Remove Varenyky Trojan (Spambot) and Stop Sextortion

Remove Varenyky Trojan (Spambot) and Stop Sextortion

1 Star2 Stars3 Stars4 Stars5 Stars (3 votes, average: 4.33 out of 5)

Update September 2019.
Varenyky is a dangerous Trojan with spyware functionalities which also operates as a spambot. Security researchers believe that the Varenyky spambot is currently under heavy development meaning that it is going to evolve. At the heart of the Varenyky spambot operation is sextortion. The Trojan is designed to steal passwords, and spy on victims’ screen via FFmpeg when they watch adult content.

Varenyky also communicates with its command and control server via Tor, and the spam that activates the operation is sent via email.

Threat Summary

TypeTrojan, Spambot
Short DescriptionVarenyky is a Trojan and a spambot that is currently distributed via phishing and spam emails.
SymptomsThe victims may not experience any apparent symptoms of infection.
Distribution MethodSpam emails and phishing.
Detection Tool See If Your System Has Been Affected by Varenyky


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Varenyky.

Varenyky Trojan and Spambot – Distribution Methods

According to WeLiveSecurity researchers, the Varenyky Trojan is currently targeting France, and more specifically, the users of Orange S.A., a French ISP. The main distribution channel of the spambot is phishing emails. The researchers came across a spam campaign that redirected to a survey and a bogus smartphone promotion. However, another campaign is relying on sextortion principles, and is spying on the victim’s screen while they are visiting adult websites.

One of the malicious documents that is distributing Varenyky is attached in an email states that a bill of €491.27 is available. Upon opening the supposed bill, the victim will be notified that the document is protected by Microsoft Word and needs human verification. In other words, the victim is prompted to enable macros.

It is curious to note that the macro detected in this Word document is using the function Application.LanguageSettings.LanguageID() to obtain the language ID of the victim’s computer.

This ID contains the country and the language set by the user. The script checks if the value returned is 1036 in decimal (or 0x40C in hexadecimal) and according to the Microsoft documentation this value corresponds to France and the French language,” WeLiveSecurity researchers explained.

Related: 4 Reasons Why You Receive Sextortion and Other Email Scams

Varenyky Trojan – Technical Overview

As already mentioned, the Varenyky Trojan is currently targeting French victims via fake invoices in the form of Microsoft Word documents that prompt them to enable macros. When the potential victim opens the document and the macro is executed, the operation makes sure that the user is indeed French. If the victim is of other nationality, the malware operation ceases. If the French origin is confirmed, the malware will communicate with its command and control server to determine what components to download. Varenyky also installs a piece of software that steals passwords and spies on victims via FFmpeg when they are watching pornographic content online.

The Varenyky Trojan can also detect specific “trigger” keywords of sexual nature as well as websites (such as YouPorn, PornHub, and Brazzers. When any of these keywords is caught, the malware will record the computer’s screen via an FFmpeg executable. The recorded content is then sent to the command and control server. Obviously, the reason for recording the victim’s screen under these specific circumstances is sextortion and blackmail. It is also highly possible that Varenyky will be used in highly targeted campaigns.

Remove Varenyky Trojan

If your computer system got infected with the Varenyky Trojan, you should have a bit of experience in removing malware. You should get rid of this Trojan as quickly as possible before it gets the chance to spread further and infect other computers. Consider removing the Trojan immediately, and follow the step-by-step instructions available below.

Note! Your computer system may be affected by Varenyky and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of Varenyky.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.

To remove Varenyky follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove Varenyky files and objects
2. Find files created by Varenyky on your PC

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share