Thirtyseven4 Antivirus | AntiMalware | AntiRootkit | AntiSpyware

September 27, 2012

FBI Moneypak (FBI Virus) Explained

What is the “FBI virus”?

The “FBI virus” is a form of ransomware that locks computer systems; Thirtyseven4 Antivirus identifies it as ‘FBI Moneypak’ [other vendor names include Citadel, Reveton]. FBI Moneypak alleges that the infected computer’s user has been involved in illegal activity (downloading and/or distributing copyrighted material, viewing child pornography, etc.) and demands that a penalty of $100 or $200 be paid with Moneypak cards within an allotted 72 hours to unlock the system. It also falsely states that the user will face jail time and prosecution by the FBI if the fine is not paid in time.

An example screenshot is shown below:

[Screenshot of the FBI Moneypak lock screen]

* Additional screenshots are located at the bottom of this page


What is Ransomware?

Ransomware is malicious software that restricts access to a computer until a ransom is paid. In this case, the payment is demanded in the form of Moneypak cards.


Is ransomware a new technique used by cybercriminals?

No. Ransomware has been around for a long time. In fact, last month our virus team highlighted the growing threat of fake FBI notices in the United States; analysis of those threats showed that most of them resulted in ransomware being installed. However, within recent days the number of variants of this scam appears to have increased drastically.


How is a user infected with FBI Moneypak?

FBI Moneypak enters a machine when a user visits a malicious [compromised] drive-by download page. Once the malware enters the system, a page is displayed that states the machine is locked down by the FBI for various reasons.


What problems can FBI Moneypak cause?

- Users are likely to experience slower systems and noticeable instability

- It can terminate antivirus, antispyware and other types of related security software

- Freezing or locking of the entire computer system

- May obtain login names, personal information, passwords and other confidential information without user knowledge or consent

- Disclosure of personal information

- Encrypts the user’s personal documents and deletes the original files

- Hides files required to properly remove the malware

- Demands a ransom via a message on the screen


Is it possible to manually remove FBI Moneypak?

Yes, Thirtyseven4 recommends the following steps to properly remove FBI Moneypak.

STEP 1: Restart your computer

STEP 2: Press F8 immediately after the system restarts, before the Windows logo screen appears. You will now see the ‘Windows Advanced Boot Options’ menu.

STEP 3: Use the UP arrow key to navigate to “Safe mode with command prompt” and press the Enter key.


STEP 4: Now type “explorer.exe” in the command prompt window and press the Enter key.

 
STEP 5: Find the following files in the “Startup” or “Application Data” folder (‘User’ stands for your Windows user name):
 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ctfmon.lnk
 C:\Documents and Settings\User\Application Data\msconfig.dat
 C:\Documents and Settings\User\Application Data\msconfig.ini

STEP 6: Delete whichever of ‘Ctfmon.lnk’, ‘msconfig.dat’ or ‘msconfig.ini’ you find.


STEP 7: Reboot the system again, this time in Normal Mode. After the system restarts run a full system scan with your current antivirus solution to remove any other remaining files.

If your current antivirus solution doesn’t find any of the remaining traces, we suggest that you temporarily uninstall your existing solution and install a trial license of Thirtyseven4 Antivirus.

Following the steps above will help you remove this malware from your machine and protect you from the FBI Moneypak virus.
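As an added example that is not part of this article or of Thirtyseven4’s product, the script below automates the file check from Steps 5 and 6: it walks every user profile under the Windows XP profile root named above, reports the three persistence files if present, and moves them into a quarantine folder rather than deleting them, so the files stay available for analysis or restore. The profile root, the quarantine folder and the sample profile tree (‘Alice’, ‘Bob’) are assumptions chosen so the logic can be exercised offline; on a real machine you would point it at C:\Documents and Settings.

```python
# Added example (not Thirtyseven4's code): triage helper for the FBI Moneypak
# persistence files named in Steps 5 and 6. Assumes the Windows XP profile
# layout from the article; the profile root and quarantine folder are
# parameters so the logic can be run offline against a constructed tree.
import shutil
import tempfile
from pathlib import Path

# Startup shortcut, relative to the profile root (All Users profile).
ALL_USERS_INDICATORS = [
    Path("All Users") / "Start Menu" / "Programs" / "Startup" / "Ctfmon.lnk",
]
# Per-user files, relative to each user's own profile folder.
PER_PROFILE_INDICATORS = [
    Path("Application Data") / "msconfig.dat",
    Path("Application Data") / "msconfig.ini",
]


def find_indicators(profiles_root):
    """Return every indicator file present under profiles_root, as Paths."""
    root = Path(profiles_root)
    hits = [root / rel for rel in ALL_USERS_INDICATORS if (root / rel).is_file()]
    for profile in root.iterdir():
        if not profile.is_dir() or profile.name == "All Users":
            continue
        hits.extend(profile / rel for rel in PER_PROFILE_INDICATORS
                    if (profile / rel).is_file())
    return hits


def quarantine(hits, profiles_root, quarantine_dir):
    """Move each hit into quarantine_dir, preserving its path relative to the
    profile root: the file leaves its startup location (Step 6) but is kept
    for analysis or restore. Returns the destination paths."""
    root = Path(profiles_root)
    moved = []
    for hit in hits:
        dest = Path(quarantine_dir) / hit.relative_to(root)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(hit), str(dest))
        moved.append(dest)
    return moved


def build_sample_tree(base):
    """Constructed sample profile tree for offline testing; the files hold
    placeholder text, not malware. 'Alice' carries the persistence files,
    'Bob' only a benign file that must not be flagged."""
    base = Path(base)
    for rel in [
        "All Users/Start Menu/Programs/Startup/Ctfmon.lnk",
        "Alice/Application Data/msconfig.dat",
        "Alice/Application Data/msconfig.ini",
        "Bob/Application Data/settings.ini",
    ]:
        path = base / Path(rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed placeholder content\n")
    return base


def demo():
    """Scan the constructed tree, quarantine the hits, and re-scan."""
    work = Path(tempfile.mkdtemp())
    root = build_sample_tree(work / "Documents and Settings")
    hits = find_indicators(root)
    moved = quarantine(hits, root, work / "quarantine")
    return {
        "found": sorted(h.relative_to(root).as_posix() for h in hits),
        "quarantined": sorted(m.relative_to(work / "quarantine").as_posix()
                              for m in moved),
        "remaining": len(find_indicators(root)),   # expected 0 after quarantine
        "all_kept": all(m.is_file() for m in moved),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The benign settings.ini under ‘Bob’ is never touched, which is the point of matching exact file names in exact locations instead of deleting whole folders; after quarantine a second scan of the profile root returns nothing, which is the check to run before rebooting into Normal Mode in Step 7.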

Thirtyseven4 Antivirus users are fully updated to protect against such a threat.


Screenshots of variations of the FBI Scam:

[Four screenshots of FBI scam lock-screen variants]
