Horros Virus – Remove and Restore .horros Files

Horros Virus – Remove and Restore .horros Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Horros virus is a new Hidden Tear based malware that is actively infecting computers worldwide. Read our in-depth removal guide in order to learm more about it and recover your computer.

Threat Summary

Short DescriptionThe Horros virus is a Hidden Tear based malware that encrypts the target data with .horros extension.
SymptomsThe victims will find that their files are encrypted with the .horros extension.
Distribution MethodSpam Emails, File Sharing Networks, Exploit Kits
Detection Tool See If Your System Has Been Affected by Horros


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Horros.

Horros virus – Infection Spread

The Horros virus can be distributed using various methods depending on the desired scale of attacks. The hackers can make use of the most popular strategies to infect as many targets as possible. As such one of the most popular methods is to send spam messages that include a social engineering element. The preferrred way is to send hyperlinks that lead to the Horros virus samples hosted on a hacker-controlled download page. In other cases the malware operators may attach the files to the messages. The tactics used by the Horros virus controllers are to use stolen text and graphics from well-known sites.

In the last few years we have observed two methods that utilize malware payloads. The first one is to integrate the Horros virus into documents. They can be of different types such as rich text documents, spreadsheets and presentations. Once they are opened by the victims a notification window will be spawned that asks the victims to enable the built-in scripts. When this is done the virus will be automatically loaded into the system and initiated on the victim system. The other strategy is to load the Horros virus code into software installers. The criminals take the legitimate application setup files from official vendors and modify them to include the dangerous code. The reason why this tactic has the potential to impact many users is the fact that the criminals target popular software such as games, utilities, creativity apps and productivity solutions.

Due to the fact that the virus samples can be loaded through a payload or another software browser hijackers are a popular choice. They represent malware browser plugins that are designed to redirect the victim users to a hacker-controlled page, deploy various malware (including the virus) and institute various system changes.

Other Horros virus delivery methods include web scripts such as ads, banners and pop-ups. They can be placed on legitimate sites as well through affiliate networks and other marketing services.

Horros virus – Technical Data

The Horros virus is a newly discovered threat that appears to be a strain of the HiddenTear malware family. The ongoing attack campaigns are being initiated by an unknown individual or criminal collective. Like other similar threats it uses a prescribed behavior pattern that can be modified according to the ongoing attack campaign. This means that the virus can enable or integrate certain features in one campaign and be customized with others in future ones.

The attacks can begin with an information gathering that is programmed to harvest sensitive data from the compromised systems. It can be programmed into hijacking two main types of data:

  • Private Information — This type of data can expose the victim’s identity. The malware engine is programmed into looking our for specific strings: the victims name, address, location, interest, passwords, account credentials and etc.
  • Metrics Data — Other data that can be used by the malware engine for statistical purposes. This includes the available hardware components and certain operating system values.

Once this is done the collected information ca be used to start a stealth protection module. It uses the data to scan for signatures of any applications or services that might interfere with the Horros virus execution. Examples include anti-virus solutions, sandbox environments and virtual machine hosts. Advanced versions can be configured into deleting themselves if they are unable to overcome the security measures.

Follow-up steps include various system changes that all seek to misconfigure the system and allow for further malware actions. A popular method is to modify the Windows Registry by creating new entries or modifying existing ones. When such is the case with system applications or user software the victims apps may loose some functionality or altogether stop working. Overall system performance can be impacted if the malware modifies a system-related value.

Some Hidden Tear based viruses have the ability to institute a network connection to the hacker-controlled server. It can be used to serve various other malware as well. Some connections are used in a manner similar to Trojan viruses by transmitting data in real time. They allow the hackers to spy on the victims and take over control of them at any given time.

The Hidden Tear code is modular enough to allow for additional components to be loaded both before the virus is started and during its execution.

Horros virus — Encryption Process

Once all components have completed execution the ransomware module is started. Following the well-known Hidden Tear behavior patterns it uses a built-in list of target file type extensions that are encrypted with a strong cipher. The captured strains have been found to impact the following data types:

.3dm, .7z, .7zip, .accdb, .ai, .asp, .bmp, .class, .cpp, .cs, .csv, .dat, .db, .dbf,
.doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .eps, .fla, .gif, .ico, .indd,
.jar, .java, .jpeg, .jpg, .js, .max, .mdb, .msg, .pdb, .pdf, .php, .png, .ps, .psd, .py, .rar,
.raw, .rb, .rtf, .sdf, .sql, .svg, .swf, .tif, .txt, .vcf, .wpd, .wps, .xlm, .xls, .xlsb, .xlsm,
.xlsx, .xlt, .xltm, .xltx, .xml, .zip

All victim files are renamed with the .horros extension. The ransomware engine can also create designated ransom notes with messages that attempt to coerce the victims into paying the hackers a ransom fee.

Remove Horros virus and Restore Your Files

If your computer got compromised and is infected with the Horros ransomware virus, you should have some experience with removing viruses before tampering with it. You should get rid of the ransomware fast before it can spread further on the network and encrypt more files. The recommended action for you is to remove the ransomware completely by following the step-by-step instructions written below.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share