The FBI Moneypak virus (a.k.a. FBI virus, FBI Green Dot Moneypak virus, Citadel, Reveton) is a ransomware Trojan that locks up an infected user's computer. The malware is delivered by the Blackhole exploit kit and displays a ransom page that claims to be a legal notice from the U.S. Federal Bureau of Investigation (FBI). It locks the machine, disables Task Manager and Registry Editor, and demands a payment of $100 or $200 through an untraceable money transfer to unlock it. The page claims that the machine has violated copyright and related laws (video, music, software) by illegally using or distributing copyrighted content, that it has been used to view or distribute prohibited pornographic content, and that it is infected with malware. This is yet another example of ransomware and social engineering tactics used against Windows users.
The previous version of this ransomware demanded a payment of $100. The new version of the FBI Moneypak virus demands a payment of $200.
Screenshot from a system infected by fake FBI moneypak virus:
The fraudulent FBI page shows fake claims such as the following:
Attention! Your PC is blocked due to at least one of the reasons specified below:
You have been violating Copyright and related rights Law (Video, Music,Software) and illegally using or distributing copyrighted content, thus infringing Article I, Section 8, clause 8, also known as the Copyright of the Criminal Code of United States of America.
You have been viewing or distributing prohibited pornographic content (Child Pornography/Zoofilia). Thus violating article 202 of the Criminal Code of United States of America. Article 202 of the criminal provides for deprivation of liberty for two or twelve yours.
Illegal access to computer data has been initiated from your PC,or you have been. Article 210 of the Criminal Code provides for a fine of up to $100,000 and/or a deprivation of liberty for four to nine years.
Fines may only be paid within 72 hours after the infringement. As soon as 72 hours elapse, the possibility to pay the fine expires, and a criminal case is initiated against you automatically within the next 72 hours!
Here is another example:
All activity of this computer has been recorded.
If you use a webcam, videos and pictures were saved for identification. You can be clearly identified by resolving your IP address and the associated hostname. Your computer has been locked! Illegally downloaded materials (MP3’s, Movies or Software) have been located on your computer. By downloading, those were reproduced, thereby involving a criminal offense under Section 106 of the Copyright Act.
The downloading of copyrighted material via the Internet or music-sharing networks is illegal and is in accordance with Section 106 of the Copyright Act subject to a fine of imprisonment for a penalty of up to 3 years.
Furthermore, possession of illegally downloaded material is punishable under Section 184 paragraph 3 of the Criminal Code and may also lead to the confiscation of the computer, with which the files were downloaded.
To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $200. Payable through GreenDot Moneypak. After successful payment, your computer will be automatically unlocked. Failure to adhere to this request could involve criminal charges and possible imprisonment. To perform the payment, enter the acquired GreenDot Moneypak code in the designated payment field and press the “Submit” button.
The ransomware instructs victims to pay their “fine” with a MoneyPak card, which can be purchased from well-known U.S. retail chains such as Rite Aid, Walmart, Walgreens, CVS/Pharmacy, Kmart, and 7-Eleven. MoneyPak is a payment system that allows users to “replenish” the card by paying at an approved partner site and then use it to pay other merchants. The MoneyPak company site has a page dedicated to fraud protection tips and includes advice about such scams: https://www.moneypak.com/ProtectYourMoney.aspx
Please disregard the claims made by this virus; the claims and the FBI page are all fake. You are not in trouble with the FBI. Paying the “fine” with MoneyPak cards will not fix your computer.
Remote video recording
The FBI Moneypak virus is capable of remote video recording via the infected computer’s webcam. It launches the fake FBI webpage and shows a video screen that is streamed from the user’s connected webcam, labelled “recording”. If the infected user does not have a webcam, the video screen appears blank but is still labelled “recording”.
FBI Moneypak Virus Infection Symptoms
- Causes the infected PC to lock disallowing access to the desktop and the internet.
- Redirects the infected PC to a fraudulent FBI screen.
- Disables antivirus software and other application and system software.
The threat is delivered via unpatched browser exploits, or via banner ads, pop-ups, other Trojans, and fake codecs. Upon exploiting a victim machine, a malicious DLL is downloaded and executed. This DLL is loaded by rundll32.exe, and an auto-start entry is created in the Startup folder. It uses random names for the DLL and the auto-start entry. Below are example screenshots, where “0_0u_l.exe” is the malicious DLL loaded via rundll32.exe with a call to the export function “FQ10”, and “arg.exe” is the Startup item name. It also modifies Internet Explorer zone-related registry entries and disables protected mode browsing by setting the following registry value to 1: “Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner”
The malicious DLL then launches the “iexplore.exe” process (Internet Explorer) and injects code into it so that the malware executes in the context of a legitimate process. The injected code monitors for the launch of Task Manager or Registry Editor and shuts them down. It also connects to a remote malicious server to download encrypted data and saves it in the victim machine’s “Application Data” folder under a random file name with a “.pad” extension. This .pad file is then decrypted, and its content is used as a new desktop. The current desktop is switched to this new desktop, which is also set to re-load at start-up. This effectively “locks” the desktop so the user cannot perform any operations.
Processes created by FBI Moneypak virus:
The following malicious processes are started:
Registry entries created by FBI Moneypak virus:
The following registry values are created:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegedit” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = [rnd]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “net” = [date of installation]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe “Debugger” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe “Debugger” = svchost.exe
… and numerous other Image File Execution Options entries that block execution of legitimate security software and other executables.
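The registry locations above can be checked from an account that can still open a console (for example, Safe Mode with Networking). The following triage script is an added example and is not part of the original write-up; it only reads the registry and reports which of the listed indicators are present, including any Image File Execution Options “Debugger” value that redirects a program to svchost.exe.

```powershell
# Added triage script, not part of the original write-up: it reads the registry
# locations listed above and reports which FBI Moneypak indicators are present.
# It only reads; review the output before reverting any value.
$hits = New-Object System.Collections.Generic.List[object]

function Test-RegValue {
    # $Expected = $null means "flag if the value exists at all"
    param([string]$Path, [string]$Name, $Expected)
    if (-not (Test-Path -Path $Path)) { return }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $data = $item.$Name
    if ($null -eq $Expected -or $data -eq $Expected) {
        $hits.Add([pscustomobject]@{ Location = "$Path\$Name"; Data = $data })
    }
}

$hkcuPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$hklmPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ieMain  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$inet    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Policy values the article says the malware creates to keep the user away
# from Task Manager and the Registry Editor; unusual on an unmanaged home PC,
# so their mere presence is reported whatever their data.
foreach ($n in 'DisableTaskMgr', 'DisableRegistryTools', 'DisableRegedit') {
    Test-RegValue -Path $hkcuPol -Name $n -Expected $null
}
# UAC switched off (EnableLUA = 0) and prompts suppressed (ConsentPromptBehavior* = 0)
foreach ($n in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser') {
    Test-RegValue -Path $hklmPol -Name $n -Expected 0
}
# IE protected-mode banner disabled (set to 1) and HTTPS-to-HTTP warning disabled (set to 0)
Test-RegValue -Path $ieMain -Name 'NoProtectedModeBanner' -Expected 1
Test-RegValue -Path $inet   -Name 'WarnOnHTTPSToHTTPRedirect' -Expected 0

# Image File Execution Options hijacks: a "Debugger" value naming svchost.exe
# makes Windows start svchost.exe instead of the listed security tool.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
    if ($dbg -and $dbg -match 'svchost\.exe') {
        $hits.Add([pscustomobject]@{ Location = "IFEO\$($key.PSChildName)\Debugger"; Data = $dbg })
    }
}

if ($hits.Count -eq 0) { Write-Output 'No FBI Moneypak registry indicators found.' }
else { $hits | Format-Table -AutoSize }
```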
DLLs registered by FBI Moneypak virus:
The following DLLs are registered:
Files and folders created by FBI Moneypak virus:
The following files and folders are created in the filesystem:
%Program Files%\FBI Moneypak
%Documents and Settings%\[UserName]\Application Data\.exe
%Documents and Settings%\[UserName]\Desktop\.lnk
%Documents and Settings%\All Users\Application Data\FBI Moneypak
Complete manual removal of this rogue application is impossible with any antivirus solution because the FBI Moneypak virus completely prohibits the user from manipulating the computer. For proactive protection against threats like the FBI Moneypak virus, we recommend STOPzilla AVM 2013.
Stopzilla AVM security product detects this threat and its associated components as: Backdoor.Win32.BlackHole, Exploit.Win32.ShellCode, Trojan-Spy.Win32.Banker.fbi
For immediate technical support call 1-855-969-0790. They’ve successfully removed the FBI Moneypak virus from thousands of computers and can guarantee removal.
Removal steps for Advanced Users
If the infected PC has multiple user accounts and you are allowed access to these accounts, and if one such account has administrator privileges, then you can launch an anti-virus or anti-malware program from it to scan for and remove the FBI Moneypak virus.
One can try to deny Flash in order to disrupt the proper functioning of the FBI Moneypak virus. To disable Flash, go to Macromedia support and select ‘Deny’ here: http://www.macromedia.com/support/documentation/en/flashplayer/help/help09.html. This may or may not work, and might give you enough access to run a full system scan with your anti-virus or anti-malware software.
Step-1: Open the Windows Start Menu, enter %appdata% into the search field, then press Enter.
Step-2: Go to “Microsoft\Windows\Start Menu\Programs\Startup”
Step-3: Remove ctfmon.lnk (this is not the same as ctfmon.exe, which is a legitimate system file).
Step-4: Again open the Windows Start Menu, enter %userprofile% into the search field, then press Enter.
Step-5: Go to “Appdata\Local\Temp” and remove “rool0_pk.exe”
Step-6: Also delete “.mof” and “V.class” files.
Step-7: Run a full system scan with an updated version of your anti-virus or anti-malware program to remove any remaining entries related to the FBI Moneypak virus.
If the above steps do not work or are blocked by the malware, then try the following steps:
Step-1: Restart the infected PC and press F8 while it is restarting.
Step-2: Choose safe mode with networking.
Step-3: Launch “MSConfig” by opening the Windows Start Menu and entering “msconfig” in the search field.
Step-4: Disable startup items that launch rundll32 from the Application Data folder.
Step-5: Restart the PC and scan with your updated anti-virus or anti-malware program.
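Steps 2 to 4 above amount to finding the persistence and payload artifacts the write-up describes: a Startup-folder shortcut that launches rundll32 with a DLL from the profile’s Application Data folder, the ctfmon.lnk decoy, and the encrypted “.pad” desktop file. The script below, an added example rather than anything from the original article, enumerates those locations from Safe Mode with Networking and lists the findings without deleting anything; it assumes the per-user Startup folder and %APPDATA% are the locations meant by “Application Data”.

```powershell
# Added example, not from the original article: list the persistence artifacts
# described above (report only; delete after review, then run a full scan).
$startup  = [Environment]::GetFolderPath('Startup')   # per-user Startup folder
$appData  = $env:APPDATA                              # "Application Data" (roaming profile)
$shell    = New-Object -ComObject WScript.Shell       # resolves .lnk targets
$findings = New-Object System.Collections.Generic.List[object]

# Startup shortcuts that run rundll32 with a DLL under the profile, or the ctfmon.lnk decoy
Get-ChildItem -Path $startup -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk     = $shell.CreateShortcut($_.FullName)
    $target  = $lnk.TargetPath
    $lnkArgs = $lnk.Arguments
    # rundll32.exe <dll>,<export> loaded from Application Data is the loader pattern above
    $suspicious = ($target -match 'rundll32(\.exe)?$') -and ($lnkArgs -match 'AppData|Application Data')
    if ($_.Name -ieq 'ctfmon.lnk') { $suspicious = $true }   # named in the removal steps
    if ($suspicious) {
        $findings.Add([pscustomobject]@{ Kind = 'Startup shortcut'; Path = $_.FullName; Detail = "$target $lnkArgs" })
    }
}

# Encrypted desktop payload: random file name with a .pad extension in Application Data
Get-ChildItem -Path $appData -Filter '*.pad' -File -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add([pscustomobject]@{ Kind = '.pad payload'; Path = $_.FullName; Detail = "$($_.Length) bytes" })
}

# Any rundll32 currently running a module from a profile path (the loader, if still active)
Get-CimInstance -ClassName Win32_Process -Filter "Name='rundll32.exe'" |
    Where-Object { $_.CommandLine -match 'AppData|Application Data' } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{ Kind = 'rundll32 process'; Path = "PID $($_.ProcessId)"; Detail = $_.CommandLine })
    }

if ($findings.Count -eq 0) { Write-Output 'No FBI Moneypak persistence artifacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Anything reported under “Startup shortcut” is the item MSConfig step 4 asks you to disable; the process entry tells you whether the loader is still active and should be ended before the files are removed.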