WSH RAT Removal Guide

Do you know what WSH RAT is?

WSH RAT is a malicious application, or Trojan, that can enter your system without any permission. Our computer security specialists say that once the threat settles in, it works silently to hide its presence. Thus, it might be difficult to notice, especially if you do not perform regular system scans. The malware is highly dangerous because it can download more infections; for example, the sample we tested downloaded a keylogger. We explain more about how the threat works and the other malicious tools it could download further in this report, so if you came here to learn more about WSH RAT, we recommend having a look at the rest of this article. At the end, you can find our removal guide, which may help you get rid of the Trojan manually. Needless to say, it might be easier and safer to use an antimalware tool instead, so if you do not feel like erasing this infection manually, we encourage you to employ a reputable security tool of your choice.

According to our researchers, WSH RAT might stand for Windows Script Host remote access Trojan. Windows Script Host is the Windows component used to execute scripts on Windows devices. Our computer security experts say that the Trojan is similar to an old RAT infection called Houdini, which was distributed through VBS scripts. As for WSH RAT, we believe it could be spread similarly, for example, as an obfuscated JavaScript file. Such files are most likely spread through spam emails. For instance, they might be disguised as invoices or other data that would not look dangerous to potential victims. To stay safe, we encourage our readers to stay away from unreliable email attachments. An untrustworthy email attachment is a file received from an unknown sender, a file obtained with spam, data sent with suspicious messages scaring you into opening it, and so on. If you ever doubt whether a file is harmful or not, you should either avoid it or scan it with a reputable antimalware tool.

Once a victim opens a malicious file carrying WSH RAT, the malware drops randomly named .js files in the %APPDATA% and %APPDATA%\Microsoft\Windows\Start Menu\Startup directories. Then the Trojan might connect to a server called doughnut-snack.live and download more malicious tools. Their launchers might be disguised as klplu.tar.gz, bpvpl.tar.gz, and mapv.tar.gz. In reality, all three listed files are executables, and each of them launches a different malicious tool. For example, the WSH RAT sample our specialists tested dropped a keylogger titled AgentTesla. Such an application could be used to record various sensitive information. The other programs the malware may download work as an email credential viewer and a browser credential viewer. It would seem that the Trojan's developers' goal is to spy on their victims and gather various information about them.

Information about you could be used to take over your accounts, to blackmail you, to scam you, and so on. To prevent this from happening, we recommend removing WSH RAT as soon as possible. To delete it manually, you could try to complete our removal guide below. Naturally, it might be easier to deal with the Trojan using an antimalware tool, and if you like this idea better, you should not hesitate to employ a legitimate security tool. Once the system is malware-free, it is the best time to think about what kind of information the Trojan might have been able to obtain and how to make sure that hackers cannot misuse it.

Erase WSH RAT

  1. Press Ctrl+Alt+Delete.
  2. Pick Task Manager and check the Processes tab.
  3. Locate a process belonging to the malware.
  4. Choose the process and click End Task.
  5. Exit Task Manager.
  6. Press Windows Key+E.
  7. Navigate to the suggested paths:
    %TEMP%
    %USERPROFILE%\Desktop
    %USERPROFILE%\Downloads
  8. Find the file opened when the device got infected, right-click the malicious file and select Delete.
  9. Locate these directories:
    %APPDATA%
    %APPDATA%\Microsoft\Windows\Start Menu\Startup
  10. Look for randomly named .js files, e.g., {random characters}.js (each location should contain one such file), right-click the malicious files and choose Delete.
  11. Then go to %TEMP%.
  12. Check for suspicious .exe or .js files with random names; if you find any, right-click them and select Delete.
  13. Exit File Explorer.
  14. Press Windows Key+R, type Regedit and choose OK.
  15. Navigate to this path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  16. Look for a value name belonging to the Trojan, right-click it and press Delete.
  17. Close the Registry Editor.
  18. Empty the Recycle Bin.
  19. Restart the computer.
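As an added example that is not part of the original guide, the following PowerShell script inventories the persistence locations described in the report and walked through in the removal steps: dropped .js files in %APPDATA% and the Startup folder, randomly named payloads in %TEMP%, Run-key values that invoke Windows Script Host, and live wscript.exe/cscript.exe processes. It only reports candidates for a human to review and deletes nothing; checking the per-user HKCU Run key as well, and the short lowercase random-name pattern, are our assumptions rather than details from the report.

```powershell
# Added example, not from the original guide: read-only inventory of the
# places WSH RAT is described as using. Run from an elevated prompt so the
# HKLM Run key is readable. Nothing here modifies the system.

$appData = $env:APPDATA
$startup = [Environment]::GetFolderPath('Startup')   # the Start Menu Startup folder
$temp    = $env:TEMP
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # assumption: per-user key too
)

# 1. Script files dropped directly into %APPDATA% and the Startup folder.
#    The guide says each location should hold one randomly named .js file.
foreach ($dir in @($appData, $startup)) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in @('.js', '.jse', '.vbs', '.vbe', '.wsf') } |
        ForEach-Object {
            [pscustomobject]@{ Where = 'Dropped script'; Item = $_.FullName; When = $_.LastWriteTime }
        }
}

# 2. Randomly named .exe/.js files staged in %TEMP% (step 12 of the guide).
#    Heuristic (assumption): short, all-lowercase alphanumeric base names.
Get-ChildItem -Path $temp -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in @('.exe', '.js') -and $_.BaseName -match '^[a-z0-9]{4,12}$' } |
    ForEach-Object {
        [pscustomobject]@{ Where = 'Temp payload'; Item = $_.FullName; When = $_.LastWriteTime }
    }

# 3. Run-key values that launch Windows Script Host or point at a script (step 15).
foreach ($key in $runKeys) {
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $values) { continue }
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSChildName, ...
        if ("$($prop.Value)" -match '(?i)wscript|cscript|\.jse?\b|\.vbe?\b|\.wsf\b') {
            [pscustomobject]@{ Where = "Run key $key"; Item = "$($prop.Name) = $($prop.Value)"; When = $null }
        }
    }
}

# 4. Live Windows Script Host processes and the script each was started with (steps 2-4).
Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe' OR Name = 'cscript.exe'" |
    ForEach-Object {
        [pscustomobject]@{ Where = 'WSH process'; Item = $_.CommandLine; When = $_.CreationDate }
    }
```

Pipe the output to Format-Table or Export-Csv to keep a record of what was found before anything is removed.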

In non-techie terms:

WSH RAT is a Trojan that can download more malicious applications onto the system to spy on the user, steal their sensitive information, and so on. Thus, it is safe to say it is best to get rid of this malware at once if you find it on your system. If it has been on a device for quite some time, we recommend assuming that data such as login credentials typed during this time could be compromised. What we recommend is changing compromised passwords and doing all you can to ensure hackers will not be able to misuse any information they might have obtained while WSH RAT was on your system. To eliminate the Trojan, you could try to complete the steps in the removal guide above. The process might be complicated, which is why it might be easier to use a legitimate antimalware tool instead. If you have any questions, keep in mind that you can leave a message at the end of this page.