WinShell Trojan Detection

critical Nessus Plugin ID 106629


The remote host has been compromised.


This host seems to be running WinShell. WinShell is a Trojan horse that allows an intruder to take control of the remote computer.

An attacker may use it to steal your passwords, modify your data, and prevent you from working properly.


Remove any instances of the WinShell Trojan and conduct a forensic examination to determine how it was installed and whether other unauthorized changes were made. Reinstall your system and restore it from known clean backups.

Plugin Details

Severity: Critical

ID: 106629

File Name: winshell.nasl

Version: 1.3

Type: remote

Family: Backdoors

Published: 2/6/2018

Updated: 4/27/2020

Supported Sensors: Nessus

Risk Information


CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C


CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H