THE FBI LOCKED MY COMPUTER!!!
And they want $200 or else!!!!
Last Tuesday my computer stopped working. I was nearly finished with an article that had taken me nearly five hours to write and polish when WordPad and the web browser disappeared. For a moment all I saw was the desktop with the icons missing. Then the screen went white. A few seconds later a message popped up bearing the official FBI logo, announcing that my computer had been locked because it contained illegally downloaded files. This was followed by my IP address, with the claim that they had used it to trace my computer. Then came instructions stating that there was a $200 fine for illegally downloading copyrighted material, and that if I paid the fine by PayPal or credit card my computer would be unlocked. If I did not pay the fine, the F.B.I. would take further action, including the confiscation of my computer. I had 48 hours to pay, otherwise the F.B.I. would initiate a full criminal case against me leading to imprisonment. This was followed by instructions to take cash to a retail outlet that sold MoneyPaks, buy a $200 account, and submit the account code through a link on the block page.
There was a brief moment when I feared the message was legit, followed almost immediately by doubt, then, on reflection, the realization that it was a hoax. A hoax that locked my computer, but one that could not be from the F.B.I. Within minutes I was able to unblock the computer, something it turns out no one else has been able to do with this current MoneyPak virus. I'll get to how I did that in a moment.
I did not have any pirated material on my computer the day the virus kicked in. There was nothing for the F.B.I. to scan. Sure, I had downloaded the odd file in the past. But I prefer owning the store-bought original of any release, even buying out-of-print copies on eBay at some inflated price rather than burning a pirated download of the same quality. My computer has been clean of anything pirated for more than a year, probably longer. It is possible that some traces of pirated files still exist long after they were deleted, but there is nothing in my registry. Aside from that, I know that it is illegal for the F.B.I. or anyone else to scan my computer without my consent. If the F.B.I. wanted to scan my computer they would need a court order for a search warrant, and would then need to present it to me before performing the scan. And once they had the warrant they would most likely confiscate my computer and scan the entire hard drive rather than do some remote scan.
Another legal issue. The F.B.I. cannot legally hand out fines. They can arrest me, but I would then need to go before a judge, and only after being convicted would I be punished. If the F.B.I. demanded money for an alleged crime, that would be called a bribe, and what they would be doing is extortion. Also, the F.B.I. would never alert a criminal that they knew he had evidence prior to an arrest. Let's say I did have pirated material. Once the F.B.I. informed me through the lockdown screen that they had detected illegal files through a remote scan, I would immediately either scrub or erase the entire hard drive, or remove it and have it destroyed. There goes their evidence. And they would not be accepting fines through MoneyPak. You pay fines at a courthouse, not over the internet.
Realizing this was really some sort of virus, I immediately tried to unblock the computer. Nothing worked. I could not access the taskbar or right-click anything. There was nothing to X out of. The only thing that worked was the physical power button. Once it was pressed the block vanished as the computer shut down. The WordPad program I had been writing in also began to shut down and asked me if I wanted to save, which I did. Once the computer had shut down I restarted it and immediately attempted a restore by hitting F8 during the restart. It turns out this is how past versions of the MoneyPak virus were removed by others who got the infection. Instead I got a blue screen informing me the computer could not enter Safe Mode due to a virus. The programmers of this new virus were one step ahead.
I made a couple of unsuccessful attempts to open Windows and get to System Restore before the block page came on, both times a failure. Another attempt to run ComboFix failed. The virus had erased all the icons from my startup screen. I knew that I could still reach the icons by opening My Computer and then paging up when the window appeared, but I was still unable to get ComboFix running before the block took effect. Knowing the block shut off when the computer was shutting down, I attempted to access System Restore as the computer was shutting down; once again, no luck. It all looked hopeless when I realized something. WordPad.
For those of you reading this article in the library or on a friend's computer, with your PC at home now locked up, here are the steps for unblocking it.
#1 Start the computer.
#2 Immediately after the desktop appears, get to the taskbar.
#3 Click the WordPad icon, or any similar program you have that asks to save unsaved work before it closes.
#4 Once WordPad is open, type anything. Random characters will do.
#5 Wait for the block page to appear.
#6 Press the power button and wait.
#7 One by one the programs will shut down, starting with the virus and eventually reaching WordPad. Text editors have a fail-safe in case you shut the computer down before saving: a dialog pops up with three options, Save, Don't Save, or Cancel. Cancel stops the computer from shutting down. Since the MoneyPak virus launches at startup and has now been closed, hitting Cancel gives you access to your computer again. The virus is still on the disk and will launch again at the next boot, so use this window to back up your files and to find and remove whatever is starting it.
Be warned. This new version of the virus permanently disables your System Restore. It has also done a lot of other damage that currently is not repaired by Windows. McAfee and all the other antivirus services are still stumped as to how to find and remove the virus. Their only solution, System Restore, is no longer an option. You are going to have to back up any files you do not want deleted and then wipe your entire computer and reinstall Windows and everything else. Yep, that means going through a lot of reinstalling of all those updates from Windows Update. You may decide to wait until your antivirus company or Microsoft discovers a way to disinfect the machine and fix the damage. But realize that the hackers who infected your computer have left it vulnerable to any other virus or hacker. And no one is sure whether the virus has other side effects that can do worse damage the longer it remains on your computer.
EDIT: Since writing this article, most if not all of the antivirus services now block and remove the virus. But it is very possible that the hackers who designed it are still one step ahead with a new version that McAfee or the others cannot detect or remove. If you have an antivirus program installed and a MoneyPak virus still gets through, then you know you were hit with a new version. Even if you successfully remove the virus using a rescue disc, there is still no easy program to fix the damage it does, and your computer is still left wide open to other hackers and malware once the virus has taken effect.
Be sure to save the following: your entire My Movies, My Pictures and My Music folders, as well as any files elsewhere in your My Documents folder; your Outlook Express or other local e-mail storage; and your SOL files for any stored video games like Line Rider. If you decide you have nothing worth saving, or have already backed up every file worth keeping, then you may skip this step. But do not forget to make a list of, and write down, every program you have downloaded over the years. Some of them work automatically, so you have probably forgotten about that advanced zip file opener, the Adobe software or those video codecs. You also probably have a bunch of helpful programs that you use from time to time. You want to know the names of those programs if you ever want to download them again. You can't just search for "that program that converted files into different formats" and get Format Factory. You will want to know the name of your favorite conversion program in order to find its download page again.
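Once the WordPad trick (steps #1 to #7 above) has you back on the desktop, the practical next questions are what is launching the lock screen at startup and whether System Restore has really been switched off by policy, as the warning above describes. The script below is an added example, not part of the original article and not any antivirus vendor's tool. It reads a .reg file you produce with reg.exe (for instance `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`, repeated for the other keys named in the code, or one export each of HKLM\SOFTWARE and HKCU\Software) and applies rules that are assumptions, not facts from the article: autorun entries launched from profile or temp directories are flagged, and the stock Windows XP values for the Winlogon Shell and Userinit entries are assumed. The embedded sample export, including the file names wsdef.exe and ms.exe, is constructed for illustration. Copy the export to your backup media and run the script from a clean machine rather than the infected one.

```python
"""Triage a reg.exe export after the WordPad trick gets you back to the desktop.
Added example, not from the original article. Flags Run-key entries launched
from profile or temp directories (a heuristic), Winlogon Shell/Userinit values
that differ from stock Windows XP (assumed defaults), and the DisableSR policy
value. The sample export is constructed; wsdef.exe and ms.exe are hypothetical.
"""
import re
import sys

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SR_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
# Heuristic (assumption): legitimate XP autostarts rarely live under these paths.
SUSPICIOUS_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\", "\\recycler\\")

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareUser.exe\" -n vmusr"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"wsdef"="C:\\Documents and Settings\\Owner\\Application Data\\wsdef.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\ms.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
'''
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def _unescape(s):  # .reg escaping: backslash-quote -> quote, double backslash -> backslash
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text):
    """Parse a .reg export into {key: {name: value}}; strings unescaped, dwords as int."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):   # [HKEY_...] starts a key
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)                           # "name"=value or @=value
        if not m or current is None:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        val = m.group(3)
        if val.startswith('"') and val.endswith('"'):
            val = _unescape(val[1:-1])
        elif val.startswith("dword:"):
            val = int(val[6:], 16)
        reg[current][name] = val                           # hex:, expand: etc. stay raw
    return reg

def exe_path(command):
    """Pull the executable path out of an autorun command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"^(.*?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]

def suspicious_autoruns(reg):
    """(key, name, path) for Run/RunOnce entries launched from odd directories."""
    hits = []
    for key in RUN_KEYS:
        for name, cmd in reg.get(key, {}).items():
            if isinstance(cmd, str):
                path = exe_path(cmd)
                if any(d in path.lower() for d in SUSPICIOUS_DIRS):
                    hits.append((key, name, path))
    return hits

def winlogon_tampered(reg):
    """(value, contents) for Shell/Userinit that differ from the stock XP defaults."""
    wl, problems = reg.get(WINLOGON_KEY, {}), []
    shell = wl.get("Shell", "Explorer.exe")
    if shell.strip().lower() != "explorer.exe":
        problems.append(("Shell", shell))
    userinit = wl.get("Userinit", r"C:\WINDOWS\system32\userinit.exe,")
    if userinit.strip().lower().rstrip(",") != r"c:\windows\system32\userinit.exe":
        problems.append(("Userinit", userinit))
    return problems

def system_restore_disabled(reg):  # True when Group Policy forces System Restore off
    return reg.get(SR_POLICY_KEY, {}).get("DisableSR") == 1

def triage(text):
    reg = parse_reg(text)
    return {"autoruns": suspicious_autoruns(reg), "winlogon": winlogon_tampered(reg),
            "system_restore_disabled": system_restore_disabled(reg)}

if __name__ == "__main__":  # reg.exe writes UTF-16 with a BOM; no argument -> sample
    print(triage(open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT))
```

On the constructed sample this reports the HKCU Run entry under Application Data, a Winlogon Shell value that launches a second executable from Local Settings\Temp after Explorer.exe, and DisableSR set to 1. A hit is a lead, not a verdict: check the flagged file's timestamps and digital signature before deleting it, and remember that a Shell or Userinit entry pointing at a missing file will leave you with no desktop at all if you delete the file without first restoring the value.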
Know Your Virus
There are probably many versions of this virus floating around. Some of you may have the older version, while others have the updated version that disables the fixes of the past. Each one is a timer virus, meaning it activates simultaneously on every computer that has it. And there are variants, so that some activate on one date and others on another. How do I know this? The first thing I did when I realized it was a virus was pull the network cable. If there was any possibility this was a remote-access trojan, I did not want someone going through my computer looking for passwords. When the block screen came on again it displayed an internet error page. That meant the block page was actually a web page, loaded from a remote server, which the virus expanded to cover the entire screen, disabling any way to X it out. Now knowing it was a website, I was able to go through my web history and find it. This is what I found.
I am presenting it as a picture file so that no one reading this article accidentally clicks it. Even though it now appears to have been shut down, there is always the possibility of picking up a virus just by visiting it.
Since my computer was already infected, I decided to revisit the site to make a screen capture. The first time I visited it I got the same F.B.I. page. Not knowing what would happen if I attempted to screen-capture the site, and deciding that backing up my files was more important, I shut down the computer, bought some good-quality blank DVDs the next day, and spent the rest of that night backing up everything. Now that it was safe, I revisited the site and found this:
That is a warning from the German equivalent of the FBI, basically telling some poor slobs in Germany the same thing in their language: that illegal files were found and their computers have been shut down.
This is how I know the virus is timed. The hackers had some sort of delivery system where computers with American IPs got their own specific timer. 48 hours later, computers in another country activated, at which time the hackers had changed the web page to correspond to their language, their police, and their laws. Also, I believe the hackers specifically chose the week (or weeks) of the Olympics, when the news is so dominated by that event that there would be no time for a computer virus story. In other words, the perfect week to go under the radar.
Addresses ending in .su use the top-level domain originally assigned to the Soviet Union, which is still in use and administered from Russia. This is the hackers' home base. In the past few days I have been unable to access the site. This could mean the hackers disabled it, or that the authorities in Russia had it shut down. There is only so long this scam could work before the law caught on.
So who would this scam work on? Most people I contacted said the same thing: they realized it was a hoax after a few minutes. But maybe they were not the intended targets. Instead it would be mom and dad. The family computer gets blocked, and panicky mom and dad suddenly think their kid has done something illegal. Thinking they are keeping their child out of prison, they rush over to the local retailer and send the hackers the $200 MoneyPak account. Their child comes home from his friend's and mom and dad confront him, showing him the web page. But Jr. knows better, and has to convince his parents that they have been tricked out of $200.
There are only two ways to know you have this virus. One is if your computer was locked. The other is if you noticed your System Restore has been disabled. I discovered my System Restore was disabled a week ago, with vital components deleted. I knew then that a virus had done it, and had hoped that the ComboFix scan had found and deleted it. The Olympic MoneyPak virus evaded it. I am going to wipe my computer clean and reinstall Windows XP. That is going to mean a few days of reinstalling Service Pack 3 and every one of the hundreds of updates from 2000 on. But my computer has been suffering from years of damage caused by various viruses, and I am sure there were a few trojans and other pieces of malware that were either evading all the antivirus programs, or had done some sort of damage to the system that removed a component needed for those antivirus programs to work. I have grown sick of it taking a minute for some web pages to load. I am looking forward to my computer loading a web page in a flash again. Going through the trouble of reinstalling everything had been something I put off for years. This new virus has given me a new reason to do what I should have done long ago. Maybe getting my computer locked by a fake FBI was not such a bad thing.