Virus and Spyware Removal Guides, uninstall instructions
What is BTC (VoidCrypt) ransomware?
BTC is the name of a malicious program belonging to the VoidCrypt ransomware family. Our research team discovered this ransomware-type program while inspecting new submissions to VirusTotal.
After executing a sample of BTC (VoidCrypt) ransomware on our test system, we learned that it encrypts files and alters their filenames.
The names of the compromised files were appended with a unique ID assigned to the victim, the cyber criminals' email address, and a ".BTC" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.(MJ-FP9085364721)(RansomwareSupport@ZohoMail.com).BTC".
Once the encryption process was completed, a ransom note - "unlock-info.txt" - was created on the desktop.
What kind of software is DigitalFile?
While inspecting untrustworthy pages, our team discovered an advertising-supported application called DigitalFile. After examination, we concluded that the purpose of DigitalFile is to display annoying (and untrustworthy) advertisements. It is highly advisable not to have this app installed on the operating system.
What kind of page is notfcompreviews[.]com?
Notfcompreviews[.]com is a website that displays deceptive content (uses a clickbait technique) to trick visitors into agreeing to receive notifications from it. It is uncommon for such pages to be visited intentionally. Our team discovered notfcompreviews[.]com while examining pages that use rogue advertising networks.
What kind of malware is Fdcv?
Fdcv is ransomware that encrypts files and appends the ".fdcv" extension to filenames. Also, it creates a text file ("_readme.txt") that contains a ransom note. Our malware researchers have discovered Fdcv while analyzing the samples submitted to the VirusTotal website. They also found that Fdcv belongs to a ransomware family called Djvu.
An example of how files encrypted by Fdcv are renamed: "1.jpg" is renamed to "1.jpg.fdcv", "2.png" to "2.png.fdcv", "3.exe" to "3.exe.fdcv", and so forth.
What kind of page is solidprotectionspc[.]com?
Our research team found the solidprotectionspc[.]com rogue webpage while inspecting unreliable sites. This page operates by promoting deceptive content, pushing browsing notification spam, and redirecting visitors to other (likely untrustworthy/malicious) websites.
Users typically enter these webpages through redirects caused by sites using rogue advertising networks.
What is TURKEY ransomware?
While inspecting new malware submissions to VirusTotal, our researchers found a new malicious program called TURKEY, which is based on Chaos ransomware.
We acquired a sample from VirusTotal and launched it on our test system. We learned that the TURKEY ransomware encrypts files and appends an extension consisting of four random characters to their filenames. For example, a file initially titled "1.jpg" appeared as "1.jpg.di0h", "2.png" as "2.png.tlfh", and so on for all of the compromised files.
Once the encryption process was completed, a ransom note - "read_it.txt" - was created, and the desktop wallpaper was changed.
What is PowerShell RAT?
PowerShell RAT is the name of a Remote Access Trojan (RAT) written in PowerShell. The term PowerShell refers to a Microsoft Windows program designed for task automation and configuration management (i.e., product functionality, performance, and attribute establishment and maintenance).
The trojan in question is based on this program, and it can execute PowerShell commands. In general terms, RATs operate by enabling remote access to and control over affected devices.
It is noteworthy that the PowerShell RAT has been actively leveraged against German users seeking information regarding the War in Ukraine.
What kind of malware is SaintStealer?
During our routine malware research, we discovered an information stealer called SaintStealer. We found that this information-stealing malware targets credentials and system information. All gathered information is sent to a Command and Control server. SaintStealer is written in the C# programming language.
What kind of page is webnotificationservices[.]com?
Webnotificationservices[.]com is a rogue webpage that our research team discovered while inspecting untrustworthy sites. It is designed to push browser notification spam and redirect visitors to other (likely unreliable/malicious) websites. Most users enter such webpages via redirects caused by sites that use rogue advertising networks.
What kind of email is "The list of the problem"?
We have examined this email and found that cybercriminals use it to deliver malware. Their goal is to trick recipients into opening the attachment (a malicious file). We are not certain what malware threat actors behind this malspam campaign are distributing, but there is reason to believe it is Agent Tesla RAT.