Virus and Spyware Removal Guides, uninstall instructions

AIC Contracting Email Virus

What is "AIC Contracting" email virus?

Our team has inspected this email and concluded that it is part of a malicious spam campaign. Cybercriminals use it to distribute Agent Tesla, a Remote Administration Trojan. Their goal is to trick recipients into executing a file extracted from the malicious attachment (an archive file).

   
CheckControl Adware (Mac)

What is CheckControl?

Our research team discovered CheckControl on new VirusTotal submissions. After launching this app on our test system, we found that CheckControl is an adware-type application belonging to the AdLoad malware family.

   
Xyz Ransomware

What is Xyz ransomware?

Found by our research team among new VirusTotal submissions, Xyz is a piece of malicious software within the ransomware classification. During analysis, we discovered that this ransomware encrypts data and renames the affected files.

On our test system, it appended a ".xyz" extension to the names of the encrypted files. For example, a file originally titled "1.jpg" appeared as "1.jpg.xyz", "2.jpg" as "2.jpg.xyz", etc. Afterwards, Xyz dropped a ransom note, "_Readme_.txt", onto the desktop.

   
Bbbw Ransomware

What is Bbbw?

Bbbw is the name of yet another malicious program belonging to the Djvu ransomware family, which we detected while reviewing new submissions to VirusTotal. Ransomware is designed to encrypt data and demand payment for decryption; Bbbw is no exception.

Once launched on our test machine, it encrypted files and appended a ".bbbw" extension to their filenames. For example, a file initially titled "1.jpg" appeared as "1.jpg.bbbw", "2.jpg" as "2.jpg.bbbw", and so forth. After the encryption process was completed, Bbbw created a text file named "_readme.txt" that contained the ransom note.

   
CABP Ransomware

What kind of malware is CABP?

CABP is ransomware that our team has discovered while analyzing malware samples submitted to VirusTotal. We found that it encrypts and renames (by appending the ".CABPRANSOM_ENCRYPTED" extension) files and displays a pop-up window containing a ransom note. The CABP ransomware was first discovered by MalwareHunterTeam.

An example of how CABP renames files: it changes "1.jpg" to "1.jpg.CABPRANSOM_ENCRYPTED", "document.txt" to "document.txt.CABPRANSOM_ENCRYPTED", and so forth.

   
Maiv Ransomware

What kind of malware is Maiv?

Our malware researchers have discovered the Maiv ransomware while analyzing malware samples recently submitted to VirusTotal. After testing the ransomware, we have learned that it belongs to the Djvu family. Maiv has three key qualities: it encrypts files, appends the ".maiv" extension to filenames, and generates a ransom note (creates the "_readme.txt" file).

Maiv renames a file named "1.jpg" to "1.jpg.maiv", "sample.png" to "sample.png.maiv", and so on. Its ransom note contains contact and payment information.

   
VirtualGuest Adware (Mac)

What is VirtualGuest?

Detected by our researchers on new submissions to VirusTotal, VirtualGuest is a rogue application. During analysis, we discovered this piece of software to be an adware-type app belonging to the AdLoad malware family.

   
Mp3fromyou.tube Ads

What kind of page is mp3fromyou[.]tube?

Mp3fromyou[.]tube is an untrustworthy website, which our research team found when inspecting rogue advertising networks. This site offers the illegal service of converting YouTube videos (via links) to downloadable MP3 audio files.

In addition to breaking copyright laws, visiting or using mp3fromyou[.]tube also poses certain threats. This website uses rogue advertising networks, which cause redirects to other suspicious and dangerous pages. Mp3fromyou[.]tube also asks visitors to allow its browser notifications, which it uses for ad spam.

   
Allcome Clipper Malware

What is Allcome Clipper?

Discovered by malware analyst 3xp0rt, Allcome is a clipper-type malicious program. Malware of this type targets cryptocurrencies by replacing clipboard (copy-paste buffer) data for outgoing transactions.

   
Wgbkr Ransomware

What is Wgbkr ransomware?

Discovered by our research team during a routine inspection of new submissions to VirusTotal, Wgbkr is a ransomware-type program.

When launched on our test machine, it encrypted files and appended a random character string and the ".wgbkr" extension to their filenames. For example, a file originally titled "1.jpg" appeared as "1.jpg.G5l-bEBAA2_yokQem-6iF0GEtBkwWQlFddPrnC-OzTX_UwuQzloTzfw0.wgbkr". This ransomware also created a ransom note named "isJD_HOW_TO_DECRYPT.txt".

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
