
FBI Porn Scam Virus

What is FBI Porn Scam Virus


The FBI Porn Scam virus is a ransomware attack that displays a false warning message on the user's computer screen, claiming that the PC has been locked and that a $200 fine must be paid immediately for, among other claims, distributing pornographic material online. If the user attempts to close the warning screen, they will quickly realize that it is not going anywhere and that they cannot open any Internet browser or access any other computer program or feature.

The machine is virtually useless, and if it is shut down and restarted the warning message immediately displays again, locking the computer. This happens even if the computer is restarted in safe mode. This really begins to get the user worried, and that is exactly what the hackers want to happen. The message displays a case number as well as a case agent, listed as an official government employee working with the FBI. Little details like this really get the computer user to think. Since there is a chance they may have visited a porn site at some point, they will begin to wonder if this is indeed real. The message states that if the $200 fine is paid then the computer will be unblocked, but if it isn’t then the user will face criminal prosecution. The warning message is designed to drive fear into the user. You can read an excerpt here:

“FBI Online Agent has blocked your computer for security reason
The work of your computer has been suspended on the grounds of unauthorized cyberactivity. Described below are possible violation, you have made.
Article 274 – Copyright
A fine or imprisonment for the term of up to 4 years. (The use or sharing of copyrighted files-movies, software)
Article 183 – Pornography
A fine or imprisonment for the term of up to 2 years (The use or distribution of pornographic files)
Article 184- Pornography involving children (under 18 years)
Imprisonment for the term of up to 15 years (The use or distribution of pornographic files)
Article 104- Promoting Terrorism
Imprisonment for the term of up to 15 years (You have visited websites of terrorist organization)
Article 297 – Neglect computer use, entailing serious consequences
A fine or imprisonment for the term of up to 2 years (Your computer has been infected with a virus, which, in turn, Infected other computers)
In connection with the decision of the Government as of August 12, all of the violations described above could be considered as conditional in case of payment of a fine.
Amount of the fine is $200. Payment must be made within 24 hours after the discovery of the violation. If the fine has not been paid, you will become the subject of criminal prosecution.
After paying the fine your computer will be unblocked”

The FBI Porn Scam virus is fake: the FBI would never block a computer and then demand that a fine be paid with a MoneyPak code, which is a type of prepaid card. When the virus is first installed on the computer it modifies all of the settings to block everything, and the only way to get the computer unblocked is to remove all of the files linked to this virus. Even those who fall victim to this scam and pay the hackers do not get their computer unblocked. The message states that the computer will be unblocked after payment, but that is just a lie. The only way to unblock the PC is to fully remove the FBI Porn Scam virus.

How to Remove FBI Porn Scam Virus

Since this virus digs itself deep in the system and likes to hide in the Windows system folders we suggest that the files linked to the FBI Porn Scam virus be removed manually. This helps to ensure that all of the infected files are removed, since leaving just one behind can do serious damage. We have included complete manual removal instructions below for your convenience.

Terminate the following FBI Porn Scam Virus processes

tpl_0_c.exe
ch810.exe
0_0u_l.exe
[random].exe
jork_0_typ_col.exe
vsdsrv32.exe
Protector-[rnd].exe
Inspector-[rnd].exe

Remove FBI Porn Scam Virus registry entries

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random].exe
HKEY_LOCAL_MACHINE\SOFTWARE\FBI Moneypak Virus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableRegistryTools’ = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system ‘EnableLUA’ = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ‘WarnOnHTTPSToHTTPRedirect’ = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableRegedit’ = 0
HKEY_CURRENT_USER\Software\FBI Moneypak Virus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ‘Inspector’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FBI Moneypak Virus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableTaskMgr’ = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[rnd].exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\UID [rnd]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0

Remove FBI Porn Scam Virus DLL files

%Program Files%\FBI Moneypak Virus
%AppData%\Protector-[rnd].exe
%AppData%\Inspector-[rnd].exe
%AppData%\vsdsrv32.exe
%AppData%\result.db
%AppData%\jork_0_typ_col.exe
%appdata%\[random].exe
%Windows%\system32\[random].exe
%Documents and Settings%\[UserName]\Application Data\[random].exe
%Documents and Settings%\[UserName]\Desktop\[random].lnk
%Documents and Settings%\All Users\Application Data\FBI Moneypak Virus
%CommonStartMenu%\Programs\FBI Moneypak Virus.lnk
%Temp%\0_0u_l.exe
%Temp%\[random].exe
%StartupFolder%\wpbt0.dll
%StartupFolder%\ctfmon.lnk
%StartupFolder%\ch810.exe
%UserProfile%\Desktop\FBI Moneypak Virus.lnk
WARNING.txt
V.class
cconf.txt.enc
tpl_0_c.exe
