Different FBI Fake Virus Screens

This maybe old news to most but I thought I would share my findings on following the FBI Fake Ransomeware Virus.

First of all I have noticed there are several versions from the following lock screen pictures:

Version 1:



Version 2:



Version 3: Thanks to Narenxp found in post number 5 (http://www.bleepingcomputer.com/forums/topic469935.html/page__view__findpost__p__2853265). I do not have a sample of this one yet



Version 4: This is the picture from the virus removal section here on BC (http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware). I do not have a sample of this one yet





I am still looking for other versions that are out there.

Second of all I have noticed the first version (http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware) only locks the screen if the computer is connected to the internet. Once the internet is disconnected the user is able to see the desktop screen. The second version locks the screen in both normal and safe mode. Version 3 and 4 I do not have a sample yet.


Thrid of all I have noticed that the removal of the first version is very easy to do by following the virus removal link here on BC (http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware). Where as the second version uses several other Trojans and Rootkits to make it very difficult to remove. On both versions I have been able to remove but the second one took more time to remove. Version 3 and 4 I do not have a sample yet.


I am still reverse engineering the samples I have so more will come soon.


I am also aware of a other versions completely different than the ones above but I do not have a sample of it yet. Soon as I can get my hands on the other versions I will post my findings of it here as well.


#1 Edit cause I needed to remove my IP and Hostname from picture of version 2 ~ herg62123
#2 Edit to include a post link that Narenxp posted in post number 5 ~ herg62123
#3 Edit to include a copy of the picture posted in the virus removal section ~ herg62123

@ herg62123 -
Is this just for information purposes, or are you infected with one of these programs ??

If you are having problems please describe them, or I will ask for this to be moved back to Information area -

Thank You -

This is to be informative. I am seeing countless people at my job with the FBI Ransomeware Virus and noticed different version. It is like all the Ransomeware is turning into this type of virus.

Thanks this is a very informative picture. I have not seen this before.

I am also aware of a third version completely different than the ones above but I do not have a sample of it yet. Soon as I can get my hands on the third version I will post my findings of it here as well.

Are you referring to this one

That is actually a forth version. Do you have a sample you can put in a rar of zip file and let me play with it?

I will try to get one and send you.We have restrictions on copying files from remote.

I will try to get one and send you.We have restrictions on copying files from remote.

Please do not get yourself in trouble. It is not worth the risk. I am sure I can get a copy from some where.



EDIT because of a spelling error ~ herg62123

I have found 2 more variants. I was not able to get a sample from the computers I was cleaning due to the user not allowing me permission to get it but I was able to see the screen on their machine and did a look up to find the picture.

These are the new Lock Screens I have come across:

Version 5:



Version 6:





As you are seeing the shift from fake anti virus scanner to FBI Moneypack Virus is the new Ransomeware.

I was wondering why the fake anti virus scanners have slowly disappeared.

Malware writers are constantly altering or copying other versions to look similar, and this is not unusual.
Whenever a solution is found for one version, they try to alter it to look like a new problem -

There are still hundreds of people who do send $200 to the Rogue Infection people, and then still have problems.

You can always send them here or to any reputable online helpers (Spyware Info forum / Malwarebytes forum / etc / etc) for free help and removal -

Malwarebytes forum has many such items currently being removed (like here) with good success rates at helping infected people.
The worse cases are when the person only has one small computer and cannot access internet with a second computer
They are usually the ones that have little idea that help is always available from the many computer help forums that exist today -

I was once one of those people with a single Windows98, and a small infection, that cost $100 to be cleaned by a private company back then - Not these days -
Once I joined MBAM forum and found about these problems, I have never been bothered by any infections that could not be removed
Now I would rather send gringo, etc, or any other helper, a voluntary donation if I am helped on one of these great forums -

Even sUBs (Currently MBAM staffer) gets overlooked for his contribution with Combofix and other tools that help all malware fighters these days -

I seem to have gotten the 1st version of this FBI virus posted here. I ran Combofix and it seems to have corrected most of my problems. I'm running MWB now. Should I download and run the fix mentioned earlier in this thread? It's still running pretty slow and I'm getting this message in my Outlook that there are not enough system resources available to download my email. Any advice would really be appreciated.

Thanks,

Traci

Where I am familiar on how to remove that one, the best thing for me to tell you is to post in the following forum for further help:

http://www.bleepingcomputer.com/forums/forum103.html

@ Avalonjxn,

Since you have run Combofix, please follow the instructions in ==>This Guide<== starting at step 6.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Since you have run ComboFix, please include the ComboFix log in the new topic. Please be sure to include a description of your computer issues and what you have done to try to resolve them.

If you cannot produce any of the other logs, then please create the new topic anyway, include the information that you were unable to produce the other logs and why and include the ComboFix log along with a description of your computer issues.

Orange Blossom

I appear to have version 4 of FBI Monkeypak except that below the KMart RiteAid etc. and Fraud Alert there is a "100% secure site certified by McAfee" statement. Will combofix take care of this version and what are the appropriate instructions? Every time I get close to getting rid of this thing it automatically shuts down my computer even in safe mode when trying to get help on line from IYogi and PC Tools. I am at the point where this is going to cost $300 to drop off at geek squad and get rid of it. So what are the odds. Any suggestions. I downloaded Emisosft emergency and put it on a hard drive and am scanning my wifes computer. Can I put combo box or Emsisoft on a thumb drive and launch and scan teh pc from there. It takes too long to download and update and the trojan will shut the PC down.

Hello gamma1

The best thing for me to offer you is to post some help in the Am I Infected Forum. Doing it this way will be free but as you can see there are a lot of users needing help and it is first come first serve here on BC.


If you are not able to wait for help then other solution is to try local computer repair shops like Mom and Pap Shops, Staples, or Office Depot. If you do this way they will charge you a fee (which varies).


I would like to help but I am not authorized to provide you help with you logs since I am not trained and authorized by Bleeping Computer to provide you with the help you need..