Microsoft Visual Studio and BackDoor.Dandle.5


Initially, this mini-investigation was published on peek-a-boo, but having received a response from the audience, reading diagonally, having no constructive and loving only cats, did not understand my message (although the post was written in a light style), I decided to share it here, while cutting out the “water and adding data.


  1. Found BackDoor.Dandle.5 in ServiceHub.RoslynCodeAnalysisServiceS.exe which is a component of MS VS 2019.

  2. Reported to Microsoft Support.

  3. Taken to work with the promise of feedback and clarification of the circumstances.

  4. Ticket closed after a week due to “Phishing attempt via feedback form”.

  5. For two months, I again tried to reach out to support, but I simply did not receive a response.

How it all began

On a typical weekday evening, sipping coffee and thinking about the next task, I find a connection to the desktop and interception of cursor control.

In a hurry, I turn off the Wi-Fi connection and start thinking. Antimalwarebytes was silent as a fish, and the Windows logs did not record anything suspicious. That evening, I wished that there was no traffic analyzer at all (and I hadn’t thought about the need for it before).

Problem Analysis

First of all, the Dr.Web cureit! cleaner was downloaded from another computer! and launched for scanning.

The result surprised me: BackDoor.Dandle.5 was found in the ServiceHub.RoslynCodeAnalysisServiceS.exe file. Which is a component of Microsoft Visual Studio 2019 IDE version 16.11.21

Scan result

Scan result

After reading information about this disease, the question arose whether this problem could be widespread or limited only to me. Unfortunately, the Internet did not give me an answer to this question, so this analysis was given in the office and the results were obtained, unfortunately disappointing.

One of the scan results of office PCs

One of the scan results of office PCs

Version "infected" studios

Version of the “infected” studio

In the vast majority, in versions 16.11.16, 16 11.18, 16.11.21, the problem occurred, and in versions 16.11.09 and below, the problem was not observed, other versions were not checked.

No backdoor was found in MS VS 2012 and 2022, this was confirmed by several caring peekaboo users, as well as MS VS 2019 version 16.11.05


Unfortunately, it was not so easy to solve it, there are several reasons for this:

1) the backdoor is detected by the cleaner only when the IDE itself is running and an attempt to check it on Virustotal is unsuccessful, even the doctor himself is silent

2) An attempt to kill him, move him, replace him with uninfected files, was unsuccessful, he objected again and again like a phoenix.

Only a complete rollback to version 11.16.09 helped, I don’t consider it ideal, but, unfortunately, I no longer had the strength to fight it.

Contacting support

Usually we are accustomed to scold those. support of our services, but those. Microsoft’s support with its attitude was able to kill even the berries.

Firstly, it is carried out strictly by subscription, if you have a community, then most likely you won’t even be able to write to anyone, you can see for yourself or I don’t know what.

Then it was decided to log in from the side of the absence of an account login, since when I tried to log in, I threw out an error 715-123150.

After a couple of days, the work of the cabinet really recovered, but they refused to name the reason for its blocking, left it on their conscience and tried to find out the source of the main problem

Then everything is standard, we asked for details:

The letter described in detail the detection steps, the methods of struggle that I tried to use, and also attached to the infected files attached, the operator was warned. Strange began further when, with some periodicity, I began to receive messages that the ticket would be closed, due to the lack of details on my part.

As it turned out, with every attempt to send a file, for some reason, letters from Microsoft flew to the spam folder, that the letter was not delivered, due to suspicious files in the letter.

Then I requested alternative ways to send files, but I was added to the white list and after that the letter was delivered to the final recipient.

The information was sent, we are waiting for the result and .. after a while we get a letter of happiness that the ticket was closed due to “phishing attempt when using the feedback form.”

I have not experienced such surprise and resentment for a long time. Then there were many attempts to dispute, contact support, including through the chat on the official website and find out at least something.

I will not give all the messages, I wrote to different addresses, both as part of one letter with copies indicated, and separately.

As you understand, since the article is here, the problem is relevant and I would like to share it, as well as get more results.


I would like to understand the scale or lack of it.

For this, I kindly ask all concerned comrades, if possible, to take a little time and check their IDEs and, if the problem is really widespread, then find a method to solve it, since we are unlikely to get help from technical support.

Answers to frequently asked questions:

1) the home computer and the office network are neither physically nor virtually connected, the infection option between them is impossible;

2) the office has a sandbox, ME and other means of protection, but as I said earlier, a virus can only be detected during debugging (and sometimes when the IDE is running).

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *