Adwind Virus

Also Known As: Adwind trojan
Type: Trojan
Damage level: Severe

What is Adwind?

Adwind is trojan-type malware that has many other names including (but not limiting to) AlienSpy, Frutas, JSocket, Sockrat, Unrecom, jRAT.

Criminals proliferate this malware in various ways such as spam emails and fake Adobe Flash Player updates. We can also assume that Adwind infiltrates systems with various adware-type programs (via the so-called "bundling" method) that feed users with intrusive advertisements and gather sensitive data.

Spam email spreading Adwind trojan:

Adwind malware

Adwind collects various data, including personal details. According to Kaspersky Lab's research, different versions of Adwind have been used against more than 440,000 private users and various commercial/non-commercial organizations (e.g., finance, shipping, software, education, and so on) between 2013 and 2016.

This trojan virus is capable of recording a wide range of information including keystrokes, saved passwords, etc., and can even record audio/video using microphones and webcams (full list of Adwind's functions). The data is transferred to a remote Command and Control server.

If a connection is unavailable or the server is not responding, the data is stored locally until the connection becomes available. As mentioned above, collected data includes many personal details that can be misused to generate revenue (e.g., criminals can use passwords to transfer money from victims' bank accounts).

In addition, cyber criminals can obtain compromising material, which can be used to blackmail victims. Therefore, the presence of the Adwind trojan can lead to financial losses and privacy issues. Fortunately, most legitimate anti-virus suites are capable of detecting and removing this malware.

Therefore, we strongly advise you to have this precautionary software installed on your computer. If you suspect that your system has been infected with Adwind, immediately perform a full system scan and eliminate all listed threats.

As mentioned above, Adwind can infiltrate the system together with potentially unwanted adware-type programs (PUPs). These programs deliver intrusive ads (coupons, banners, pop-ups, and so on) using tools that enable placement of third party graphical content on any site.

Therefore, displayed ads often conceal underlying website content, thereby significantly diminishing the browsing experience. In addition, intrusive ads often redirect to malicious websites and even execute scripts that download/install malware. Therefore, clicking them can result in high-risk computer infections. PUPs are also known to gather various information.

Although the list of collected data is typically much shorter as compared to information recorded by trojan viruses, it might still contain private details. Furthermore, PUP developers often sell collected data to third parties (potentially, cyber criminals) who generate revenue by misusing private information.

Therefore, the presence of data-tracking apps can also lead to serious privacy issues. We strongly recommend that you uninstall all adware-type applications immediately.

Threat Summary:
Name Adwind trojan (also known as AlienSpy, Frutas, JSocket, Sockrat, Unrecom, and jRAT).
Threat Type Trojan, Password stealing virus, Banking malware, Spyware
Detection Names Avast (Java:Malware-gen [Trj]), BitDefender (Trojan.GenericKD.41594129), ESET-NOD32 (A Variant Of Generik.BVQRECD), Kaspersky (HEUR:Backdoor.Java.QRat.gen), Full List (VirusTotal)
Symptoms Trojans are designed to stealthily infiltrate victim's computer and remain silent thus no particular symptoms are clearly visible on an infected machine.
Distribution methods Infected email attachments, malicious online advertisements, social engineering, software cracks.
Damage Stolen banking information, passwords, identity theft, victim's computer added to a botnet.
Malware Removal (Windows)

To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.
▼ Download Combo Cleaner
To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Although Adwind collects various information, not all trojans perform this function. Some simply open "backdoors" for other high-risk malware (typically, ransomware) to infiltrate the system. Nevertheless, trojans also have other dangerous functions. In fact, some viruses that infiltrate the system via trojans can cause even more damage than Adwind itself.

For example, ransomware might encrypt stored data and proliferate itself to other computers/servers that are connected to the same network. These chain infections can result in loss of valuable data (for example, imagine all files and backups of an engineering company being encrypted).

Adware-type apps, on the other hand, typically have no major differences. By offering "useful features", PUPs attempt to give the impression of legitimacy and trick users to install, however, rather than providing any real value for regular users, adware delivers intrusive ads and records various information. Most PUPs are designed only to help developers to generate passive revenue.

How did potentially unwanted programs install on my computer?

Criminals proliferate Adwind using spam emails, fake Adobe Flash Player updates, and the "bundling" method. Spam emails typically contain malicious attachments (e.g., JavaScript files, MS Office documents, etc.) that, once opened, execute scripts designed to download and install malware, whilst fake Flash Player updates are displayed by malicious websites.

These sites essentially state that the installed Flash Player is outdated and encourages users to download an update. Rather than downloading the update, however, users end up downloading and installing malware (in this case, Adwind trojan). "Bundling" is stealth installation of rogue executables together with regular software.

In many cases, this method is used to proliferate PUPs. Developers hide "bundled" programs within "Custom/Advanced" settings (or other sections) of the download/installation processes.

Many users rush these procedures and skip steps. In some cases, "bundled" malware is concealed and, thus, no matter how carefully you analyze the entire process, you will not be able to notice it.

How to avoid installation of malware?

To prevent these infections, be cautious when browsing the Internet and downloading/installing software. We strongly advise you to immediately delete emails received from suspicious/unrecognizable addresses and certainly NOT to open files attached to such emails.

It is also highly recommended that you keep installed applications up-to-date, however, since criminals proliferate malware via fake updaters, software should be renewed using implemented functions or tools provided by the official developer only.

In addition, carefully observe each window of the download/installation dialogs and opt-out of all additionally-included programs - if you are unable to do so, cancel the entire process. We also recommend that you download your software from official sources only, using direct download links.

Third party downloaders/installers are monetized using the "bundling" method and, thus, these tools should never be used. Having a legitimate anti-virus/anti-spyware suite installed is also paramount. The key to computer safety is caution.

Rogue behavior of Adwind trojan:

  • Collecting general system and user information
  • Collecting keystrokes
  • Managing SMS (Android OS)
  • Recording audio from the microphone
  • Stealing keys for cryptocurrency wallets
  • Stealing saved passwords and grabbing data from web forms
  • Stealing VPN certificates
  • Taking pictures and recording videos from the webcam
  • Taking screenshots
  • Transferring files

Update August 20, 2019 - Adwind's developers are promoting this trojan as "Malware-as-a-Service", which means that any wannabe cyber criminal can pay a subscription fee and start using this malware to generate revenue in illegal manner.

Additionally, this malware is being continually updated and its detection-evading capabilities have significantly improved (and will improve further) since its first release.

It has also been implemented with a feature that allows cyber criminals to employ infected machine's hardware to mine various cryptocurrencies (you can find more information regarding cryptomining trojans in this article).

Update May 20, 2020 - The recent outbreak of Coronavirus (Covid-19) has given cyber criminals a huge opportunity to generate revenue. They are using various methods (e.g., fake coronavirus-relating applications, fake websites, spam emails, etc.) to spread high-risk malware. Adwind is no exception.

One of the latest Coronavirus (Covid-19) email spam campaigns used to spread Adwind malware targets customers of various banks in India. As a rule, cyber criminals pretend to be bank employees and encourage recipients to open attachments that contain the list of safety measures that should be taken.

In some cases, users are asked to fill in the attachment (typically, disguised as Microsoft Excel document) by providing information necessary to mitigate the risks. One way or another, users are encouraged to open the attachment, which is a .jar file presented as a document.

Screenshot of a Coronavirus (COVID-19)-themed spam email which distributes Adwind virus:

Coronavirus (COVID-19) spam email spreading Adwind trojan

Text presented within:

Subject: Urgent - COVID measures monitoring template


As you may be aware, a circular dated March 16, 2020 on "COVID-19- Operational and Business Continuity Measures" was issued advising UCBs to take certain measures for ensuring business process resilience and manage the risks posed by the onset and spread of the Covid 19 pandemic. Likewise, certain regulatory measures had been announced on March 27, 2020 to mitigate the burden of debt servicing brought about by disruptions on account of COVID-19 pandemic and to ensure  the continuity of viable businesses.

2. Considering the critically of the situation, you are advised to submit the information sought in Sheet 1 of the enclosed template by EOD i.e. April 6, 2020.

3. Further, informationa s per Sheet 2 of the enclosed template may be submitted as and when effects of COVID 19 settle down and operations return to normal.

4. Kindly treat this as urgent.

Madan Chawla
DoS, Manager
RBI, Nagpur

Instant automatic malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Quick menu:

How to remove malware manually?

Manual malware removal is a complicated task, usually it's better to let antivirus or anti-malware programs do it automatically. To remove this malware we recommend using Combo Cleaner Antivirus for Windows.

If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here's an example of a suspicious program running on user's computer:

malicious process running on user's computer sample

If you checked the list of programs running on your computer, for example using task manager and identified a program that looks suspicious you should continue with these steps:

manual malware removal step 1 Download a program called Autoruns. This program shows auto-start applications, Registry and file system locations:

screenshot of autoruns application

manual malware removal step 2Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button.

Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button.

In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

windows 10 safe mode with networking

Video showing how to start Windows 10 in "Safe Mode with Networking":


manual malware removal step 3Extract the downloaded archive and run Autoruns.exe file.

extract autoruns.zip and run autoruns.exe

manual malware removal step 4In the Autoruns application click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure click the "Refresh" icon.

Click 'Options' at the top and uncheck 'Hide Empty Locations' and 'Hide Windows Entries' options

manual malware removal step 5Check the list provided by Autoruns application and locate the malware file that you want to eliminate.

You should write down it full path and name. Note that some malware hides their process names under legitimate Windows process names. At this stage it's very important to avoid removing system files. After you locate he suspicious program you want to remove right click your mouse over it's name and choose "Delete"

locate the malware file you want to remove

After removing the malware through Autoruns application (this ensures that the malware won't run automatically on the next system startup) you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the file of the malware be sure to remove it.

searching for malware file on your computer

Reboot your computer in normal mode. Following these steps should help remove any malware from your computer. Note that manual threat removal requires advanced computer skills, it's recommended to leave malware removal to antivirus and anti-malware programs.

These steps might not work with advanced malware infections. As always it's better to avoid getting infected that try to remove malware afterwards. To keep your computer safe be sure to install latest operating system updates and use antivirus software.

To be sure your computer is free of malware infections we recommend scanning it with Combo Cleaner Antivirus for Windows.

▼ Show Discussion

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Removal Instructions in other languages
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

QR Code
Adwind trojan QR code
Scan this QR code to have an easy access removal guide of Adwind trojan on your mobile device.
We Recommend:

Get rid of Windows malware infections today:

Download Combo Cleaner

Platform: Windows

Editors' Rating for Combo Cleaner:
Editors ratingOutstanding!

[Back to Top]

To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.