Virus and Spyware Removal Guides, uninstall instructions

What is AROS ransomware?

While looking through new malware submissions to VirusTotal, our researchers discovered the AROS ransomware-type program. Once we executed a sample of it on our test machine, this ransomware began encrypting files.

The filenames of the affected files were appended with a unique ID assigned to the victim, the cyber criminals' email address, and a ".ARS" extension. For example, a file originally titled "1.jpg" appeared as "1.jpg.[5d3e178db8].[luckyguys@tutanota.com].ARS". Afterwards, AROS created a ransom note - "How_to_decrypt_files.txt" - on the desktop.

What kind of page is ivonch[.]click?

We examined ivonch[.]click and found that this page promotes the "McAfee - Your PC is infected with 5 viruses!" scam. Also, it asks for permission to deliver notifications. Ivonch[.]click is a deceptive page that should be ignored and never allowed to show notifications.

What kind of page is catchlucksurvey[.]top?

Catchlucksurvey[.]top is a rogue website that was discovered by our researchers during a routine inspection of dubious pages. It promotes deceptive material, pushes spam browser notifications, and redirects visitors to different (likely untrustworthy/harmful) sites.

Users typically enter webpages akin to catchlucksurvey[.]top through redirects caused by sites using rogue advertising networks.

What is LegendDeploy?

Our researchers discovered the LegendDeploy rogue application while inspecting new submissions to VirusTotal. Following installation on our test machine, this app operated as adware. It is noteworthy that LegendDeploy is part of the AdLoad malware family.

What kind of application is Dark Reader for Chrome?

Dark Reader for Chrome is a browser extension promoted as a tool enabling users to use a dark theme for all websites. While testing this app, our team found that it displays annoying/intrusive advertisements. Apps that show ads are classified as adware. It is uncommon for adware to be downloaded and installed on purpose.

What kind of malware is Backshow?

Backshow is the name of ransomware that our malware researchers discovered while inspecting samples submitted to the VirusTotal. It encrypts files and appends the victim's ID, mail-backshow@my.com email address, and a random three-character extension to filenames. Also, it drops a ransom note (the "Restore_Your_Files.txt" file) on the desktop.

An example of how Backshow ransomware modifies filenames: it renames "1.jpg" to "1.jpg_[ID-ZKIDJ_Mail-backshow@my.com].NCA", "2.png" to "2.png_[id-2qhon_mail-backshow@my.com].ZO8", and so forth.

What is Buybackdate ransomware?

Buybackdate is a ransomware that our researchers found while checking out new submissions to VirusTotal. This malicious program belongs to the ZEPPELIN ransomware family.

After we executed a sample of Buybackdate on our test system, it encrypted files and appended their names with a ".bbd2.[victim's_ID]" extension. Therefore, a file on our test machine titled "1.jpg" appeared as "1.jpg.bbd2.1FE-964-099", and so on for all of the compromised files.

Following the completion of this process, Buybackdate dropped a ransom-demanding message - "ALL YOUR FILES ARE ENCRYPTED.txt" - onto the desktop.

What kind of page is lifetimedesktopdefence[.]online?

lifetimedesktopdefence[.]online is one of the deceptive websites designed to trick visitors into purchasing antivirus software. We examined this site and learned that it runs the "Norton Security - Your PC might be infected with viruses!" scam. Our team discovered lifetimedesktopdefence[.]online while inspecting shady websites and advertisements.

What is "Werth Messtechnik" email virus?

After investigating this email, we found that it is written by cybercriminals who seek to trick recipients into infecting their computers. This email is disguised as a letter from the Werth company regarding payment confirmation. Threat actors use this email to lure recipients into opening a malicious attachment.

What is "Norton - Your Phone May Be Receiving Many Spam Texts"?

While investigating suspicious websites, our researchers found one running the "Norton - Your Phone May Be Receiving Many Spam Texts" scam. It is presented as an alert from the Norton anti-virus. The fake notification warns that the visitor's phone may be receiving spam and all data might be lost from their computer - if they do not take action.

It must be emphasized that this scam is in no way associated with either the Norton AntiVirus or its developer - NortonLifeLock.