Vidar malware. How to remove? (Uninstall guide)
Vidar is a dangerous data-stealer that collaborates with other threats to create a deadly malware mix
Vidar is a devastating type of computer infection that not only steals most sensitive information but also infects with GandCrab 5.0.4 ransomware
Vidar malware is a Trojan that belongs to an info-stealing type of computer threats. The virus is capable of harvesting a variety of information, including web browsing history, cookie IDs, cryptocurrency wallet data, comprehensive technical details of the device, messaging content, various credentials, screenshots, etc. Vidar was first discovered in late October 2018, although the closer analysis was performed in January when the virus was spotted being distributed together with the notorious GandCrab 5.0.4, although other malware can be downloaded as a secondary payload – it all depends on the configuration inputs used by hackers. Vidar malware mostly uses malicious advertisements in the combination of the Fallout[1] or GrandSoft exploit kits to propagate and can be bought on the black market for around $700.
| Name | Vidar malware |
| Type | Trojan/Info-stealer |
| Functionality | Steals a variety of sensitive information, delivers a secondary payload, communicates with C&C server |
| Distribution | Fallout and GrandSoft EK, malertising |
| Secondary payload | GandCrab 5.0.4 ransomware |
| First discovered | October 2018 |
| Programming language | C++ |
| Similar threats | AZORult, Zeus, Panda Banker, LokiBot Emotet |
| Termination | Use reputable security software like Malwarebytes MalwarebytesCombo Cleaner |
| Recovery | We recommend using Reimage to to recover from virus damage |
Initially, researchers believed that Vidar malware was actually a string of Arkei virus.[2] However, the in-depth analysis showed that it is in fact Vidar, which was closely related to the former, as differences between the two were relatively small. Nevertheless, the impact of the info-stealing capabilities is still huge, and those infected should immediately remove Vidar malware from their computers.
Vidar malware authors use exploit kits to infiltrate the virus into the system. The malicious ads are usually hosted on poorly-regulated torrent or video streaming websites. As soon as the victim clicks on the location-based ad, the Fallout or GrandSoft EK (however, the former is more popular – it accounts for more than 70% of total infections) is launched. If successfully exploited, users will find themselves infected with Vidar malware, along with GandCrab, or possibly other strings.
Once Vidar malware establishes itself on the system, it harvests a variety of information, such as:
- Cookie ID;
- Browser history of Google Chrome, Internet Explorer, Mozilla Firefox, Safari, Tor, etc.;
- Screenshots;
- Detailed technical data;
- Two-factor authentication software data;
- Loader settings;
- Crypto-wallet info;
- Notifications from various messaging apps;
- Various credentials, etc.
The aggregated data is then compiled into a file information.txt and sent off to a Command & Control server controlled by hackers. During the data-stealing process, Vidar malware launches several DLL files, including msvcp140.dll, mozglue.dll, softokn3.dll, vcruntime140.dll, and others.
Once Vidar virus completes the data-stealing procedure, it will then load GandCrab 5.0.4 ransomware which will encrypt all personal data and demand the ransom for file decryptor. Nevertheless, the official tool was released by BitDefender recently,[3] and it can recover all the encoded data for free.
Due to the fact that ransomware is a rather “noisy” infection, it is practically impossible to fail to notice it; users will be concentrated on the secondary payload, not noticing that their credit card details, along with a large amount of other sensitive data are being stolen. For that reason, the damage Vidar malware can cause is probably as, or even more, destruction than that of a secondary payload.
Nevertheless, after Vidar malware removal, users should take extra steps to recover from the attack: change all passwords, contact the bank to check for illegal transactions, and also scan the device with such tools like Reimage to make sure that no malicious components are left.
Select 'Safe Mode with Networking'
Select 'Enable Safe Mode with Networking'
Select 'Safe Mode with Command Prompt'
Select 'Enable Safe Mode with Command Prompt'
Enter 'cd restore' without quotes and press 'Enter'
Enter 'rstrui.exe' without quotes and press 'Enter'
When 'System Restore' window shows up, select 'Next'
Select your restore point and click 'Next'
Click 'Yes' and start system restore
Update your software to avoid exploitation and install security application
Exploit kits are one of the more sophisticated malware infection methods used by cybercriminals. An exploit kit is basically a piece of software that serves hackers as a tunnel which allows exploitation of vulnerabilities in software like Adobe Flash, Java, Drupal, and even Windows operating system itself. All users have to do is visit a compromised site that hosts the kit, and the malicious payload will be delivered automatically via the flaw.
To avoid such course of events, users should always make sure that all their software is updated with the latest security patch, especially Windows updates, as they often include major patches for Adobe and similar vulnerable software. Thus, make sure your operating system is set to update itself automatically.
Other updates, such as Java or Adobe Flash can also be set to be updated automatically. Alternatively, users can download them from official sites. Be aware that hackers often abuse Flash player updates to install malware, so never download any fake updates that might pop-up on compromised websites.
Another way to protect yourself from exploits is by employing anti-exploit engines that can prevent the vulnerability from being abused. Many vendors include this functionality, so make sure you choose the one that has it.
Terminate Vidar malware together with its secondary payload immediately
Vidar, considering its sophisticated infection methods and the inclusion of the secondary payload, is possibly one of the most devastating infections. It can bring not only to stolen money from the bank account, but also identity theft, and personal file loss due to ransomware. The recovery process of such infection might be complicated, but first, you have to take care of Vidar malware removal.
To accomplish that, you need to make sure you download and install powerful security software that can remove Vidar virus, along with any other malware that could have been established with it. Download a security application and then enter Safe Mode with Networking, as explained below.
Once you terminate Vidar malware, make sure you use the decryptor by BitDefender[4] if your files got locked by GandCrab.
To remove Vidar malware, follow these steps:
Remove Vidar malware using Safe Mode with Networking
To remove Vidar malware, enter Safe Mode with Networking as follows:
-
Step 1: Reboot your computer to Safe Mode with Networking
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
-
Select Safe Mode with Networking from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
-
Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
-
Step 2: Remove Vidar malware
Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Vidar malware removal.
If your ransomware is blocking Safe Mode with Networking, try further method.
Remove Vidar malware using System Restore
System Restore might also be useful when dealing with malware infection:
-
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
-
Select Command Prompt from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
-
Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
-
Step 2: Restore your system files and settings
-
Once the Command Prompt window shows up, enter cd restore and click Enter.
-
Now type rstrui.exe and press Enter again..
-
When a new window shows up, click Next and select your restore point that is prior the infiltration of Vidar malware. After doing that, click Next.
-
Now click Yes to start system restore.
-
Once the Command Prompt window shows up, enter cd restore and click Enter.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Vidar malware and other ransomwares, use a reputable anti-spyware, such as Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes
About the author
If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.
References
- ^ Fallout Exploit Kit: A deep dive into the exploit kit’s campaigns distributing various malware strains. Cyware. Real Time Cyber Security Products and Alerts.
- ^ fumiko. Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis). Fumik0. Malware analysis.
- ^ Jake Doevan. Bitdefender decryptor saves over $2M for Gandcrab victims in 48 hours. 2-spyware. Cybersecurity news and malware research.
- ^ Bogdan Botezatu. New GandCrab v5.1 Decryptor Available Now. Bitdefender. Security blog.