Virus and Spyware Removal Guides, uninstall instructions

Contract Agreement Email Virus

What is Contract Agreement email virus?

In most cases, cybercriminals behind malspam campaigns impersonate legitimate companies, organizations, or other entities. They send emails that have some malicious file attached to them or contain a website link designed to download a malicious file.

Usually, their emails are disguised as important, urgent letters containing an invoice, purchase order, or some other document. In one way or another, their goal is to trick recipients into downloading and opening a malicious file designed to install malware on the operating system.

This malspam campaign is used to distribute Agent Tesla, a remote access trojan (RAT).

   
MMTA Ransomware

What is MMTA?

Ransomware is a form of malware that encrypts files and keeps them inaccessible unless a ransom is paid to the cybercriminals behind the attack. Usually, it encrypts files, modifies their filenames and displays a ransom note (or creates a file containing a ransom demanding message).

MMTA belongs to the Matrix ransomware family. This ransomware variant renames files by replacing their filenames with the morganbel23@yahoo.com email address and a string of random characters, and by appending the ".MMTA" extension.

For example, it renames a file named "1.jpg" to "[MorganBel23@yahoo.com].rZwor6yC-1TB2nfBH.MMTA", "2.jpg" to "[MorganBel23@yahoo.com].yLipe4tB-3OM4hbKF.MMTA", and so on. It creates the "#MMTA_README#.rtf" file as its ransom note.

   
Yourfirmif.biz Ads

What is the yourfirmif[.]biz site?

Yourfirmif[.]biz is a rogue website, which shares many similarities with tinhisearsh.club, centralheat.net, undwouldm.biz, and thousands of others. It operates by presenting visitors with dubious content and/or redirecting them to untrustworthy/malicious sites.

Users rarely enter webpages of this type intentionally; most get redirected to them by intrusive advertisements or installed PUAs (Potentially Unwanted Applications). These apps can infiltrate systems without user permission.

Following successful installation, PUAs can cause redirects, run intrusive advertisement campaigns, and collect browsing-related information.

   
Account Missing Or Incomplete Email Scam

What is the "Account Missing Or Incomplete" scam email?

"Account Missing Or Incomplete email scam" is the name of a phishing spam campaign. The term "spam campaign" defines a mass-scale operation during which thousands of deceptive emails are sent.

The letters distributed through this campaign claim that recipients' email accounts require an update due to missing/incomplete information. This spam campaign aims to promote a phishing website disguised as an email account sign-in page.

Information entered into this site is recorded and sent to the scammers behind these letters, thereby allowing them to steal the corresponding email accounts.

   
Tinhisearsh.club Ads

What is the tinhisearsh[.]club site?

Similar to centralheat.net, undwouldm.biz, thatthereis.biz, and thousands of others, tinhisearsh[.]club is a rogue website. This site is designed to load dubious content and/or redirect visitors to untrustworthy/malicious webpages.

Users typically access such websites via redirects caused by intrusive adverts or installed PUAs (Potentially Unwanted Applications). This software can infiltrate systems without user permission.

PUAs operate by causing redirects, running intrusive advertisement campaigns, and collecting browsing-related and sensitive data.

   
DELTA Ransomware

What is DELTA?

Ransomware is a type of malicious software that prevents victims from accessing their files by encrypting them and generates a note demanding ransom payment. DELTA ransomware belongs to the ransomware family called Dharma. Malware of this type commonly renames encrypted files by appending its extension.

DELTA renames files by appending the victim's ID, the delta@onionmail.org email address, and the ".DELTA" extension to their filenames. For example, it renames a file named "1.jpg" to "1.jpg.id-1E857D00.[delta@onionmail.org].DELTA", "2.jpg" to "2.jpg.id-1E857D00.[delta@onionmail.org].DELTA". DELTA displays a pop-up window and creates the "DELTAinfo.txt" file as its ransom notes.

   
Douarix Ransomware

What is the Douarix ransomware?

Douarix is the name of a ransomware-type program from the VoidCrypt malware family. This malicious program operates by encrypting data (rendering files inaccessible) and demands payment for the decryption (access recovery).

During the encryption process, files are renamed according to this pattern: original filename, cyber criminals' email address, unique ID assigned to the victims, and the ".Douarix" extension.

For example, a file initially titled "1.jpg" would appear as something similar to "1.jpg.[DouariX@tutanota.com][MJ-MI6098514372].Douarix" following encryption. After this process is complete, ransom notes ("Decrypt-me.txt") are dropped into affected folders.

   
Blocking (Aleta) Ransomware

What is the Blocking (Aleta) ransomware?

Blocking is an updated variant of the Aleta ransomware. This malware is designed to encrypt data and demand payment for the decryption tools. In other words, victims cannot access files affected by Blocking (Aleta) ransomware, and they are asked to pay to recover access to their data.

During the encryption process, files are appended with the cyber criminals' email address and the ".blocking" extension. For example, a file originally titled something like "1.jpg" would appear as "1.jpg.[avalona.toga@aol.com].blocking" following encryption.

After this process is complete, ransom notes ("!#_READ_ME_#!.inf") are dropped into compromised folders. Additionally, this malicious software changes the desktop wallpaper.

   
Centralheat.net Ads

What is centralheat[.]net?

Typically, web pages like centralheat[.]net are promoted via questionable advertisements, other untrustworthy websites, and potentially unwanted applications (PUAs). In other words, it is very uncommon for pages like centralheat[.]net to be visited by users on purpose.

When visited, they either open a couple of other questionable sites or load their own content, depending on the visitor's geolocation. It is worth mentioning that PUAs can be designed to collect various data and/or generate advertisements.

   
Paas Ransomware

What is Paas?

Ransomware is designed to make files inaccessible by encrypting them. As a rule, malware of this type renames files and generates a ransom note (or multiple ransom notes) as well.

Paas ransomware belongs to the ransomware family called Djvu. It renames encrypted files by appending its extension (".paas") to their filenames.

For example, it renames a file named "1.jpg" to "1.jpg.paas", "2.jpg" to "2.jpg.paas", "sample.jpg" to "sample.jpg.paas", and so forth. Like most ransomware variants, it creates a text file as its ransom note; Paas creates the "_readme.txt" file.

   
