Short bio

Trojan.Kovter is Malwarebytes’ detection name for a family of malware that has many faces and targets Windows systems.

Type and source of infection

The main variants of Trojan.Kovter are aimed at performing ad fraud and are hard to detect and remove, as they use fileless infection methods.

Kovter usually arrives in mail attachments as a Macro in a Word document file. When activated, the Macro downloads a file that creates a PowerShell command stored in the registry to gain persistence. Then the randomly named file deletes itself.


Malwarebytes protects users from Trojan.Kovter by using real-time protection.

block Trojan.Kovter

Malwarebytes blocks Trojan.Kovter

Home remediation

Most of the time, Malwarebytes can detect and remove Trojan.Kovter without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click MBSetup.exe and follow the prompts to install the program.
  3. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  4. Click on the Get startedbutton.
  5. Click Scan to start a Threat Scan.
  6. Click Quarantine to remove the found threats.
  7. Reboot the system if prompted to complete the removal process.

In some cases, Malwarebytes Anti-Rootkit BETA is needed to find and delete the malicious registry key.

Business remediation

How to remove Trojan.Kovter with the Malwarebytes Nebula console

You can use the Malwarebytes Anti-Malware Nebula console to scan endpoints.

endpoint menu Nebula endpoint tasks menu

Choose the Scan + Quarantine option. Afterwards you can check the Detections page to see which threats were found.

Nebula detections

On the Quarantine page you can see which threats were quarantined and restore them if necessary.

Nebula Quarantaine

Select your language