Microsoft security software detects and removes this threat.

This threat can download other malware onto your PC.

Find out ways that malware can get on your PC.

What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

TrojanDownloader:Win32/Onkods is a small executable, usually between 6kB and 25kB in size, that downloads and runs other malware. 

We have seen it distributed with the file name IMG<10 digits>-JPG.scr, for example IMG1337019400-JPG.scr.

When run, TrojanDownloader:Win32/Onkods contacts a server, from which it can download other malware files. The file is saved to either %TEMP%, or the directory where Win32/Onkods is running from.

It then runs the downloaded file.

Examples of servers contacted by Win32/Onkods include:


We have seen Win32/Onkods downloading the following malware families:

Analysis by David Wood


The following could indicate that you have this threat on your PC:

  • You have this file:
    IMG<10 digits>-JPG.scr


Alert level: Severe
First detected by definition: 1.177.1634.0
Latest detected by definition: 1.177.1634.0 and higher
First detected on: Jul 04, 2014
This entry was first published on: May 07, 2014
This entry was updated on: May 08, 2014

This threat is also detected as:
  • Trojan/Win32.FakeAV (AhnLab)
  • Trojan.Win32.Badur.hgka (Kaspersky)
  • W32/Dloader.AH!tr (Fortinet)
  • Trojan.Win32.Badur (Ikarus)
  • Mal/DwnLdr-AH (Sophos)