it might be best to remove the email message without thinking about it twice. You certainly do not want to open links or attachments sent to you via phishing/spam/scam emails because that is how malware could slither in. Hopefully, you do not need to delete WSH RAT from your operating system, but if its existence has been confirmed already, you want to get rid of this malware ASAP.

The misleading email message used for the distribution of WSH RAT is meant to trick you into following a href link represented via an attachment. This link automatically pushes to download a .zip archive, and this kind of activity is definitely suspicious. If you do not suspect a scam, the moment that you download the archive, the dangerous infection is executed, but, of course, you are not supposed to realize it. The RAT – which, by the way, stands for “remote access tool” – has a payload that is dropped to %APPDATA% and %APPDATA%\Microsoft\Windows\Start Menu\Startup folders. A point of execution (PoE) is created in HKLM\SOFTWARE\Microsoft\Windows\Current Version\Run. The names of the payload file and the PoE are random, and so identifying and removing these components manually can be difficult for the inexperienced users. Speaking of the infection’s components and structure, it is important to note that WSH RAT appears to be a modified version if the infamous Houdini RAT, also known as Hworm. Also, WHS stands for “Windows Script Host,” which is a legitimate application that executes scripts on Windows.

Although the files of WSH RAT are malicious and require removal, it is the additionally retrieved files that we need to be most cautious about. According to our research team, the infection silently connects to doughnut-snack.live and downloads klplu.tar.gz, bpvpl.tar.gz, and mapv.tar.gz files, which are disguised .exe files. These represent a keylogger (e.g., AgentTesla), a mail credential viewer, and, finally, a browser credential viewer. These files are incredibly dangerous for your virtual security because they can be used to extract and leak sensitive information. Clearly, the RAT is primarily used for the theft of credentials. Do you understand how dangerous that is? If the attackers steal your passwords, usernames, and other login data, they could easily hijack your online accounts and impersonate you. This could be used to spread malware amongst your friends and colleagues, gain access to servers, databases, and networks, as well as steal large amounts of sensitive data. Without a doubt, this would be most detrimental if WSH RAT manages to hijack accounts belonging to large companies or government agencies. Unfortunately, we do not know who the target of the infection is, as many different actors could be behind it. That is because the RAT is on sale, and anyone can purchase it for 50 US Dollars per month.

Even if you do not think that you need to remove WSH RAT from your operating system, we strongly advise scanning your operating system using a legitimate malware scanner. If you confirm that you need to remove this dangerous remote access tool, you need to check for the keylogger and other malicious threats as well. Without a doubt, it is a smart move to install an automated anti-malware tool in this situation because it can quickly delete WSH RAT and every single additional threat. If you decide to do it manually, note that you are in for a challenge. The RAT itself and the downloaded components use random names to make it more difficult to find and identify them. Furthermore, no one can guarantee that the malicious infection could not try to slither into your operating system again, which is why implementing reliable security software is strongly recommended.

How to delete WSH RAT

1. Tap Win+E keys to access Explorer.
2. Enter %APPDATA% into the field at the top.
3. Delete the malicious {unique name}.js file.
4. Enter %APPDATA%\Microsoft\Windows\Start Menu\Startup into the field at the top.
5. Delete the malicious {unique name}.js file.
6. Enter %TEMP% into the field at the top.
7. Delete malicious {unique name}.js and {unique name}.exe files (the number of files is unknown).
8. Exit Explorer and then access Run by tapping Win+R keys.
9. Enter regedit into the dialog box and click OK.
10. In Registry Editor, move to HKLM\SOFTWARE\Microsoft\Windows\Current Version\Run.
11. Delete the malicious {unique name} value linked to the %APPDATA%\{unique name}.js file.
12. Empty Recycle Bin and then immediately perform a full system scan using a reliable malware scanner.