Remove VIDAR Trojan (Virus Removal Guide)

What you need to know about Vidar Trojan

Contents

What you need to know about Vidar Trojan
- What are the capabilities of Vidar
- Threat Summary
How this Trojan infects computers
- How prevalent is Vidar Trojan?
- What to do to prevent Trojan infection
Remove VIDAR Trojan Securely

Vidar Trojan, also referred to as Vidar InfoStealer, is a malicious computer virus created by rogue developers for criminal purposes. Its basic function is to steal vital personal information contained in any computer it infects. First noticed in December 2018, the Trojan is nowadays often distributed alongside one of the most prevalent ransomware families known as STOP/DJVU.

Vidar InfoStealer is available as a tool for wannabe cybercriminals via dark web forums. Reportedly, its price ranges between $250-$700. Therefore, offenders who want to make use of it can purchase it and distribute it in any way they prefer or pack it with other computer threats.

Those behind this Trojan created it for criminal purposes, particularly to steal sensitive information such as saved passwords, IP addresses, cryptocurrency wallets, browsing history and even covertly obtain desktop screenshots etc. In addition, it has options that can enable cybercriminals to steal specific information according to their target. One of such options is known to release a ransomware-type of infection called GandCrab 5.0.4. The Trojan will eventually identify all the data it stole in a text file and compile them in a ZIP file before transmitting to their Command and Control server.

The worrying aspect of Trojans like Vidar is that they can stealthily infiltrate a computer system, and the user would probably have no clue about their existence. However, their presence in any computer can lead to severe losses such as bank funds, cryptocurrency wallets, account passwords, invasion of privacy, and possible blackmail threats. Therefore, if for any reason your suspect that this threat has infected your computer, then you must remove VIDAR Trojan as soon as you can.

There are other data-stealing Trojans you should be wary of, such as AZORULT, FORMBOOK, HANCITOR etc. This category of Trojans is often spread through malicious email spam campaigns. They are deceptively hidden in emails as attachment and are triggered once an unsuspecting computer user opens them.

What are the capabilities of Vidar

Although Vidar originally came into existence in the last quarter of 2018, this malware is still very active nowadays. It has so far proven capable of infiltrating a wide range of data such as user credentials, system information and browser data, among others, which is exactly the set of functionalities that cybercriminals look for. It is known to generate three distinct files for the purpose of storing browser credentials as well as email credentials from any system it compromises. Vidar belongs to a family of malware that are notorious for their information stealing ability and also functions as an enabler for ransomware deployment.

The diverse data it usually extracts from any computer system it infects include the following:

Computer name;
Machine ID and GUID;
Current user name;
Operating system;
Hardware information;
Display resolution;
Network information;
Keyboard language;
Compilation of installed software.

This specific Trojan communicates with the criminals’ C&C server and received configuration data from there. The configuration data concludes which applications to target and what data to steal. For example, the attacker might target browsers, cryptocurrency wallets, file sharing and communication programs, or general details about the infected system. The Trojan then creates files to store stolen data (file name examples: passwords.txt, IE_Cookies.txt, Edge_Default.txt and so on). The Trojan then archives these files into .zip format and sends it to the attacker’s server. After sending victim’s stolen data to the server, the virus tries to delete itself.

Threat Summary

Name	VIDAR Trojan
Type	Trojan; Information Stealer
Associated names	RedLine Stealer
Damage	The information-stealing Trojan is capable of collecting saved credentials, browser history, cookies, cryptocurrency wallets and other details from victim’s computer and sending them to criminals’ Command & Control server.
Distribution	This virus might arrive alongside ransomware infection, although it is also distributed with the help of exploit kits.
Detection names	Trojan:Win32/Wacatac.B!ml (Microsoft), Gen:Variant.Jaik.47957 (B) (Emsisoft), Trojan.Win32.Fabookie.yh (Kaspersky), Gen:Variant.Jaik.47957 (BitDefender), Trojan.Downloader.Generic (Malwarebytes), Trojan.Gen.MBT(Symantec) see all detection name variations on VirusTotal
Removal	Remove Trojan and related malware from your PC using professional software of your choice. We highly recommend using INTEGO Antivirus. To repair virus damage on Windows OS files, consider scanning with RESTORO.

REMOVE MALWARE & REPAIR VIRUS DAMAGE

1 Step. Get robust antivirus to remove existing threats and enable real-time protection

SECURE YOUR PC NOW

See Full Review

INTEGO Antivirus for Windows provides robust real-time protection, Web Shield against phishing and deceptive websites, blocks malicious downloads and blocks Zero-Day threats. Use it to remove ransomware and other viruses from your computer professionally.

2 Step. Repair Virus Damage on Windows Operating System Files

REPAIR VIRUS DAMAGE

See Full Review

Download RESTORO to scan your system for FREE and detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically.

How this Trojan infects computers

Vidar just like many other Trojans and malwares, are usually spread deceptive malicious campaigns, whereby they deceptively lure their target audience into clicking on fake links or ads that redirects them to dangerous sites instead of the page they advertised. However, Vidar relies more on a EK known as Fallout Exploit Kit to proliferate, with users of Internet Explorer browser and Flash Player as their prime targets.

How prevalent is Vidar Trojan?

Although first spotted in December 2018, Vidar Trojan caught global attention in January 2019, when it made its first appearance in a malvertising campaign. At that period, cybercriminals were discovered to be making use of Fallout Exploit kit in spreading Vidar as well as GrandCrab as secondary payloads to unsuspecting users. Immediately after, experts working on cyber protection revealed a fake cryptocurrency trading platform that was spreading Vidar in a crypto-stealing malware campaign. In order to prey on many people as possible, they impersonated a popular cryptocurrency trading platform known as CryptoHopper.

Another rogue developer named Legion released made attempts to deploy certain types of malware, Vidar inclusive across the U.S and the EU zone. Likewise, cybercriminals were able to compromise Bitbucket which affected about 500,000 computer systems across the globe, in a series of malware campaign targeted at illegally mining cryptocurrency, spreading ransomware payloads (Vidar inclusive) and stealing of data.

Vidar was also observed arriving as a secondary payload in STOP/DJVU ransomware attacks. That said, you can expect to get infected with this information stealer if you have a habit of visiting websites providing pirated software copies via peer-to-peer file sharing system (torrents).

What to do to prevent Trojan infection

Basically, you need to update your software contents and operating system at all times to preempt any attempt by Trojans to infiltrate. In addition to that, you also need to install ad blocker and web protection software/tools to proactively prevent any malicious attempt by cybercriminals to redirect you to rogue platforms/sites. However, if you observe that your computer may have already been exposed to Vidar Trojan, then you will have to run a full scan with INTEGO Antivirus to remove them immediately.

Below is a typical rogue website advertising Vidar Trojan as a cyber crime tool.

Deceptive website offering the Trojan as a tool to commit cybercrimes.

Not long ago, Cybercriminals created a cryptocurrency trading platform known as CryptoHopper which they use in spreading various Trojans including Vidar.

Here is a screenshot of fake CryptoHopper website (crypto-widget[.]live) serving the Trojan for users disguised as setup.exe file:

The deceptive website serves setup.exe download that contains the information-stealing Trojan.

Back in 2020, cybercriminals began a spam campaign aimed at spreading Vidar Trojan in cahoots with Nemty “Special Edition” ransomware, with their target audience believed to be South Koreans.

Remove VIDAR Trojan Securely

Malware can be removed manually, but this has proven to be very tedious and requires advanced knowledge of computer and its software/hardware components. However, making use of INTEGO Antivirus is a convenient and reliable way to automatically remove malware from your computer system. Check below for more details how to prepare your computer before running the full system scan with robust antivirus solution.

Although the described Trojan is often used as a secondary malware alongside other malicious payloads, it should never be underrated, especially considering its information stealing capability. Therefore, it is necessary to remain proactive by deploying strong and genuine anti-malware software to protect your system and ensure that your personal data does not get into the wrong hands. Your computer should be protected in real-time 7 days a week.

To initiate VIDAR Trojan removal procedure and protect your computer from future malware infections, consider choosing antivirus software for your computer or use the one recommended by our team.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:

STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS

REMOVE & PROTECT WITH INTEGO

Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7.. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs.

Use INTEGO Antivirus to remove detected threats from your computer.

Read full review here.

STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER

DOWNLOAD RESTORO

RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically.

RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.

Read full review here.

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

VIDAR Trojan Removal Guidelines

Method 1. Enter Safe Mode with Networking

Step 1. Start Windows in Safe Mode with Networking

Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in Safe Mode with Networking, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to start Windows in Safe Mode:

Instructions for Windows XP/Vista/7 users

First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.

Instructions for Windows 8/8.1/10 users

Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.

Step 2. Remove files associated with the virus

Now, you can search for and remove VIDAR Trojan files. It is very hard to identify files and registry keys that belong to the virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. We recommend using SYSTEM MECHANIC ULTIMATE DEFENSE , which can also restore deleted files. Additionally. we recommend repairing virus damage using RESTORO.

Special Offer

DOWNLOAD AND SCAN

Compatibility: Microsoft Windows
See Full Review

RESTORO is a unique PC Repair Tool which comes with an in-built Avira scan engine to detect and remove spyware/malware threats and uses a patented technology to repair virus damage. The software can repair damaged, missing or malfunctioning Windows OS files, corrupted DLLs, and more. The free version offers a scan that detects issues. To fix them, license key for the full software version must be purchased.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically.

Step 1. Boot Windows in Safe Mode with Command Prompt

Instructions for Windows XP/Vista/7 users

Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.

Instructions for Windows 8/8.1/10 users

Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.

Step 2. Start System Restore process

Wait until system loads and command prompt shows up.
Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before the malware infiltration.
Click Yes to begin the system restoration process.

After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

Norbert Webb

Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.