What is LookBack?

A few utility companies in the US received phishing emails back in July. It is now known that the attacks were set up to spread LookBack, a malicious remote access Trojan (RAT) capable of deleting files, executing commands, and stealing information. It is possible that the threat could target companies in different sectors next, and that is why it is important to look at it closer. Without a doubt, systems that are infected with this malware need to be cleaned as soon as possible. Here at Anti-Spyware-101.com, we focus on the removal of malware, and while we can show how to remove LookBack, it is just as important to discuss the activity of malware and the overall security of the operating system. If you are interested in this, please continue reading, and do not forget that you can always share your questions in the comments area below.

How does LookBack work?

Trojan.LookBackRAT is spread using misleading email messages. On at least one occasion, the attackers behind this malware tried impersonating the NCEES (National Council of Examiners for Engineering and Surveying), and they even created a similar-looking domain name (nceess[.]com) to trick the recipients of the bogus messages into thinking that they are real. The goal behind these messages is to convince the victim to open an attached file. Visually, this file looks like a harmless Microsoft Word file (.doc), and so most recipients are unlikely to think that opening it could be risky. The problem is that once the file attachment is clicked, the target is asked to enable macros. This VBA macros is used to install and run the malicious LookBack Trojan, and so macros must NOT be enabled. Macros should be disabled by default, so that pop-ups asking to enable it would be shown. That is a precautionary measure. When a pop-up shows up asking to enable macros, the user needs to think very carefully if the file is harmless and if the sender can be trusted. If the scam works, malware is executed, and serious havoc can be wreaked before it is removed.

According to our research team, once LookBack is executed, it should be installed in the %PUBLIC% directory. From here, the malicious Trojan can check for running processes, read file data, delete files, run commands sent using C&C communication (C&C host is, capture screenshots, control the mouse, and, eventually, remove itself from the machine. Essentially, LookBack is used to spy on users, and once it gathers all of the intended data, it can disappear. That way, the victims might remain unaware about the attack and the leak of sensitive information. Unfortunately, the successful invasion of this malware can be detrimental to the affected company. For example, if cyber attackers manage to obtain sensitive information, their customers and partners could lose trust, the company’s functionality could halt, and, of course, money could be lost as a consequence. Furthermore, after the attack, the affected company might have to spend lots of money to overhaul security systems and implement necessary security tools. Due to this, it is most important to prevent malware from invading the system in the first place.

How to remove LookBack

LookBack is a vicious infection that can enter without notice, create a huge mess, and then remove itself. Theoretically speaking, this malware could be undetected, and the victims might suffer consequences without ever finding out the cause. Although this Trojan is known to have targeted US-based utility companies specifically, the targets of cyber criminals could change, and it is always possible that regular users could fall under fire as well. Therefore, whether you are an individual home user or an employee at a large company, you need to take appropriate security measures to prevent malware from slithering in. Since this Trojan specifically uses spam emails to enter systems, our best advice is to stay away from suspicious and unexpected email messages. It is also extremely important to employ reliable anti-malware software that could ensure reliable protection against malicious threats. Install this software now if you suspect that malware has invaded your system. It will automatically delete LookBack.

Removal Instructions

  1. Locate the .doc file that the attackers use to conceal the infection.
  2. Right-click and Delete the malicious file.
  3. Tap Win+E keys to launch Windows Explorer.
  4. Enter %PUBLIC% into the quick access field at the top.
  5. Right-click and Delete all suspicious files.
  6. Empty Recycle Bin and then quickly perform a full system scan to check for Trojan’s leftovers. 100% FREE spyware scan and
    tested removal of LookBack*

Leave a Comment

Enter the numbers in the box to the right *