Virus and Spyware Removal Guides, uninstall instructions

GriftHorse Trojan (Android)

What is GriftHorse?

GriftHorse is the name of a trojan-type malware targeting Android devices. It is designed to infiltrate systems and stealthily subscribe victims to premium-rate mobile services.

GriftHorse's campaigns are aggressive and extensive. According to Zimperium's researchers, this malware is active in over 70 countries and has infected about 10 million devices worldwide. This trojan is distributed under the guise of various innocuous-looking apps, with disguises ranging from entertainment to system improvement software.

   
PINEFLOWER Malware (Android)

What is PINEFLOWER?

PINEFLOWER is the name of a malware family targeting Android operating systems. Malicious programs belonging to PINEFLOWER have a wide variety of functionalities, such as the ability to cause chain infections (download/install additional malware), steal data, and spy.

Mandiant researchers have found evidence connecting PINEFLOWER to APT42, which is believed to be an Iranian state-sponsored threat actor. APT42 deals in espionage and targets individuals and organizations of interest to the Iranian government, such as reformist political groups and human rights activists.

   
Gallery Adware

What kind of software is Gallery?

While examining a suspicious page, we discovered an unreliable application called Gallery. After downloading and installing this app, we learned that it generates advertisements (it functions as adware). We also noticed several processes named "nwjs" running in the Task Manager while the Gallery app was launched.

   
BluelightFurry Adware (Mac)

What is BluelightFurry?

BluelightFurry is a rogue app that our researchers found while investigating new submissions to VirusTotal. After analyzing this application, we determined that it is adware belonging to the AdLoad malware family. BluelightFurry operates by running intrusive ad campaigns, and it may also have browser-hijacking and data-tracking functionalities.

   
Request To Terminate/Disable Your Email Scam

What is "Request To Terminate/Disable Your Email"?

After inspecting this email, we learned that it is sent by scammers who aim to trick unsuspecting recipients into providing personal information. The scammers behind this email are pretending to be email service providers. They use a phishing website to extract information from recipients.

   
Gaqtfpr Ransomware

What is Gaqtfpr ransomware?

Our research team discovered the Gaqtfpr ransomware-type program while inspecting new submissions to VirusTotal. We determined that this program is part of the Snatch ransomware family.

When we launched a sample of Gaqtfpr on our testing system, it encrypted files and appended a ".gaqtfpr" extension to their filenames, e.g., a file titled "1.jpg" appeared as "1.jpg.gaqtfpr", "2.png" as "2.png.gaqtfpr", etc. Afterwards, a ransom note - "HOW TO RESTORE YOUR FILES.TXT" - was created.

   
Servidoracessobanco Ransomware

What kind of malware is Servidoracessobanco?

Servidoracessobanco is ransomware that belongs to a ransomware family called Amnesia. Our malware researchers discovered it while examining samples submitted to VirusTotal. The purpose of Servidoracessobanco ransomware is to encrypt files (keep them inaccessible until they are decrypted).

Additionally, it replaces filenames with a string of random characters and appends the ".servidoracessobanco" extension to them. It also creates the "Hello.txt" file (a ransom note). An example of how Servidoracessobanco renames files: it changes "1.jpg" to "=nw3lXgPo1ARY4.servidoracessobanco", "2.png" to "sapWiTyXp0tPguY.servidoracessobanco", and so forth.

   
Password Is Scheduled To Expire Email Scam

What kind of email is "Password Is Scheduled To Expire"?

"Password Is Scheduled To Expire" is yet another spam email. After inspecting this letter, we determined that it operates as a phishing scam.

This fake message notifies the recipient that their email account password is about to expire and requires immediate action (i.e., reconfirming the old password) to avoid undesirable consequences. By trusting this email, users will unintentionally expose their email accounts to scammers.

   
Eeyu Ransomware

What kind of malware is Eeyu?

While inspecting malware samples submitted to the VirusTotal page, we discovered ransomware (which is part of the Djvu family) called Eeyu. It encrypts files and appends its extension to filenames. For example, Eeyu renames "1.jpg" to "1.jpg.eeyu", "2.png" to "2.png.eeyu", etc. Also, it drops the "_readme.txt" file containing a ransom note.

   
Gnik Ransomware

What kind of malware is Gnik?

Gnik is ransomware belonging to the Dharma family. Our team discovered this ransomware while inspecting malware samples submitted to VirusTotal. We found that Gnik prevents victims from accessing their files by encrypting them. It also modifies filenames and provides two ransom notes.

Gnik displays a pop-up window and generates a text file ("info.txt") containing ransom notes. An example of how Gnik renames files: it changes "1.jpg" to "1.jpg.id-9ECFA84E.[king2022@msgden.com].gnik", "2.png" to "2.png.id-9ECFA84E.[king2022@msgden.com].gnik". It appends the victim's ID, email address, and the ".gnik" extension to filenames.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
