Virus and Spyware Removal Guides, uninstall instructions
What is Dharma (.WHY)?
Discovered by Raby, Dharma (.WHY) is a malicious program, which is part of the Crysis/Dharma ransomware family. Systems infected with this program have data encrypted and users receive ransom demands for decryption.
When Dharma (.WHY) encrypts, compromised files are renamed following this pattern: original filename, victim's unique ID, cyber criminals' email address and the ".WHY" extension. For example, a file such as "1.jpg" would appear as "1.jpg.id-1E857D00.[mr.crypteur@protonmail.com].WHY" after encryption.
Once this process is complete, a text file ("FILES ENCRYPTED.txt") is created on the desktop and a pop-up window is displayed.
What is Parrot?
Parrot is malicious software belonging to the Dcrtr ransomware family. It operates by encrypting data and demanding payment for decryption tools. When Parrot malware encrypts, all affected files are appended with the developer's email address and the ".parrot" extension.
For example, a file such as "1.jpg" might become similar to "1.jpg[cryptonationusa@protonmail.com].parrot". After this process is complete, a ransom message ("ReadMe_Decryptor.txt") is dropped onto the desktop.
What kind of malware is Ragnar Locker?
Ragnar Locker is ransomware-type software designed not only to encrypt data but also to terminate installed programs commonly used by managed service providers (such as ConnectWise and Kaseya), as well as various Windows services. This ransomware renames encrypted files by appending an extension, which contains "ragnar" and a string of random characters.
For example, it will rename a file named "1.jpg" to "1.jpg.ragnar_0DE48AAB", and so on. It also creates a ransom message in a text file, the name of which contains the same string of random characters as the appended extension. In this case, the ransom message would be named "RGNR_0DE48AAB.txt".
What is "Flash Player Update Download New Version"?
"Flash Player Update Download New Version" is a deceptive pop-up displayed by various scam websites. When sites running this scam are accessed, visitors are offered download/installation of fake Flash Player updates. Note that bogus updaters are commonly used to infiltrate systems with untrusted or malicious content.
The "Flash Player Update Download New Version" scheme has been observed promoting browser hijackers (e.g. SearchMine) and adware (e.g. MediaDownloader and MyCouponsmart) via fake update installers. However, other dubious or malicious software (e.g. trojans, ransomware, etc.) might also be installed through these bogus updates.
The updaters promoted by "Flash Player Update Download New Version" often originate from the Bundlore family. Most visitors to deceptive/scam web pages access them inadvertently through redirects caused by intrusive ads or Potentially Unwanted Applications (PUAs) already installed on the system.
What is Razor?
Discovered by dnwls0719, Razor is part of the Garrantydecrypt ransomware family. Like many other programs of this type, Razor is designed to encrypt files (rendering them unusable/inaccessible), modify filenames, create ransom messages and change desktop wallpapers.
Razor renames files by appending the ".razor" extension to filenames. For example, it renames "1.jpg" to "1.jpg.razor", and so on. It also creates a ransom message within a text file named "#RECOVERY#.txt". This file contains instructions about how to contact Razor's developers (cyber criminals) and other details.
What is "Dear user, congratulations!"?
"Dear user, congratulations!" is one of many scam websites used to trick visitors into believing that they have won a prize, can receive a gift, and so on. In this particular case, visitors are informed that they have won a mobile telephone and can claim it by completing a survey.
As with many other scams, however, this one attempts to deceive visitors into providing personal information. People are also asked to transfer a small sum of money. We strongly recommend that you ignore these websites and, more importantly, do not provide any information.
What is Getprizes?
Getprizes is a group of scam websites. Their behavior is varied, yet these sites are primarily designed to display deceptive content and/or generate redirects to other scam pages.
It has been noted that "Dear Chrome User, Congratulations!" and "Latest version of Adobe Flash Player" scams are commonly promoted by Getprizes web pages. However, it is possible that other untrusted or malicious websites can be accessed through Getprizes.
Typically, visitors to these web pages do not access them intentionally - they are redirected by intrusive advertisements or Potentially Unwanted Applications (PUAs) already infiltrated into the system.
What is "PETRONAS Email Virus"?
PETRONAS is a spam campaign that cyber criminals spread to infect recipients' computers with LokiBot, a trojan-type malicious program. They send emails with attached archive files (RAR) that contain malicious executables. Cyber criminals behind the PETRONAS spam campaign attempt to trick people into executing the file, which then installs LokiBot.
This program steals various personal, sensitive information. Therefore, do not trust this email - ignore the message and delete it.
What is mpgun[.]com?
The mpgun[.]com website allows users to download videos from YouTube and convert them to MP3 and MP4 formats. In fact, it is illegal to download videos from YouTube.
Furthermore, mpgun[.]com employs rogue advertising networks. In summary, this website displays dubious advertisements and opens untrusted, potentially malicious websites. Therefore, avoid this site and do not use it to download or convert videos.
What is Bhacks?
Discovered by malware researcher Raby, Bhacks is a malicious program categorized as ransomware. It operates by encrypting data and demanding payment for decryption tools/software. During the encryption process, all affected files are renamed following this pattern: "Lock.", original filename, and the ".bhacks" extension.
For example, "1.jpg" would appear as "Lock.1.jpg.bhacks", and so on for all compromised files. After this process is complete, the wallpaper of the desktop is changed and a ransom message (within "200 dollars.txt") is created.