Virus and Spyware Removal Guides, uninstall instructions

What kind of malware is Worry?

Worry is one of the ransomware variants belonging to the Phobos family. It encrypts data, modifies filenames of all encrypted files, and creates two ransom notes ("info.hta" and "info.txt"). Our malware researchers discovered Worry while checking the VirusTotal for recently submitted samples.

Worry ransomware appends the victim's ID, d0ntw0rry@cyberfear.com email address, and the ".worry" extension to filenames. For instance, it renames "1.jpg" to "1.jpg.id[1e857d00-2994].[d0ntw0rry@cyberfear.com].worry", "2.png" to "2.png.id[1e857d00-2994].[d0ntw0rry@cyberfear.com].worry", and so forth.

What is kind of email is "Contract Document"?

We have examined this email and concluded that it is sent by scammers who aim to trick recipients into providing sensitive information on a phishing website. It is disguised as a letter regarding some contract document shared with recipients. This email should be marked as spam and deleted.

What kind of malware is Demon?

Demon is the name of an information stealer. It is a rebranded version of the Luca stealer. Demon is written in Rust programming language. It exfiltrates stolen sensitive information via Telegram. This malware should be eliminated from infected computers as soon as possible.

What kind of malware is Sunjun?

Sunjun is ransomware that encrypts files and modifies their filenames. Also, it drops the "Read.txt" text file to provide contact information. Sunjun is part of the VoidCrypt ransomware family. We discovered it while examining malware samples submitted to VirusTotal.

Sunjun appends the victim's ID, sunjun3412@mailfence.com email address, and ".Sunjun" extension to filenames. For instance, it renames "1.jpg" to "1.jpg.[CW-AR9583604271](sunjun3412@mailfence.com).Sunjun", "2.png" to "2.png.[CW-AR9583604271](sunjun3412@mailfence.com).Sunjun", and so forth.

What kind of website is authenticguarding[.]com?

We have inspected authenticguarding[.]com and learned that it displays deceptive messages to trick visitors into believing that their computers are infected. Authenticguarding[.]com runs the "McAfee - Your PC is infected with 5 viruses!" scam. This site uses deceptive marketing to promote legitimate software.

What kind of page is expocaptcha[.]top?

While examining expocaptcha[.]top, we have found that it shows a deceptive message to trick visitors into agreeing to receive notifications. We have discovered expocaptcha[.]top while inspecting pages that use shady advertising networks. Users do not visit sites like expocaptcha[.]top on purpose.

What kind of malware is Black Hunt?

Black Hunt is ransomware that blocks access to files by encrypting them, modifies filenames of all encrypted files, changes the desktop wallpaper, and drops "#BlackHunt_ReadMe.hta" and "#BlackHunt_ReadMe.txt" files (ransom notes).

Black Hunt appends the victim's ID, sentafe@rape.lol email address, and the ".Black" extension to filenames. For instance, it renames "1.jpg" to "1.jpg.[nnUWuTLm3Y45N021].[sentafe@rape.lol].Black", "2.png" to "2.png.[nnUWuTLm3Y45N021].[sentafe@rape.lol].Black", and so forth.

What kind of malware is Magic?

While examining samples submitted to VirusTotal, our malware researchers discovered Magic ransomware. We have found that this ransomware belongs to the Phobos family. Magic encrypts data, and appends the victim's ID, midnight@email.tg email address, and the ".magic" extension to filenames.

Also, Magic drops two ransom notes: "info.hta" and "info.txt". An example of how Magic renames files: it changes "1.jpg" to "1.jpg.id[9ECFA84E-3437].[midnight@email.tg].magic", "2.png" to "2.png.id[9ECFA84E-3437].[midnight@email.tg].magic", and so forth.

What kind of page is venadvonline[.]com?

We have examined venadvonline[.]com and found that it is a shady website designed to lure visitors into allowing it to show notifications. Venadvonline[.]com uses a clickbait technique to receive permission to show notifications. Also, venadvonline[.]com redirects to other untrustworthy web pages.

What is "TESCO Loyalty Program" pop-up scam?

We have examined this scam and determined that it is a survey scam used to trick visitors into providing personal information and (or) transferring money. The page running this scam is disguised as a survey held by Tesco - a groceries and merchandise retailer. People who fall for such scams never receive any prizes.