Dont_Worry Virus – How to Remove It and Restore Encrypted Files


The Dont_Worry virus is a newly discovered ransomware, part of the AMBA malware family. Read our in-depth removal guide to learn how to get rid of the infection and restore the affected data.

Threat Summary

Short Description: The Dont_Worry virus is a ransomware strain that originates from the AMBA malware family and can be customized to launch a variety of components against the infected users.
Symptoms: The victims may experience low overall system performance and will notice that their sensitive data has been encrypted by the malware engine.
Distribution Method: Spam emails, file sharing networks, exploit kits

Dont_Worry Virus – Infection Spread

The Dont_Worry virus can be distributed using different methods depending on the scope of the attack campaign and the intended targets. Usually the most convenient approach is to concentrate first on one method and then launch a secondary attack that acts as support. If the strain is advanced enough, it can be launched simultaneously via multiple methods.

The hackers behind this particular threat can craft spam messages that infect the recipients with the virus code. This is done by inserting hyperlinks that redirect to a hosted malware instance. The other common way is to attach the virus files directly to the messages. The hackers use social engineering tactics that coerce the victims by reusing legitimate text and graphics from well-known sites or services.

In a similar way the hackers can utilize two other related strategies that embed the Dont_Worry virus into payload carriers. The first is to insert the virus code into documents. They can be of different types (rich text documents, spreadsheets or presentations) and spawn a notification prompt that asks the users to enable the built-in scripts (macros). When this is done, the malware engine automatically downloads the malware from a remote host and executes it on the target system. Another tactic is to insert the code into software installers. The hackers tend to choose popular software that is often used by end users: system utilities, creativity applications and even games.

These hacker-made files are then usually distributed on various counterfeit download portals that are made to look like well-known legitimate services. It is also possible to deliver links to the Dont_Worry virus via various web scripts such as banners, redirects and pop-ups.

Dont_Worry virus samples can also be integrated into browser hijackers. These are malicious browser plugins that promise better functionality and various feature add-ons. Using fake descriptions, developer credentials and user reviews, they can be found both on the official repositories (such as the Chrome Web Store for Google Chrome) and on third-party sites. After installation the most common effect is that the victims are redirected to a hacker-controlled site and have their default settings altered (search engine, home page and new tab page). Such threats are usually made for the most popular web browsers: Mozilla Firefox, Google Chrome, Microsoft Edge, Internet Explorer, Safari and Opera.

Dont_Worry Virus – Technical Data

The Dont_Worry virus is a newly discovered strain that belongs to the AMBA ransomware family. It appears to be a customized version based on code that can be easily modified and updated. This means that the hackers behind it (an individual hacker or a criminal collective) can create a separate version for each individual attack.

The infection can begin with an information gathering module that can be programmed to harvest various kinds of data from the compromised machines. The data is usually classified into two separate types:

  • Personal Data — The malware engine is programmed to harvest strings related to the victim users. This includes their name, address, location, interests, passwords and account credentials.
  • Anonymous Data — The virus can also gather data concerning the hardware components and the installed software.

The collected information can be used to launch a separate stealth protection component. It is used to bypass applications that can interfere with the virus execution: anti-virus tools, sandbox and debug environments and virtual machine hosts.

Further changes to the system allow the computer criminals to make dangerous modifications — registry changes, operating system configuration and boot options. Depending on the severity, this may cause issues ranging from application runtime problems to an overall performance impact. The Dont_Worry virus may also block access to the boot recovery menu. Such behavior is expected if the malware attains a persistent state of execution.

An advanced configuration allows the virus to create a network connection to a hacker-controlled server. It is used both to retrieve the harvested data and to deploy additional threats. In some cases this connection can be used to remotely control the compromised machines in a manner similar to Trojan instances.

Dont_Worry Virus – Encryption Process

Once the other Dont_Worry virus components have completed, the built-in ransomware module is loaded. It uses a predefined list of target file type extensions which can be amended depending on the attack campaign. The captured samples have been found to act against the following data:

.$$$, .[0-9]+, .~ini, .~klt, .1cd, .1cd2, .1cl, .1ey, .1txt, .2, .2cd, .6t[0-9]*, .6tr, .7z, .7zip, .8t0, .8tr,
.9tr, .a2u, .a3d, .aad, .abd, .accdb, .adb, .adi, .afd, .ai, .als, .amp, .amr, .ans, .apc, .apk, .apx, .arc,
.arch, .arh, .arj, .atc, .atg, .ava, .avhd, .avhdx, .awr, .axx, .bac[0-9]*, .backup, .bak, .bck, .bco, .bcp,
.bde, .bdf, .bdf, .bf, .bf3, .bg, .bip, .bkc, .bkf, .bkp, .bks, .blb, .blf, .blk, .bln, .bls, .bls, .bmp, .box,
.bpl, .bpn, .btr, .burn, .bz, .bz2, .car, .cbf, .cbm, .cbu, .cdb, .cdr, .cdx, .cer, .cf, .cfl, .cfu, .cia, .cmt,
.cnc, .cpr, .cr2, .cripted, .criptfiles, .crypt, .csv, .ctl, .ctlg, .cuc, .cui, .cuix, .custom, .dafile, .data,
.db, .db[0-9]*, .dbf, .dbk, .dbs, .dbt, .dbx, .dcf, .dcl, .dcm, .dct, .dcu, .dd, .ddf, .ddt, .dfb, .dff, .dfp, .dgdat,
.dic, .diff, .dis, .djvu, .dmp, .doc, .docx, .dot, .dpr, .dproj, .drs, .dsus, .dt, .dtz, .dump, .dwg, .dz, .ect, .edb, .efd,
.efm, .eif, .elf, .eml, .enc, .enz, .epf, .eps, .erf, .ert, .esbak, .esl, .eso, .etw, .export, .fbf, .fbk, .fdb, .fdb[0-9]*,
.fi, .fil, .fkc, .fld, .flx, .fob, .fpf, .fpt, .frf, .frm, .frp, .frw, .frx, .fxp, .gbk, .gbp, .gd, .gdb, .gdoc, .gfd, .gfo,
.gfr, .gho, .ghost, .ghs, .gif, .gopaymeb, .gpd, .granit, .grd, .gsheet, .gsn, .gz, .gzip, .hbi, .hbk, .hdf, .his, .hive, .htm,
.html, .ib, .idf, .idx, .ifm, .ifo, .ifs, .ima, .img, .imgc, .imh, .imm, .indd, .info, .ipa, .ips, .irsf, .irsi, .irss, .iso,
.isz, .iv2i, .jbc, .jpeg, .jpg, .jrs, .kdc, .keg, .key, .klt, .kmn, .kpm, .kwm, .laccdb, .last, .lay6, .lbl, .ldb, .ldf, .ldif,
.ldw, .lg, .lgd, .lgf, .lgp, .lic, .lis, .lky, .lnk, .local, .lock, .lrv, .lsp, .lst, .lvd, .lzh, .m2v, .mac, .mak, .map, .max, .mb,
.mbox, .mcx, .md, .md5, .mdb, .mde, .mdf, .mdmp, .mdt, .mdw, .mdx, .meb, .mft, .mig, .mkd, .mnc, .mnr, .mns, .mod, .mov, .msf, .mtl,
.mxl, .mxlz, .mxlz, .myd, .myi, .n[0-9]*, .nag, .nbi, .nbk, .nbr, .nc, .nd[0-9]*, .ndf, .ndt, .nef, .new, .nif, .nrg, .nsf, .ntx, .nvram,
.obf, .ods, .odt, .ogd, .ok, .okk, .old, .one, .onetoc2, .ora, .ord, .ost, .out, .ovf, .oxps, .p12, .packed, .pak, .pas, .paycrypt@gmail_com, .pbd,
.pbf, .pck, .pdf, .pdt, .pf, .pfi, .pfl, .pfm, .pfx, .pgd, .pgp, .php, .pka, .pkg, .pkr, .plague17, .plan, .plb, .pln, .plo, .pm, .pml, .png, .pnl, .ppd,
.ppsx, .ppt, .pptx, .prb, .prg, .prk, .profile, .prv, .ps1, .psd, .psl, .pst, .pwd, .pwm, .px, .py, .q1c, .qib, .qrp, .qst, .rar, .rbf, .rcf, .rdf, .rec,
.rep, .repx, .req, .res, .rez, .rgt, .rk6, .rn, .rpb, .rpt, .rst, .rsu, .rtf, .rvs, .sac, .sacx, .save, .saved, .sbin, .sbk, .sbp, .scn, .sct, .scx, .sdb, .sdf,
.sdl, .sel, .sem, .sfpe, .sfpz, .sgn, .shd, .shdb, .shdl, .shs, .skr, .sln, .smf, .smfx, .sna, .snp, .sob, .sobx, .spr, .sql,
.sqlite, .sqm, .sqx, .srx, .ssd, .ssf, .ssp, .sst, .st[0-9]*, .stm, .stop, .str, .sv2i, .svc, .svp, .tab, .tar, .tbb, .tbc, .tbh, .tbi, .tbk, .tbl, .tbn, .tdb, .tgz,
.thm, .tib, .tid, .tmf, .tmp, .tmp0, .tnx, .tpl, .tps, .trc, .trec, .trn, .tst, .twd, .txt, .ua_, .udb, .unf, .upd, .utf, .v2i, .v8i, .vault, .vbe, .vbk, .vbm, .vbx,
.vct, .vcx, .vdb, .vdi, .ver, .vhd, .vhdx, .vib, .viprof, .vlx, .vmcx, .vmdk, .vmem, .vmp, .vmpl, .vmrs, .vmsd, .vmsn, .vmss, .vmx, .vmxf, .vpc, .vrd, .vrfs, .vsd, .vsv,
.vswp, .vvr, .vvv, .wallet, .war, .wav, .wbcat, .wbverify, .wid, .wim, .wnw, .wrk, .wsb, .xch, .xg0, .xls, .xlsb, .xlsm, .xlsx, .xml, .xsc, .xsd, .xstk, .xtbl, .xxx, .xz,
.yg0, .ytbl, .zip, .zrb, .zsp, .zup, .БРОНЬ

It also includes an exclusion list composed of the following extensions:

.aes, .ani, .avi, .cab, .cpl, .cur, .dat, .deskthemepack, .diagcab, .diagpkg, .dll, .dmp, .docm, .drv, .exe,
.hlp, .icl, .ico, .icons, .mp3, .mp4, .msp, .msstyles, .mui, .ocx, .rtp, .settingcontent-ms, .sys, .themepack

The victim files are encrypted and renamed using the following pattern: “email_ransom-random_ID{16}”
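As an added illustration (not code from the original guide or from the malware itself), the following Python triage helper applies the targeting rules described above from the responder's side: it compiles a constructed subset of the target list, treating entries such as `.bac[0-9]*` and `.[0-9]+` as the regex fragments they are, honors the exclusion list, and flags names that already match an assumed reading of the `email_ransom-random_ID{16}` rename pattern (contact e-mail, then `_ransom-`, then 16 alphanumeric characters), so at-risk and already-encrypted files can be inventoried on a mounted disk before cleanup.

```python
import os
import re

# Constructed subset of the target-extension list quoted above, not the full
# list. Entries such as ".bac[0-9]*" and ".[0-9]+" are regex fragments that
# stand for whole families of extensions, so they are compiled, not compared.
TARGET_EXTENSIONS = [
    ".$$$", ".[0-9]+", ".1cd", ".7z", ".bac[0-9]*", ".bak", ".db[0-9]*",
    ".docx", ".jpg", ".pdf", ".sql", ".vmdk", ".xlsx", ".БРОНЬ",
]
# Constructed subset of the exclusion list; exclusion wins when an extension
# is on both lists (.dmp appears on both in the page).
EXCLUDED_EXTENSIONS = {".dat", ".dll", ".dmp", ".exe", ".mp3", ".sys"}

def _ext_regex(entry: str) -> str:
    # A bracket marks a regex fragment: keep it, but make the leading dot literal.
    return r"\." + entry[1:] if "[" in entry else re.escape(entry)

TARGET_RE = re.compile(
    "^(?:" + "|".join(_ext_regex(e) for e in TARGET_EXTENSIONS) + ")$", re.IGNORECASE
)

# Assumed reading of the page's "email_ransom-random_ID{16}" pattern:
# <contact e-mail>_ransom-<16 alphanumeric characters> ends the file name.
ENCRYPTED_RE = re.compile(r"[^\s/\\]+@[^\s/\\]+_ransom-[A-Za-z0-9]{16}$")

def classify(path: str) -> str:
    """Return 'encrypted', 'excluded', 'at_risk' or 'other' for one file path."""
    name = os.path.basename(path)
    if ENCRYPTED_RE.search(name):
        return "encrypted"
    ext = os.path.splitext(name)[1]
    if ext.lower() in EXCLUDED_EXTENSIONS:
        return "excluded"
    if TARGET_RE.match(ext):
        return "at_risk"
    return "other"

def bucket(paths) -> dict:
    """Group an iterable of paths by classify(); works on any file listing."""
    result = {"encrypted": [], "excluded": [], "at_risk": [], "other": []}
    for p in paths:
        result[classify(p)].append(p)
    return result

def triage(root: str) -> dict:
    """Walk a directory tree (live host or mounted image) and bucket every file."""
    return bucket(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)
```

Run `triage()` against a mounted, read-only copy of the disk rather than the live infected host, and extend the two lists with the full entries from the page for production use.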

A ransom note is written to a text file called Dont_Worry.txt which reads as follows:

Вся Ваша информация на этом компьютере была зашифрована.
Для расшифровки обратитесь по нижеуказанным контактам.
Ваш код для разблокировки: 42943870
Если Вам приходит ответ, что почтовый адрес не существует:
1. Вам не повезло. Адрес заблокировали.
Все инструкции вы получите в ответном письме.

An English version of it reads as follows:

All your information on this computer has been encrypted.
To decrypt, refer to the contacts listed below.
Your unlock code: 42943870
If you receive an answer that the mailing address does not exist:
1. You are unlucky. The address was blocked.
You will receive all instructions in the reply letter.

Example victim data may therefore include any of the following:


Remove Dont_Worry Virus and Restore Your Files

If your computer has been compromised by the Dont_Worry ransomware, you should have some experience with removing viruses before tampering with it. You should get rid of the ransomware quickly, before it can spread further on the network and encrypt more files. The recommended action is to remove the ransomware completely by following the step-by-step instructions written below.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
