Virus and Spyware Removal Guides, uninstall instructions
What kind of scam is "$SHIRO Rewards"?
During our investigation of the page (enter-shirocoin[.]com), we determined that it is a fraudulent site designed to imitate shirocoin.io. Created by scammers, its purpose is to steal cryptocurrency from unsuspecting users. Individuals should avoid interacting with the site to protect their assets and avoid financial loss.
What kind of email is "Re-Activate Your Mailbox Address"?
Our inspection of the "Re-Activate Your Mailbox Address" email revealed that it is spam. This message states that the recipient must reactivate and verify their account to prevent deactivation. Users deceived into attempting to fix this fake issue are lured into entering their email log-in credentials into a phishing website.
What is DroidBot?
DroidBot is a Remote Access Trojan (RAT) targeting Android users. It can monitor the user interface, log keystrokes, and perform hidden VNC and overlay attacks. It employs dual-channel communication, sending data via MQTT and receiving commands over HTTPS for improved flexibility and resilience.
What kind of email is "Procedure To Update And Keep Your Email Password"?
After examining the "Procedure To Update And Keep Your Email Password" message, we determined that it is spam. It claims that the recipient's account password will expire soon and must be updated. The goal of this spam mail is to lure users into visiting a phishing website that targets email log-in credentials (passwords).
What kind of malware is AllCiphered?
Our researchers discovered the AllCiphered ransomware while reviewing new file submissions to the VirusTotal platform. This program is part of the MedusaLocker ransomware family. Malware within this classification encrypts data and demands payment for the decryption.
On our testing system, AllCiphered encrypted files and added a ".allciphered70" extension to their titles. Hence, an original filename such as "1.jpg" appeared as "1.jpg.allciphered70", "2.png" as "2.png.allciphered70", etc. It is noteworthy that the number in the extension might differ depending on the AllCiphered variant.
Once the encryption process was completed, this ransomware created a ransom-demanding message in an HTML file titled "How_to_back_files.html".
What kind of page is overedishlear[.]com?
Overedishlear[.]com is a rogue webpage discovered by our researchers during a routine investigation of untrustworthy sites. Upon inspection, we determined that this page promotes spam browser notifications and redirects users to different (likely questionable/malicious) websites.
Most visitors enter overedishlear[.]com and similar webpages via redirects generated by sites that employ rogue advertising networks.
What kind of page is alertsphere[.]top?
While inspecting suspicious websites, our researchers found the alertsphere[.]top rogue page. It operates by promoting browser notification spam and generating redirects to different (likely unreliable/dangerous) sites.
Users primarily access webpages like alertsphere[.]top through redirects caused by websites that utilize rogue advertising networks.
What kind of malware is Zephyr Miner?
Zephyr Miner is a piece of malicious software classified as a cryptocurrency miner. This malware is designed to mine (i.e., generate) the Zephyr (ZEPH) cryptocurrency for the attackers. Zephyr Miner is a sophisticated cryptominer that exhibits anti-detection and persistence-ensuring capabilities.
What kind of malware is SMOK?
SMOK is a malicious program within the ransomware category. Malware of this kind encrypts data in order to demand payment for the decryption. Many ransomware-type programs also rename the encrypted files. There are several variants of SMOK.
This program appends a unique ID assigned to the victim, the attackers' email address, and an extension to the filenames of affected files. The extensions differ between variants; known ones include: ".SMOK", ".ciphx", ".MEHRO", ".SMOCK", and ".CipherTrail".
For example, on our test machine, the ".SMOK" variant renamed a file originally titled "1.jpg" to "1.jpg.[9ECFA84E][Smoksupport@cloudminerapp.com].SMOK". Once the encryption process was completed, SMOK created ransom notes in a pop-up window and text file named "ReadMe.txt".
What is the fake "SyncAI Wallet Connection" website?
While browsing suspicious websites, our researchers discovered this "SyncAI Wallet Connection" scam on blockchainmiddleware.pages[.]dev (note that it could be hosted elsewhere).
It imitates the SyncAI platform (syncai.network), yet the scheme bears no association with it or any other existing projects and entities. "SyncAI Wallet Connection" is a phishing scam that targets cryptocurrency wallet log-in credentials.