
Different FBI Fake Virus Screens


17 replies to this topic

#1 herg62123
  • Members
  • 553 posts
  • Gender:Male
  • Location:Montgomery, AL

Posted 26 September 2012 - 09:04 PM

This may be old news to most, but I thought I would share my findings on the FBI Fake Ransomware Virus.

First of all I have noticed there are several versions from the following lock screen pictures:

Version 1:

[lock screen image]

Version 2:

[lock screen image]

Version 3: Thanks to Narenxp, found in post number 5 (http://www.bleepingcomputer.com/forums/topic469935.html/page__view__findpost__p__2853265). I do not have a sample of this one yet.

[lock screen image]

Version 4: This is the picture from the virus removal section here on BC (http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware). I do not have a sample of this one yet.

[lock screen image]



I am still looking for other versions that are out there.

Second of all, I have noticed the first version (http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware) only locks the screen if the computer is connected to the internet. Once the internet is disconnected the user is able to see the desktop screen. The second version locks the screen in both normal and safe mode. Versions 3 and 4 I do not have samples of yet.


Third of all, I have noticed that the removal of the first version is very easy to do by following the virus removal link here on BC (http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware), whereas the second version uses several other Trojans and rootkits to make it very difficult to remove. I have been able to remove both versions, but the second one took more time to remove. Versions 3 and 4 I do not have samples of yet.


I am still reverse engineering the samples I have so more will come soon.


I am also aware of other versions completely different from the ones above, but I do not have samples of them yet. As soon as I can get my hands on the other versions I will post my findings on them here as well.


#1 Edit because I needed to remove my IP and hostname from the picture of version 2 ~ herg62123
#2 Edit to include a post link that Narenxp posted in post number 5 ~ herg62123
#3 Edit to include a copy of the picture posted in the virus removal section ~ herg62123

Edited by herg62123, 27 September 2012 - 08:48 PM.
Moved to AV forum. ~ OB



#2 noknojon
  • Members
  • 10,329 posts
  • Gender:Not Telling
  • Location:On the water

Posted 27 September 2012 - 12:42 AM

@ herg62123 -
Is this just for information purposes, or are you infected with one of these programs?

If you are having problems please describe them, or I will ask for this to be moved back to Information area -

Thank You -





#3 herg62123
  • Members
  • 553 posts
  • Gender:Male
  • Location:Montgomery, AL

Posted 27 September 2012 - 01:10 AM

This is to be informative. I am seeing countless people at my job with the FBI Ransomware Virus and noticed different versions. It is like all the ransomware is turning into this type of virus.

#4 Romeo29
  • BC Advisor
  • 3,184 posts
  • Gender:Not Telling
  • Location:127.0.0.1

Posted 27 September 2012 - 05:17 AM

Thanks this is a very informative picture. I have not seen this before.

#5 narenxp
  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 27 September 2012 - 01:55 PM

I am also aware of a third version completely different than the ones above but I do not have a sample of it yet. Soon as I can get my hands on the third version I will post my findings of it here as well.


Are you referring to this one?

[lock screen image]

#6 herg62123
  • Members
  • 553 posts
  • Gender:Male
  • Location:Montgomery, AL

Posted 27 September 2012 - 05:15 PM

That is actually a fourth version. Do you have a sample you can put in a rar or zip file and let me play with it?

#7 narenxp
  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 27 September 2012 - 06:38 PM

I will try to get one and send it to you. We have restrictions on copying files from remote.

#8 herg62123
  • Members
  • 553 posts
  • Gender:Male
  • Location:Montgomery, AL

Posted 27 September 2012 - 06:57 PM

I will try to get one and send it to you. We have restrictions on copying files from remote.



Please do not get yourself in trouble. It is not worth the risk. I am sure I can get a copy from some where.



EDIT because of a spelling error ~ herg62123

Edited by herg62123, 27 September 2012 - 07:25 PM.


#9 herg62123
  • Members
  • 553 posts
  • Gender:Male
  • Location:Montgomery, AL

Posted 28 September 2012 - 05:18 PM

I have found 2 more variants. I was not able to get a sample from the computers I was cleaning because the user did not give me permission to get it, but I was able to see the screen on their machine and did a lookup to find the picture.

These are the new Lock Screens I have come across:

Version 5:

[lock screen image]

Version 6:

[lock screen image]



As you are seeing, the shift from fake anti-virus scanners to the FBI Moneypak Virus is the new ransomware.

I was wondering why the fake anti-virus scanners have slowly disappeared.

Edited by herg62123, 28 September 2012 - 05:20 PM.


#10 noknojon
  • Members
  • 10,329 posts
  • Gender:Not Telling
  • Location:On the water

Posted 28 September 2012 - 06:25 PM

Malware writers are constantly altering or copying other versions to look similar, and this is not unusual.
Whenever a solution is found for one version, they try to alter it to look like a new problem -

There are still hundreds of people who send $200 to the rogue infection people, and then still have problems.

You can always send them here or to any reputable online helpers (Spyware Info forum / Malwarebytes forum / etc / etc) for free help and removal -

Malwarebytes forum has many such items currently being removed (like here) with good success rates at helping infected people.
The worst cases are when the person only has one small computer and cannot access the internet with a second computer.
They are usually the ones that have little idea that help is always available from the many computer help forums that exist today -

I was once one of those people, with a single Windows 98 machine and a small infection that cost $100 to be cleaned by a private company back then - Not these days -
Once I joined the MBAM forum and found out about these problems, I have never been bothered by any infections that could not be removed :)
Now I would rather send gringo, etc, or any other helper, a voluntary donation if I am helped on one of these great forums -

Even sUBs (Currently MBAM staffer) gets overlooked for his contribution with Combofix and other tools that help all malware fighters these days -

#11 Avalonjxn
  • Members
  • 3 posts
  • Gender:Female

Posted 29 September 2012 - 03:26 PM

I seem to have gotten the 1st version of this FBI virus posted here. I ran Combofix and it seems to have corrected most of my problems. I'm running MWB now. Should I download and run the fix mentioned earlier in this thread? It's still running pretty slow and I'm getting this message in my Outlook that there are not enough system resources available to download my email. Any advice would really be appreciated.

Thanks,

Traci

#12 herg62123
  • Members
  • 553 posts
  • Gender:Male
  • Location:Montgomery, AL

Posted 29 September 2012 - 04:57 PM

While I am familiar with how to remove that one, the best thing for me to tell you is to post in the following forum for further help:

http://www.bleepingcomputer.com/forums/forum103.html

Edited by herg62123, 29 September 2012 - 04:57 PM.


#13 Orange Blossom
  • Moderator
  • 33,610 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 29 September 2012 - 08:36 PM

@ Avalonjxn,

Since you have run Combofix, please follow the instructions in ==>This Guide<== starting at step 6.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Since you have run ComboFix, please include the ComboFix log in the new topic. Please be sure to include a description of your computer issues and what you have done to try to resolve them.

If you cannot produce any of the other logs, then please create the new topic anyway, include the information that you were unable to produce the other logs and why and include the ComboFix log along with a description of your computer issues.

Orange Blossom :cherry:


#14 gamma1
  • Members
  • 3 posts

Posted 30 September 2012 - 05:59 AM

I appear to have version 4 of FBI Monkeypak, except that below the KMart, RiteAid etc. and Fraud Alert there is a "100% secure site certified by McAfee" statement. Will Combofix take care of this version, and what are the appropriate instructions? Every time I get close to getting rid of this thing it automatically shuts down my computer, even in safe mode, when trying to get help online from iYogi and PC Tools. I am at the point where this is going to cost $300 to drop off at Geek Squad and get rid of it. So what are the odds? Any suggestions? I downloaded Emsisoft Emergency, put it on a hard drive, and am scanning my wife's computer. Can I put Combofix or Emsisoft on a thumb drive and launch and scan the PC from there? It takes too long to download and update, and the trojan will shut the PC down.

#15 herg62123
  • Members
  • 553 posts
  • Gender:Male
  • Location:Montgomery, AL

Posted 30 September 2012 - 02:06 PM

Hello gamma1

The best thing for me to offer you is to post for help in the Am I Infected forum. Doing it this way will be free, but as you can see there are a lot of users needing help and it is first come, first served here on BC.


If you are not able to wait for help, then the other solution is to try local computer repair shops like Mom and Pop shops, Staples, or Office Depot. If you go this way they will charge you a fee (which varies).


I would like to help, but I am not authorized to provide you help with your logs since I am not trained and authorized by Bleeping Computer to provide you with the help you need.



