Click on screenshot to zoom
Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Normal system programs crash immediatelly
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel


RMS RAT is a Trojan that targets systems with a particular vulnerability discovered in 2017. Apparently, if the malware manages to get in, its creators could take control over an infected device. This could allow the cybercriminals behind this Trojan to install more malicious applications on a system. Also, the threat may enable hackers to access user’s files, which means it could be dangerous not only to a computer but also to its user’s privacy. Naturally, if you suspect this malicious application could be on your system, we highly recommend eliminating it as fast as possible. The instructions available below show how to remove RMS RAT manually, but if you are an inexperienced user, keep in mind, it might be easier to leave this task to a reputable antimalware tool instead. As for learning all essential details about the malware, you should continue reading this article. Plus, if you have any questions afterward, you could leave us messages at the end of this article.

First things first, our specialists believe the Trojan could be distributed through emails. It means RMS RAT’s installer could be sent to potential victims with email attachments. Needless to say, it is never a good idea to open files sent by unknown people, especially if they claim you have to open attacked data quickly or something terrible may happen. Usually, cybercriminals use this tactic to scare their victims into opening malicious launchers. Of course, the files do not have to be necessarily attached to a malicious email as they could be available through a link provided in a message.

Another thing we would recommend if you want to keep away from threats like RMS RAT is always to verify whether the sender’s line is not forged. Hackers can pretend to be working for numerous popular companies and to make it look convincing, they can come up with email addresses that might look similar to the ones used by original companies. However, if you search for the company’s contacts on the Internet, you should be able to verify whether the sender’s email address is legit or forged. Additionally, we advise taking a closer look at the message too, as sometimes malicious emails may contain grammar mistakes and similar warning signs.

Moreover, it is vital to know that even if you open a file carrying RMS RAT, it may not necessarily be able to settle in. Our researchers say that the malicious application gets in while exploiting a particular vulnerability in Microsoft Office/WordPad called CVE-2017-0199. To be more precise, this weakness was discovered only in older Microsoft Office/WordPad version that was available two years ago. The problem has been fixed since then, so anyone who updated their Microsoft Office/WordPad and does no longer use the version that was available back in 2017, should be safe. If for any reason you have not updated your system or Microsoft Office/WordPad particularly, we recommend doing it as fast as possible to make sure your computer will not be vulnerable to RMS RAT.

At this point, we should explain what could happen if the Trojan manages to enter your system. According to Microsoft’s description on the earlier mentioned vulnerability, malicious applications that successfully exploit it might be able to take control over an infected device. Thus, threats like RMS RAT might enable hackers to install new programs, create new accounts with full user rights, as well as change/view/delete files located on a system. No doubt, such actions could cause a lot of trouble for the malware’s victims, which is why it is best to remove RMS RAT as fast as possible.

It would seem the Trojan settles in by creating a randomly named .tmp file in the %HOMEDRIVE% directory and a randomly called .vbs file in the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup location. The second file is needed to allow the malicious application to restart with the operating system, so rebooting a computer would not make any difference. To eliminate RMS RAT manually it is crucial to delete both of the mentioned files, and the instructions available at the end of this paragraph can tell you how to get rid of them manually. To make sure the malicious application gets deleted, we recommend scanning the system with a reliable antimalware tool of your choice. Of course, if you do not want to eliminate the threat manually, you could scan your computer with your chosen antimalware tool instead of following our provided instructions.


  1. Click Ctrl+Alt+Delete.
  2. Choose Task Manager and select Processes.
  3. Find a process belonging to the threat.
  4. Mark it and click End Task.
  5. Exit Task Manager.
  6. Click Win+E.
  7. Find this directory:
  8. Find a malicious randomly named .tmp file, right-click it, and select Delete.
  9. Locate this path:
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  10. Search for the threat’s created .vbs file with a random title, right-click it, and select Delete.
  11. Close File Explorer.
  12. Empty Recycle Bin.
  13. Restart the computer.
Download Spyware Removal Tool to Remove* RMS RAT
  • Quick & tested solution for RMS RAT removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.