Trojan.Downloader - How to remove

Trojan.Downloader is a label used by antivirus programs for a certain kind of malware. It is a trojan that downloads malware on the computer, saves it, and runs it. Trojan.Downloader is dangerous because it installs malware.

Most instances of Trojan.Downloader affect Windows computers. However, Mac, Android, and even Linux have examples of Trojan.Downloader that threaten their security.

Trojan.Downloader details:

Type of threat	Trojans that download and install other malware.
How Trojan.Downloader infects computers	Infected email attachments (documents with malicious macros), fake programs and updates promoted by misleading ads, fake installers available on file download sites.
Malware dropped by Downloaders	Adware, ransomware, spyware, banker trojans, remote access software, etc.
How to remove Trojan.Downloader	Restrict the infected computer’s internet connection, use an anti-malware program to scan the computer and remove Trojan.Downloader and any other malware (Spyhunter for PC, Combo Cleaner for Mac, Malwarebytes, others).

What is Trojan.Downloader

Definition

Trojan.Downloader, Trojan-Downloader, and Trojan/Downloader is a label and category for malicious programs used by many antivirus vendors. Trojan.Downloader is similar to Trojan.Dropper.

Trojans are malicious programs that infect computers by being disguised as safe files. Trojan.Downloader might be an infected email attachment, a bad file uploaded online, or an offer by a malicious ad that the victim downloads on their own, believing that the file is safe. Trojans spread by deceiving and manipulating their victims into installing the malware themselves.

Downloaders are malicious programs that download malware from the internet and then install and run it. Downloaders are similar to Droppers in that they infect the computer with new malware. But, unlike some Droppers, Downloaders need to access the internet to work. Downloaders might already know what malware to download, or they might be programmed to look for instructions first.

So, Trojan.Downloader infects a computer after the user is tricked into downloading a malicious file or visiting a malicious website. Then, it downloads, installs, and runs other malware. If your antivirus program stops and removed Trojan.Downloader, then it might have saved your from much bigger trouble. The Downloader might have been trying to download spyware, adware, ransomware, or any other dangerous software.

In a way, a Trojan.Downloader is not inherently harmful. It is malicious because it installs malware. And it is the malware that it installs that actually hurts the victims.

Examples

Not all files that are antivirus programs detect as Trojan.Downloader fit the definition perfectly. Some detections are not entirely accurate. Some trojans have multiple functions. It’s not always clear how to categorize malware. In some cases, Trojan.Downloader is the same as JS.Downloader and Trojan.Generic. Still, malware detections should always be taken seriously.

Malicious documents

Virustotal.com – this is an example of an infected document file, Doc. Such files may be detected as Trojan-Downloader.VBA.Agent, Trojan-Downloader.MSOffice, Trojan.VBA.Downloader, or similar. These documents contain malicious code in their macros. They trick people into allowing macros, then execute them, downloading malware.

Virustotal.com – this is a PDF. XLS (Excel files), EXE (executables), HTA (HTML-based apps), various scripts, and many other file types could be used. Even images can carry malicious code.

Some detection names for Trojan.Downloader include the name of the malware that is being downloaded, such as Downloader.Emotet and Trojan-Downloader.VBA.Emotet – Virustotal.com.

Trojan.Downloader on other operating systems

While the above examples attack Windows devices and most discussions about malware are about Windows, there are examples of macOS or OSX trojans, too. Shlayer is the most famous example of such a Trojan.Downloader – Virustotal.com. Shlayer is often disguised as Flash Player and it downloads adware.

I also saw a few examples of Linux and Android threats described as Trojan.Downloader. Antivirus vendors have categories for such malware (TrojanDownloader:Linux, Trojan.Downloader:Android, Android/TrojanDownloader, etc.) too, even if specific examples are, thankfully, scarce.

How it works

Malware dropped by Downloader

There are many types of malware that Trojan.Downloader can download:

• Spyware, Banker – programs that take screenshots, read data saved in online apps, log keystrokes, steal small files. They might also inject phishing pages into the web browser.
• Miner – uses the infected computer’s resources to make calculations for mining cryptocurrency (in this case, the attacker gets the coins).
• Clicker – uses the infected computer to perform advertising fraud by opening websites and clicking on their ads in the background.
• Adware – injects ads into the browser and changes browser settings to promote certain websites.
• Ransomware – encrypts (corrupts) files on the victim’s computer and network. Malicious actors then offer to fix the files in exchange for money.
• RAT – allows malicious actors to control the infected computer.

Trojan.Downloader may download multiple malicious programs. For example, Ransomware is often paired with Adware. A Banker may be paired with a RAT.

Many of the malicious programs dropped by Trojan.Downloader require internet access to work. If a Trojan.Downloader was detected on your computer, you should turn off that computer or at least disconnect it from the internet until you delete all the infections. Malware removal can be done offline, such as by scanning the infected drive from another computer.

Infection process

Unwanted installation

Malicious email attachments

To deliver Trojan.Downloader, infected email attachments are used often. Malicious actors create a generic email that looks like it carries important information: a bill, a document from work, an order confirmation, a personal picture, etc. However, the most important part is in the attachment. It can be of almost any file type but most likely it’s a Doc file.

Sometimes, antivirus programs detect and delete Trojan.Downloader repeatedly and constantly. Your antivirus program would show regular updates about having removed a threat. In this case, spam email is likely to be the culprit. New malicious spam being put in the inbox would trigger new malware detections.

Fake and infected installers

A file infected with Trojan.Downloader may also be uploaded on software download and torrenting sites. It is dangerous when someone expects the file they download to be detected by antivirus programs (for example, if they’re downloading a cracking tool). In this case, Trojan.Downloader could slip in without much resistance.

Trojan.Downloader may also be inside a fake software update. MacOS trojans use this method a lot, where Trojan.Downloader is disguised as a software update and then advertised online.

Automatic downloads

Malicious ads and exploit kits can automatically download Trojan.Downloader on the victim’s computer. But exploit kits work by abusing known exploits that are present in programs that are missing updates.

So, systems that don’t have new updates installed are more vulnerable to this sort of attack. Vulnerabilities can be removed by installing the updates that patch them.

Persistent malware

Some Trojan.Downloaders delete themselves after delivering the malware they were supposed to deliver.

Others remain installed and redownload malware if it is removed. Persistent trojans use clever tactics to avoid being removed. They can be very frustrating because they constantly put the computer in danger by downloading new infections.

How to remove Trojan.Downloader

Delete Trojan.Downloader

If Trojan.Downloader was detected on your computer, use an anti-malware program to remove it. Use a reputable antivirus tool that you trust. For example, Spyhunter for Windows, Combo Cleaner for macOS, Malwarebytes, and other programs. If one antivirus tool fails to detect or remove a particular Trojan.Downloader, contact the tech support of the antivirus program that you were using. Or use another program. You might need to start your computer in Safe Mode.

Stay safe

Knowing that Trojan.Downloader may have successfully downloaded and installed other malware, that malware needs to be found and deleted, too. Remove all traces of malicious items on your computer and continue to monitor it with antivirus tools.

After successfully removing Trojan.Downloader and other infections, consider changing the passwords for your online accounts. 2-step verification is also very important to turn on where possible. Even if malware was removed, if it stole any information (such as passwords saved by your browser or online apps), that info could still be abused.

Avoid future infections

To avoid Trojan.Downloader infections, the same advice as always applies:

• Programs should be allowed to install updates, if possible.
• Downloaded files should be scanned with anti-malware tools.
• Windows users should configure their operating systems to display file types.
• Malicious websites should be blocked by anti-malware programs.
• Unexpected emails should be treated with suspicion, attachments should be scanned.

Automatic Malware removal tools