Solved

(Please Help) Concerned About FBI-MoneyPak Virus


Hey, so today I logged on to our home computer and a message popped up. It had the FBI, CIA, etc and said that our computer was locked. It was apparently locked due to suspicion of illegal activity. I used my iPod to see if this was indeed a virus and it turns out it was a trojan, I think. That's pretty scary for me because I know trojans are for accessing someone's system and for our computer to have it definitely terrified me. Windows Task Manager was disabled, because of the virus, too. I did a scan with your program and it removed the trojan. Windows Task Manager worked again as well. I would like more information about this certain virus, if you guys have ever heard of it. Also, how exactly could it have been sent to our computer? I would really like to know that. I want to make sure we weren't already hacked. And are we safe from any attackers? The virus is removed, but I'm worried if damage was already done or can still be done with the virus having been there previously. Any advice on how I can prevent this? I'm really not so sure about our computer being safe, because in the past I've also said on these forums that there were programs opening by themselves.
 
One last thing I'd like to mention. A few days before this happened, I was on a Minecraft server....
I got disconnected and I couldn't connect to any other servers. Then a window popped up saying Windows Firewall was concerned about the program. Could this have to do with Java, or possibly lead up to this trojan?
 
Thank you so much for taking the time to read this. I appreciate it.
icon

Best answer by RetiredTripleHelix 5 November 2013, 02:48

View original

24 replies

Userlevel 7
"The FBI infection" has been one of the more common infections lately.  It's unusual to hear that you saw any symptoms of it at all if you're running Webroot.  Perhaps Webroot was disabled when the infection initially made its way onto the machine?  If not, it sounds like the threat was picked up either by heuristics or some really quick determining of the files.

If the symptoms of that infection are gone, most likely so is the infection itself.  That sort of infection is designed to scare you into paying the malware authors to make it go away.  We can always check for you manually if you have lingering doubts.  If you'd like support to do that for you, please open a support case.

Malware can drop onto a machine via all kinds of entry vectors, so it's really hard to say exactly where you contracted this particular threat.  Malware sites tend to spring up and go down in short periods of time, and multiple sites at a time typically host these sort of threats.  It's possible that support might be able to provide more specific information related to your particular case if you open a support case to provide some logs.  It could have been an infected file, an exploit on a website, or numerous other methods of infection.

Probably Minecraft wasn't the entry point.  Windows Firewall can be strict depending on how its configured, and most of the time it's alerting you about normal activity in the same manner UAC will ask about whether or not you are sure you want to run the file you just told Windows you want to run.  That said, keeping your Java up to date is important because it is a common attack vector.
 
(by the way, your post was moved because the "Techie" forum is for non-security-related tech discussions :))
Sorry about that, I haven't understood exactly where to post these kind of things, but I do now.
 
I got the virus a few seconds after I logged onto the computer. After I rebooted the virus didn't pop up again, and I ran Webroot and removed the virus. Another thing I'd like to note is that I wanted to see if any information was stolen since I have heard this certain virus is capable of doing so. I went to 'Recent Places' and nothing was in there. This leads me to believe it was cleared. Depending on the info I've given, do you think our accounts and files are safe?
Userlevel 7
Badge +56
Hello ClassicRock_FTW and Welcome to the Webroot Community Forums.
 
Webroot SecureAnywhere has many Shields to protect your accounts and files but Please follow Jim's advice to Open a Support Case and they can check to make sure the infection is completely gone. 😉 Also have a look at this Video to see how WSA protects your system if it misses a virus.
 
EDIT: To add video.
 
TH

 
 
Userlevel 7
TH is correct. Also, if the virus showed up at the instant you logged on, it was already present from a prior user or prior session and was scheduled to boot up probably via a run key or some other method to launch it when the computer booted.
Userlevel 7
The reason why it popped up right after bootup was due to the fact that the infection drops a file onto your PC which modifes either a Windows run reg entry or created a shell entry in Winlogon. These wont be effected until the PC reboots hence why you got the pop-up on startup.
 
As for any left over files this infection normally only drops a couple files which Webroot will clean up. This FBI infection doesnt normally steal any information from your PC it just tries to get you to enter your credit card information so they can charge money to it.
Userlevel 7
I would be happy to collect some logs and go through them to make sure everything is OK if you want? Generally speaking if you no longer see the pop-up then you are good to go.
Userlevel 7
To add to this discussion, I do not think you have to worry about any system data being stolen. The FBI Moneypak viruses generally are only after monetary payments, by locking the computer and making the victim pay to unlock the computer (although in most cases the system will remained locked).
 
As far as I am aware, this family of visuses do not steal information.
Userlevel 1
FBI Ransomware uses a Java exploit to infect its targets, so IMO it is very likely that the Minecraft server (which uses a Java plug in) is the source. Unfortunately Java still has vulnerabilities, so the only way to be safe is to not use it.
Userlevel 7
Badge +56
Hello railshot and Welcome to the Webroot Community Forums!
 
TH
Userlevel 7
@ wrote:
FBI Ransomware uses a Java exploit to infect its targets, so IMO it is very likely that the Minecraft server (which uses a Java plug in) is the source. Unfortunately Java still has vulnerabilities, so the only way to be safe is to not use it.
Hello railshot and welcome to the Webroot Community!
 
Good comments.  The bad thing about trying to use no Java at all is how many applications require it.  It does make for quite a difficult situation for some.
Userlevel 1
Thank you Triple Helix. Glad to be here. Just bought the WSA Complete and it already found some stuff that MSE, Avast, and Malwarebytes missed.
Userlevel 7
Badge +56
Great to hear we have another happy customer! Have a look at the Video that I posted Here in case WSA does miss a Virus.
 
Enjoy and if you have any questions just let us know!
 
Cheers,
 
TH
Userlevel 1
@DavidP wrote:
Good comments.  The bad thing about trying to use no Java at all is how many applications require it.  It does make for quite a difficult situation for some.
Thank you for the welcome, DavidP.
I agree with your point. I have to use Java myself. There are few things that can make it safer though. For standalone Java apps, make sure you get them from reputable sources (obvious). This will not protect you, however, if you take your legitimate Minecraft standalone app and connect to a rogue server. So in case of the apps that connect to something, make sure you know what they are connecting to.
A browser plug in is a much greater threat just because it's much easier to mistype an address or misclick and end up on some random site. One way to increase security is to install a click to play extension on a browser that supports extensions. I know one exists for Firefox, and I am sure there are some for Chrome and other browsers. What it does is it prevents third party plug-ins from playing until you explicitly click on them. It has an added bonus of preventing random flash videos from playing in some background tab that just loaded.
Today I received the FBI Virus popup unexpectedly. It requested 300 dollars and said my computer was locked. No webcam picture was taken. I immediately went to the task manager  and exited all my browser windows successfully. I then restarted my computer with no problems and performed a webroot scan which displayed 0 threats. Nothing else has happened in the past hour as i have been doing research online for a school assignment. Do you think I am in the clear?  Was this even the real FBI virus as my computer wasn't totally locked like others have reported? No other symptoms other than the initial popup to report at this time.
Userlevel 7
Badge +6
Is it possible the message you got was in a browser window? It may have just been a popup.
Userlevel 7
@ wrote:
Is it possible the message you got was in a browser window? It may have just been a popup.
Or possibly a new variant that intially got through as far as getting up the pop up but was then removed?
Userlevel 1
Check to make sure you have access to your data. The latest variant (Cryptolocker) encrypts your data and makes you pay to get the enkryption key. AFAIK: no antivirus is currently detecting it, it's impossible to decrypt without the keys, and they give you 72 hours to pony up the chash after which time they delete the keys.
Userlevel 7
@ wrote:
Check to make sure you have access to your data. The latest variant (Cryptolocker) encrypts your data and makes you pay to get the enkryption key. AFAIK: no antivirus is currently detecting it, it's impossible to decrypt without the keys, and they give you 72 hours to pony up the chash after which time they delete the keys.
Actually, so far from what Webroot Support has said, it is NOT impossible to recover the files: the rollback feature in Webroot has been shown to be succesful in recovering the data. 
 
MODS: Please correct me if I am wrong 🙂
Userlevel 1
@DavidP1970 wrote:
Actually, so far from what Webroot Support has said, it is NOT impossible to recover the files: the rollback feature in Webroot has been shown to be succesful in recovering the data. 
MODS: Please correct me if I am wrong :)
I did not say it was impossible to recover, just impossible to decrypt 🙂. Ofc any backup should work if there is versioning.
Userlevel 7
Badge +6
@  @  The official word from @  is that WSA will protect you from Cryptolocker. Even if it runs and encrypts files, once WSA detects the virus it will replace all the encrypted files with the original unencrypted ones via WSA's journaling feature. The only blindspot is if you have a mapped drive to a company network share - it will not be able to reverse any encryption done in there.
 
You can see me further elaborate on Cryptolocker and the challenges it poses to traditional antivirus in this thread. I pinged three different Webroot employees and none of them offered any objections.
https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/How-exactly-does-Webroot-allow-you-to-restore-files-encrypted-by/m-p/65147
 
You can find out more about how WSA is different from other antiviruses here (written for business customers)
http://www.webroot.com/shared/pdf/reinventing-antivirus.pdf
 
Userlevel 7
Explanoit:
 
Thank You!!
 
 
( TEAMWORK!)
Userlevel 7
Badge +56
@ wrote:
@  @  The official word from @  is that WSA will protect you from Cryptolocker. Even if it runs and encrypts files, once WSA detects the virus it will replace all the encrypted files with the original unencrypted ones via its journaling feature. The only blindspot is if you have a mapped drive to a company network share - it will not be able to reverse any encryption done in there.
 
You can see me further elaborate on Cryptolocker and the challenges it poses to traditional antivirus in this thread:
https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/How-exactly-does-Webroot-allow-you-to-restore-files-encrypted-by/m-p/65147
 
Also the quote from Joe that you said above: https://community.webroot.com/t5/Ask-the-Experts/Cryptolocker-infection/td-p/57881#.UnhOnOJyUsA
 
TH
Userlevel 7
@ wrote:
@ wrote:
@  @  The official word from @  is that WSA will protect you from Cryptolocker. Even if it runs and encrypts files, once WSA detects the virus it will replace all the encrypted files with the original unencrypted ones via its journaling feature. The only blindspot is if you have a mapped drive to a company network share - it will not be able to reverse any encryption done in there.
 
You can see me further elaborate on Cryptolocker and the challenges it poses to traditional antivirus in this thread:
https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/How-exactly-does-Webroot-allow-you-to-restore-files-encrypted-by/m-p/65147
 
Also the quote from Joe that you said above: https://community.webroot.com/t5/Ask-the-Experts/Cryptolocker-infection/td-p/57881#.UnhOnOJyUsA
 
TH
Ah.. now THERE is the quote I was looking for!  Thanks TH!
 
(TEAMWORK!!)
Userlevel 1
@ wrote:
@  @  The official word from @  is that WSA will protect you from Cryptolocker. Even if it runs and encrypts files, once WSA detects the virus it will replace all the encrypted files with the original unencrypted ones via WSA's journaling feature. The only blindspot is if you have a mapped drive to a company network share - it will not be able to reverse any encryption done in there.
 
You can see me further elaborate on Cryptolocker and the challenges it poses to traditional antivirus in this thread. I pinged three different Webroot employees and none of them offered any objections.
https:///t5/Webroot-SecureAnywhere-Antivirus/How-exactly-does-Webroot-allow-you-to-restore-files-encrypted-by/m-p/65147
 
You can find out more about how WSA is different from other antiviruses here (written for business customers)
http://www.webroot.com/shared/pdf/reinventing-antivirus.pdf
 
Thank you for the explanation and for the links. It's nice to get a bit more insight into how Webroot works.

Reply