Virus and Spyware Removal Guides, uninstall instructions

RokRAT Malware

What kind of malware is RokRAT?

RokRAT is the name of a Remote Administration Trojan (RAT). Cybercriminals use RATs to access infected computers remotely and perform malicious tasks. RATs allow them to achieve almost any objective on the infected system. Usually, RATs are used to drop additional payloads (inject other malware) or steal sensitive information.

   
888 RAT (Android)

What is the 888 RAT?

888 (also known as LodaRAT and Gaza007) is a Remote Access Trojan (RAT) targeting Android operating systems. Trojans of this type enable remote access/control over infected devices.

Initially, the 888 RAT's developers offered this piece of malicious software for sale as Windows OS (Operating System) malware. In 2018 the program was presented as an Android OS RAT builder, and later as one meant for Linux OSes. However, in 2019 a variant of the Android 888 RAT became available for free.

This RAT is associated with two cyber criminal groups: Kasablanka and BladeHawk. According to ESET's researchers, the latter is responsible for a cyber-espionage campaign targeting the Kurdish ethnic group and its supporters. The 888 RAT was proliferated under the guise of legitimate apps promoted in Facebook groups with pro-Kurd content.

At the time of writing, the accounts and posts spreading the 888 RAT have been removed. However, other proliferators and proliferation methods are not unlikely.

   
Carefully-to-remind.xyz Ads

What kind of page is carefully-to-remind[.]xyz?

After inspecting carefully-to-remind[.]xyz, we concluded that it is one of the deceptive websites running the "McAfee - Your PC is infected with 5 viruses!" scam. Creators of this page aim to trick visitors into believing that their computers are infected and purchasing antivirus software. Also, carefully-to-remind[.]xyz asks for permission to show notifications.

   
Iq20 Ransomware

What kind of malware is Iq20?

Iq20 is ransomware that belongs to the Dharma ransomware family. It encrypts files and appends the victim's ID, iq200@tutanota.com email address, and ".iq20" extension to filenames. It also shows a pop-up window and creates the "info.txt" file containing ransom notes. We discovered Iq20 while checking the VirusTotal page for recently submitted malware samples.

An example of how Iq20 renames files: it changes "1.jpg" to "1.jpg.id-9ECFA84E.[iq200@tutanota.com].iq20", "2.png" to "2.png.id-9ECFA84E.[iq200@tutanota.com].iq20", "3.exe" to "3.exe.id-9ECFA84E.[iq200@tutanota.com].iq20", and so forth.

   
Diamond Ransomware

What kind of malware is Diamond?

Diamond is ransomware: malware that encrypts files, making them inaccessible until they are decrypted with a tool purchased from the attackers. Diamond also replaces the names of encrypted files with random characters and appends the ".diamond" extension to filenames.

Additionally, Diamond drops the "HOW TO RECOVER ENCRYPTED FILES.TXT" file on the desktop. This text file contains a ransom note.

   
Protection-availability.xyz Ads

What kind of page is protection-availability[.]xyz?

While checking out suspicious websites, our researchers discovered the protection-availability[.]xyz rogue page. It runs scams, promotes spam browser notifications, and redirects visitors to different (likely unreliable/hazardous) webpages. Sites like protection-availability[.]xyz are typically accessed through others that use rogue advertising networks.

   
NativeLightning Adware (Mac)

What is NativeLightning?

Our researchers discovered NativeLightning during a routine inspection of new submissions to VirusTotal. After analyzing this application, we learned that it is advertising-supported software (adware) belonging to the AdLoad malware family.

   
Stally.click Ads

What kind of page is stally[.]click?

Stally[.]click is a rogue webpage that our research team found while investigating questionable websites. It operates by running scams, promoting browser notification spam, and redirecting users to different (likely unreliable or malicious) sites.

Pages like stally[.]click are most commonly accessed through redirects caused by sites that use rogue advertising networks.

   
NullMixer Malware

What is NullMixer?

NullMixer is a malicious program designed to cause chain infections and, as such, is classified as a dropper. This program has been observed infiltrating a wide variety of malware into infected devices, ranging from information-stealers to loaders. It is noteworthy that NullMixer is actively spread through "cracked" software download websites.

   
AbsoluteValue Adware (Mac)

What kind of application is AbsoluteValue?

AbsoluteValue is an untrustworthy application we discovered while inspecting deceptive websites (e.g., websites instructing visitors to update the Adobe Flash Player). While analyzing AbsoluteValue, we found that it generates unwanted advertisements. Thus, it has been concluded that AbsoluteValue is adware (advertising-supported application).

   
