Varenyky virus removal guide
What is Varenyky?
Varenyky is the name of a trojan which operates as a spambot. It is known that this malicious software, if installed, records victim's screen when a website containing adult content (like pornography) is being visited. Same applies to some pages with keywords related to sex. Research shows that Varenyky mostly targets people who live in France.
It is known that to record screen Varenyky uses a downloaded FFmpeg executable. As we mentioned in our introduction, it starts recording process when a victim opens browser windows with titles that contain words such as "porn", "xxx", "sexe", "sexy", hardcore" and so on. This malware sends recorded videos to a Command and Control (C&C) server through a downloaded Tor client. It is very likely that cyber criminals who spread Varenyky might use recorded videos to blackmail people, in other words, to extract money from people using a form or blackmail called "sextortion". However, there is no information about any people who were already blackmailed and if there are any recorded videos, however, it might be only a matter of time. Another problem with Varenyky is that it used victim's computer to send spam (emails) to other people. Research shows that Varenyky sends emails to people who are customers of French ISP Orange. Received emails usually contain links that open various scam pages. For example, to pages that are designed to trick people into filling various surveys or to pages that encourage visitors to claim a prize (like iPhone X). However, it could be used to send sextortion campaigns too. Furthermore, cyber criminals can use Varenyky to download various programs on a victim's computer, for example, WebBrowserPassView or Mail PassView tools that could be used to steal passwords of browser and email accounts. Having such accounts stolen might lead to serious privacy problems, cyber criminals might get access to personal, sensitive emails that contain valuable, important information. If there is a reason to suspect that a computer is infected with Varenyky, then this spambot trojan should be removed from the system immediately.
|Threat Type||Trojan, Spambot, Screen recorder|
|Hoax||Cyber criminals send email that supposed to contain some invoice or bill.|
|Detection Names (53949248_facture-1.doc)||Arcabit (Trojan.Generic.D276ECFE), BitDefender (Trojan.GenericKD.41348350), ESET-NOD32 (VBA/TrojanDownloader.Agent.OAW), Kaspersky (HEUR:Trojan-Downloader.MSOffice.SLoad.gen), Full List (VirusTotal)|
|Payload||Varenyky might be used to install WebBrowserPassView or Mail PassView tools that could be used to steal passwords.|
|Symptoms||Trojans are designed to stealthily infiltrate victim's computer and remain silent thus no particular symptoms are clearly visible on an infected machine.|
|Distribution methods||Infected email attachments, malicious online advertisements, social engineering, software cracks.|
|Damage||Stolen banking information, passwords, identity theft, victim's computer added to a botnet.|
To eliminate Varenyky spambot our malware researchers recommend scanning your computer with Spyhunter.
Typically, people download and install programs like Varenyky unintentionally, in most cases they are being tricked into it. Unfortunately, Varenyky is not the only trojan out there, other examples are GozNym, HawkEye, TrickBot. Typically, cyber criminals use them to extract money from people or to generate revenue in any other way. For example, by stealing various logins, passwords, personal data and other sensitive details.
How did Varenyky infiltrate my computer?
It is known that cyber criminals distribute Varenyky through spam campaigns, they send emails with malicious files attached to them. One of the examples is a Microsoft Word document that is disguised as some bill ("facture") or invoice. Once opened, it asks for a permission to enable macros commands. Typically, MS Office documents do not enable them without user's permission. However, if such permission is given, then malicious document downloads and installs Varenyky spambot. However, since Varenyky targets people from France, it checks if the language configured in Windows is French. If not, then the attachment does not install any malicious software.
How to avoid installation of malware?
To avoid installation of Varenyky, it is required not to open files that are attached to irrelevant emails. In our example the file is named "53949248_facture-1.doc", however, the attachment which is used to spread Varenyky could have different names. One way or another, if an email is sent from unknown address, its context is irrelevant and it contains some attachment, then it should be ignored. Additionally, we recommend to use Microsoft Office versions that were created in (or after) year 2010. These versions have the "Protected View" mode which prevents installations of malware. If you believe that your computer is already infected, we recommend running a scan with Spyhunter for Windows to automatically eliminate infiltrated malware.
Malicious attachment distributing Varenyky:
Text presented in this document:
Ce document est protÈgÈ par Microsoft Word et nÈcessite une verification humaine.
Veuillez suivre les Ètapes suivantes.
1. Naviguez vers le message ìMode protÈgÈî et cliquez sur ìActiver la modificationî.
2. Une fois cette Ètape faite cliquez ensuite sur ìActiver le contenuî dans la mÍme zone pour lire ce document confidentiel, si vous ne voyez pas ce message cliquez sur "Activer les macros".
Screenshot of Command and Control server used by cyber criminals who distribute Varenyky:
Instant automatic removal of Varenyky spambot:
Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Spyhunter is a professional automatic malware removal tool that is recommended to get rid of Varenyky spambot. Download it by clicking the button below:
- What is Varenyky?
- STEP 1. Manual removal of Varenyky malware.
- STEP 2. Check if your computer is clean.
How to remove malware manually?
Manual malware removal is a complicated task, usually it's better to let antivirus or anti-malware programs do it automatically. To remove this malware we recommend using Spyhunter for Windows. If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here's an example of a suspicious program running on user's computer:
If you checked the list of programs running on your computer, for example using task manager and identified a program that looks suspicious you should continue with these steps:
Download a program called Autoruns. This program shows auto-start applications, Registry and file system locations:
Restart your computer into Safe Mode:
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.
Video showing how to start Windows 8 in "Safe Mode with Networking":
Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.
Video showing how to start Windows 10 in "Safe Mode with Networking":
Extract the downloaded archive and run Autoruns.exe file.
In the Autoruns application click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure click the "Refresh" icon.
Check the list provided by Autoruns application and locate the malware file that you want to eliminate.
You should write down it full path and name. Note that some malware hides their process names under legitimate Windows process names. At this stage it's very important to avoid removing system files. After you locate he suspicious program you want to remove right click your mouse over it's name and choose "Delete"
After removing the malware through Autoruns application (this ensures that the malware won't run automatically on the next system startup) you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the file of the malware be sure to remove it.
Reboot your computer in normal mode. Following these steps should help remove any malware from your computer. Note that manual threat removal requires advanced computer skills, it's recommended to leave malware removal to antivirus and anti-malware programs. These steps might not work with advanced malware infections. As always it's better to avoid getting infected that try to remove malware afterwards. To keep your computer safe be sure to install latest operating system updates and use antivirus software.
To be sure your computer is free of malware infections we recommend scanning it with Spyhunter for Windows.