
Could Your Computer Be Infected by Blackshades?


Here’s a list of possible indicators that your computer may be infected with Blackshades or similar remote access tool malware:

  • Mouse cursor moves erratically with no input from user;
  • Web camera light (if equipped) unexpectedly turns on when web camera is not in use;
  • Monitor turns off while in use;
  • Usernames and passwords for online accounts have been compromised;
  • Unauthorized logins to bank accounts or unauthorized money transfers;
  • Text-based chat window appears on your computer’s desktop unexpectedly;
  • Computer files become encrypted and ransom demand is made to unlock files.

Blackshades malware affects Microsoft Windows-based operating systems. If you believe you or someone you know may have a computer that is infected with this malware, search the computer’s hard drive for the following files that are known to be present on Blackshades-infected computers:

  • dos_sock.bss
  • nir_cmd.bss
  • pws_cdk.bss
  • pws_chro.bss
  • pws_ff.bss
  • pws_mail.bss
  • pws_mess.bss

To perform the above check, click the Start menu and type each file name in the search field. If the search yields positive matches for one or more of these files, the computer may be infected with Blackshades.

In addition to the above files being added to the computer’s hard drive, Blackshades also makes modifications to the Windows registry. The exact location may vary depending on the version of Microsoft Windows you’re using, but the following registry subkey is added:

  • Computer\HKEY_CURRENT_USER\Software\VBandVBA Program Settings\SrvID\ID\[string of letters and numbers]

To perform a check for this registry modification, take the following steps:

  1. Click the Start menu.
  2. Type “regedit” in the search field.
  3. Execute the Registry Editor (regedit.exe). If prompted, select “Yes” to allow the program to make changes to the computer.
  4. Select “Edit” from the window toolbar.
  5. Select “Find” from the Edit menu.
  6. Type “SrvID” in the Find field.
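
The two manual checks above (the file-name search and the registry search for “SrvID”) can also be scripted. The PowerShell below is an added example, not part of the original guidance; the function names are hypothetical, and it assumes the key sits under the current user’s HKEY_CURRENT_USER\Software hive as listed above.

```powershell
# Added example: scripted version of the two manual checks described above.
# The file names and the "SrvID" key name come from this page; function names are illustrative.

$indicatorFiles = @(
    'dos_sock.bss', 'nir_cmd.bss', 'pws_cdk.bss', 'pws_chro.bss',
    'pws_ff.bss', 'pws_mail.bss', 'pws_mess.bss'
)

function Find-IndicatorFiles {
    param([string[]]$Names, [string[]]$Roots)
    foreach ($root in $Roots) {
        # -Force includes hidden and system files; folders that deny access are skipped.
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $Names -contains $_.Name } |   # -contains is case-insensitive
            Select-Object FullName, Length, CreationTime, LastWriteTime
    }
}

function Find-SrvIdKeys {
    # Walk the current user's Software hive and report any key named SrvID.
    Get-ChildItem -Path 'HKCU:\Software' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'SrvID' } |
        ForEach-Object {
            [pscustomobject]@{
                Key     = $_.Name
                SubKeys = ($_.GetSubKeyNames() -join ', ')
            }
        }
}

# Search every fixed (hard) drive that is currently ready.
$roots = [System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady } |
    ForEach-Object { $_.RootDirectory.FullName }

$fileHits = @(Find-IndicatorFiles -Names $indicatorFiles -Roots $roots)
$keyHits  = @(Find-SrvIdKeys)

$fileHits | Format-Table -AutoSize
$keyHits  | Format-List

if ($fileHits.Count -or $keyHits.Count) {
    Write-Output "Possible indicators found: $($fileHits.Count) file(s), $($keyHits.Count) registry key(s)."
} else {
    Write-Output 'None of the listed file names or SrvID keys were found for this user.'
}
```

Because HKEY_CURRENT_USER is specific to each account, run the script while logged in as each user of the computer.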


Anyone who performs the above checks and gets positive results is encouraged to submit a complaint to the FBI’s Internet Crime Complaint Center. Please include the term “Blackshades” in the incident description section of the complaint.

And for assistance on removing Blackshades, please contact your Internet service provider, your antivirus software company, or another computer security professional.
