Moneypak Madness - Fighting the Virus/Ransomware
I was asked to fix a computer infected with the FBI Green Dot MoneyPak virus. This is definitely one of the nastiest viruses I've come across as far as its ability to lock out a computer. It seems that my experience was either with a brand new variant of the virus or just atypical from what other people have posted at the time of this writing.
For those that are not familiar with the virus, it displays a full screen warning claiming that the computer has been locked by the FBI for vague infringement of various computer-related crimes, such as child or "zoo" porn. The user is instructed to pay a "fine" by purchasing a $200 (amounts may vary) MoneyPak card at a local convenience store and enter the code.
After reading some guides on the virus I saw that the two primary ways people got around the lockout were to either boot in Safe Mode or to log in as a different user. The startup task used to launch the virus seems to be confined to the profile of the user who was originally infected.
While I found the virus quite clever, I also felt a bit challenged that I couldn't just Alt+F4 or something similar to stop it. The machine I was working on was a client's personal Windows XP machine, so it only had one user account. With the alternate login option eliminated I tried a variety of things to kill the application before resorting to Safe Mode. All of them failed.
I was able to kill or crash the virus a couple of times, but each time it either froze or crashed the rest of the operating system with it. One interesting tactic was to hold Ctrl+Alt+Esc. Normally this brings up Task Manager locked on top of other windows. The virus is smart enough to keep itself on top. However, by repeatedly launching windows I was able to occasionally get some on top. They only stayed on top as long as I held down the keys and kept focus on the window. I was able to kill some processes I suspected, but the virus would respawn and kill the task manager.
After tinkering around for a while I gave up and just booted to Safe Mode. Unfortunately Safe Mode crashed after loading mup.sys. I tried several times, including after running a repair on it, but all variants of Safe Mode would not boot. The fact that normal mode worked without a problem led me to believe the virus has done something to disable Safe Mode. Other experiences say that it’s likely this computer’s safe mode was broken prior to the virus, but I can’t be certain.
Back to the drawing board. Next I tried a utility I had downloaded called rkill. I burned it to a DVD and as soon as the computer logged me in I tried to launch it with the mouse, but I wasn't quite fast enough to get it running before the virus took over. On my second try I hit Win+R and typed e:\rkill.com. That did the trick. Oddly enough rkill ran and kept the focus on top of the virus. The utility found some stuff, but it did not terminate the virus processes, executables, or registry keys. I ran it a couple of times and it never did anything useful.
I finally went to my last resort. I pulled the hard drive out of the computer and hooked it up to my SATA-to-USB converter, and then plugged it in to my laptop (fingers crossed and layered A/V running). I used the online guides to try to locate the files. They claimed I needed to find ctfmon.lnk and some random executables. Unfortunately none of the virus files were where they were reported to be. The virus also did not launch from the Startup group (it used the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run to launch).
I hunted around manually, found and deleted some questionable files before putting the hard drive back in and booting the computer. Fail. The virus was still there and promptly took over again.
I finally took the hard drive back out and did a search for executables that had been modified recently. Paydirt! I cleaned up a whole bunch of executable junk that didn't have digital signatures. I can't be totally sure, but I believe the virus was in three files all with random names (xxxxxxxxxxx.exe) that were modified that day.
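The two offline checks described above (the Run key in the victim's registry, and recently modified executables without a valid digital signature) can be scripted so the triage is repeatable. The following is an added example written for this post, not the author's own tooling: it assumes the victim drive is mounted on the analysis machine as a drive letter held in `$Root` (e.g. `E:\`), that PowerShell is running elevated (loading a hive with `reg.exe` requires it), and PowerShell 4.0 or later for `Get-FileHash`. The function names, the mount name `OfflineHive`, the `Owner` profile folder and the three-day window are all placeholders chosen here.

```powershell
# Added example (not from the original post): offline triage of a mounted victim volume.
# Assumptions: $Root is the mounted drive root (e.g. 'E:\'), the session is elevated,
# and PowerShell 4.0+ is available. Names below are hypothetical.

# 1. Recently modified executables whose Authenticode signature is missing or bad.
function Find-SuspiciousExecutables {
    param(
        [Parameter(Mandatory)] [string] $Root,   # mounted volume root, e.g. 'E:\'
        [int] $Days = 3                           # lookback window on LastWriteTime
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Root -Recurse -Force -Include *.exe, *.dll, *.scr, *.com -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Modified  = $_.LastWriteTime
                SigStatus = $sig.Status                   # Valid, NotSigned, HashMismatch, ...
                Signer    = $sig.SignerCertificate.Subject
                SHA256    = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                Path      = $_.FullName
            }
        } |
        Where-Object { $_.SigStatus -ne 'Valid' } |       # surface unsigned/tampered binaries
        Sort-Object Modified -Descending
}

# 2. Autostart entries from an offline hive: the SOFTWARE hive for the HKLM Run key the
#    post found, or a profile's NTUSER.DAT for the per-user (HKCU) equivalent.
function Get-OfflineRunEntries {
    param(
        [Parameter(Mandatory)] [string] $HivePath,      # e.g. "$Root\Windows\System32\config\software"
        [string] $MountName = 'HKLM\OfflineHive'        # temporary mount point; arbitrary name
    )
    # SOFTWARE hive paths have no 'Software\' prefix; NTUSER.DAT paths do. Test-Path filters.
    $candidates = @(
        'Microsoft\Windows\CurrentVersion\Run',
        'Microsoft\Windows\CurrentVersion\RunOnce',
        'Software\Microsoft\Windows\CurrentVersion\Run',
        'Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $psMount = $MountName -replace '^HKLM\\', 'HKLM:\'
    & reg.exe load $MountName $HivePath | Out-Null
    try {
        foreach ($sub in $candidates) {
            $key = Join-Path $psMount $sub
            if (-not (Test-Path $key)) { continue }
            $item = Get-Item -Path $key
            foreach ($name in $item.GetValueNames()) {
                [pscustomobject]@{ Key = $sub; Name = $name; Command = $item.GetValue($name) }
            }
            $item.Close()                                   # release the handle so the hive unloads
        }
    }
    finally {
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload $MountName | Out-Null
    }
}

# Usage (drive letter and profile folder are placeholders):
$Root = 'E:\'
Find-SuspiciousExecutables -Root $Root -Days 3 | Format-Table -AutoSize
Get-OfflineRunEntries -HivePath (Join-Path $Root 'Windows\System32\config\software')
Get-OfflineRunEntries -HivePath (Join-Path $Root 'Documents and Settings\Owner\NTUSER.DAT')
```

Two caveats when reading the output. Many legitimate Windows binaries are catalog-signed rather than carrying an embedded signature, and the offline volume's catalogs are not installed on the analysis machine, so plenty of genuine system files will report `NotSigned`; the modification window is the real filter, and the signature column only prioritises within it. Conversely, file timestamps are trivial to forge, so absence from this list is not evidence that a file is clean, which is why the Run key listing (and, after cleanup, a full scan as the post later describes) belongs alongside it.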
Once that was done I could log back into the computer, fix the registry, and run some malware cleanup utilities. Hurray! A win for the good guys! Or was it?
Clearly I spent way too much time on this single PC. It would have made much more sense to just wipe it and reinstall, but spite had me in its clutches. Before returning the computer I took a minute to check for antivirus software and noticed that "ESET NOD32" was installed. I wasn't really familiar with that one, but I just left it alone.
And that's where I went wrong. Two months later I got a call from the owner of this same PC letting me know that the virus was back and in control of his computer.
Here we go again.
This time he had a new and improved variant of the same Moneypak virus. This one had the webcam support, so it can threaten to send in pictures of you to the FBI. The ransomware still featured legalese threats in mangled English, but I did notice some refinements to the screen and the virus itself.
This particular version of the virus started sooner. I'm not sure how it was hooked in, but there was no delay between startup and the launch of the virus. There was no chance to login as another user and the task manager was disabled by policy instead of sniping the process as before.
I took a quick look, saw that safe mode still didn't work, and then promptly removed the hard drive. I found some strange executables that were definitely the virus's main run point, removed them, and rebooted.
Mysteriously, the virus came back and replaced the files I deleted. Take two.
This time I ran a scan with AVG's free virus scanner. It first deleted the same files I had deleted previously, then it found deeper problems hidden in the Windows System32 directory. This did the trick, and the battered old machine was humming along just fine.
I got rid of that ESET NOD scanner because though it was running, it clearly missed the boat on the moneypak virus twice. AVG also found at least three other viruses on the machine that this software had missed. I checked quickly to make sure that software had been updating, and it looked like it was up to date. I installed AVG Free and returned the PC... hopefully for the last time.