Virus and Spyware Removal Guides, uninstall instructions

What is SARS-CoV-2?

Discovered by Jirehlov, SARS-CoV-2 is malicious software categorized as ransomware. This malware is designed to encrypt data and demand payment for decryption. When it encrypts, all affected files are appended with the ".SARS-CoV-2" extension.

For example, a file originally named something like "1.jpg" would appear as "1.jpg.SARS-CoV-2" following encryption. After this process is finished, a text file ("RECOVER MY ENCRYPTED FILES.TXT") containing the ransom message is dropped into every compromised folder.

What is Void?

Void (also known as VoidCrypt) is a malicious program classified as ransomware. Systems infected with this malware suffer data encryption and users receive ransom demands for file decryption. When this ransomware encrypts, all affected files are renamed according to this pattern: original filename, cyber criminals' email address, unique ID and the ".Void" extension.

For example, a file like "1.jpg" would appear as something akin to "1.jpg.[stevenxx134@gmail.com][ID-X2VBE84A6PZNQKW].Void" following encryption. After this process is complete, a ransom message is displayed in a pop-up window via the "Decryption-Info.HTA" file, which is dropped into every compromised folder.

What is PonyFinal?

Discovered by Jirehlov, and like many other programs of this type, PonyFinal is designed to block access to files by encryption, change their filenames and generate ransom messages. It renames each encrypted file by appending the ".enc" extension to the filename.

For example, it renames "1.jpg" to "1.jpg.enc", "2.jpg" to "2.jpg.enc", and so on. This ransomware drops a text file ("README_files.txt") containing a ransom message in every folder that contains encrypted files.

What is SystemSpecial?

SystemSpecial is a rogue app, classified as adware. It enables the placement of various intrusive ads on any visited website. Additionally, this application has capabilities typical of browser hijackers. SystemSpecial modifies browser settings and promotes Safe Finder via akamaihd.net.

Due to the app's dubious proliferation methods, it is also classified as a Potentially Unwanted Application (PUA). Most PUAs can track browsing-related data, which is also likely to be the case with SystemSpecial.

What is the "COVID-19 Part Time Employment Email Virus"?

There are many cases whereby cyber criminals attempt to take advantage of the Coronavirus (COVID-19) crisis by sending fraudulent emails. In this case, they spread an email with a file attached, which supposedly contains a list of employees who violated quarantine orders.

Scammers encourage recipients to open the attached file and check if they are on the list. If they do this, however, the file will install Agent Tesla, a Remote Access Tool (RAT), which is used to steal sensitive information. Therefore, whoever receives this email is strongly advised to leave the contents unopened.

What is Bug ransomware?

Bug ransomware was discovered by Jirehlov. Software of this type usually encrypts files, appends an extension to the filenames and creates and/or displays ransom messages. Bug renames encrypted files by adding the bugbugo@protonmail.com email address and appending the ".bug" extension to filenames.

For example, it renames "1.jpg" to "1.jpg.[bugbugo@protonmail.com].bug", "2jpg" to "2.jpg.[bugbugo@protonmail.com].bug", etc. It also places a file containing the ransom message ("Read_Bug.html") in every folder that contains encrypted data.

What is the "COVID 19 HELP DESK" email?

"COVID 19 HELP DESK" is the subject of a scam email designed to proliferate the Agent Tesla Remote Access Trojan (RAT).

This message attempts to exploit the Coronavirus/COVID-19 pandemic, claiming that the recipient has been chosen to receive a large sum of money from The World Health Organization (WHO) and United Nations (UN) to provide necessities for low-earning local individuals.

Additionally, this deceptive message asks recipients to provide their personal information. The Agent Tesla malware infection and the information extorted through the phishing attempt can be misused in a variety of ways and lead to especially severe issues.

What is ProgressSite?

ProgressSite is designed to serve advertisements, promote the Safe Finder web page via akamaihd.net, and collect sensitive information. Commonly, users download and install adware such as ProgressSite inadvertently. Therefore, these apps are categorized as potentially unwanted applications (PUAs). You are advised to uninstall all PUAs immediately.

What is "DHL Relief Email Virus"?

A popular way to spread malware is by sending emails that contain malicious attachments and/or website links that download rogue files. In most cases, these emails are disguised as important, official messages from well-known companies.

In this case, the scam is disguised as a message from DHL regarding 'relief materials' to organizations from the World Health Organization (WHO). Scammers behind this email attempt to trick recipients into opening an attached file, which is designed to spread Agent Tesla, a remote administration tool (RAT).

What kind of malware is Eject ransomware?

Eject belongs to the Phobos ransomware family. It encrypts files, changes their filenames, displays a pop-up window and creates a text file. Eject renames encrypted files by adding the victim's ID, cynthia-it@protonmail.com email address and appending the ".eject" extension to their filenames.

For example, it renames a file named "1.jpg" to "1.jpg.id[1E857D00-2833].[cynthia-it@protonmail.com].eject", "2.jpg" to "2.jpg.id[1E857D00-2833].[cynthia-it@protonmail.com].eject", and so on. Both the pop-up window ("info.hta") and text file "info.txt" contain instructions about how to contact Eject's developers and various other details.