LM was infected by FBI MoneyPak virus.. Need help! [SOLVED]

Posted: Mon Aug 26, 2013 11:44 am
by amtex
I think that my LinuxMint system was infected by the so-called FBI MoneyPak virus. It happened that I have both Windows XP and LinuxMint on my laptop. So since I don't have any anti-virus program installed on the Linux partition, I thought that I could probably scan the Linux from my WinXP partition. Windows XP works fine so far. What would you recommend? How can I remove the virus? Thanks.

Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h

Posted: Mon Aug 26, 2013 11:52 am
by excollier
Install and run ClamAV in Mint.

Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h

Posted: Mon Aug 26, 2013 12:03 pm
by karlchen
Hello, amtex.

Irrespective of the fact that following excollier's advice to install and run ClamAV is a good idea, I would like to ask one question:

amtex wrote: I think that my LinuxMint system was infected by so called FBI MoneyPak virus.

What are the symptoms that tell you your Mint system has been infected by the FBI MoneyPak virus? Whatever one finds about it on the web all seems to suggest that FBI MoneyPak can only run on Windows systems.

Kind regards,
Karl

Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h

Posted: Mon Aug 26, 2013 12:24 pm
by daveinuk
That was going to be my question too... and how would it possibly have managed to infect anything? Do you run as root normally?

Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h

Posted: Mon Aug 26, 2013 12:29 pm
by amtex
Thanks excollier, I'll see if I can do that.

Hi Karl, while I was browsing the internet the screen was blocked and the "FBI warning page" loaded with the MoneyPak payment option of $300. I researched the internet and found out that this has happened to many other users, but never saw anyone on Linux having this problem either. Interestingly, as I said, I have Win XP on the other partition and it seems to work fine; I scanned it with Avast and it didn't find anything.

I wonder if I could somehow scan the Linux part of the HDD with Avast that I have on Windows part...

Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h

Posted: Mon Aug 26, 2013 12:43 pm
by WharfRat
amtex,

Just to clarify what you just alluded to: are you saying that you have no problems when browsing in XP, but in Linux you get the "FBI warning page"?

In Linux, what browser do you use?

Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h

Posted: Mon Aug 26, 2013 3:30 pm
by amtex
No problem in Win XP. In Linux no problem until I get to the tab with that FBI warning page. As soon as I get there the browser locks. I am using Firefox in Linux.

I tried to install ClamAV using Software Manager but the only one it has is ClamAV for Unix. Is it the one I need?

Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h

Posted: Mon Aug 26, 2013 4:30 pm
by nomko
amtex wrote: No problem in Win XP. In Linux no problem until I get to the tab with that FBI warning page. As soon as I get there the browser locks. I am using Firefox in Linux.

I tried to install Clam Av using Software Manager but the only one it has is Clam Av for Unix. Is it the one I need?

Open a terminal and type the following command:

    sudo apt-get install clamav clamtk

And yes, you need the "Unix version" since Linux is a Unix-like operating system.

I find it really strange that under XP you don't have any problems but with Linux you get problems, since it's a Windows virus...?

Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h

Posted: Mon Aug 26, 2013 4:44 pm
by Reorx
My 2 cents...

FBI MoneyPak sounds like a browser hijacker. As such, it can attack any vulnerable browser.

First, don't log in and use the computer as root.

Second, consider running a Firefox add-on called NoScript.

Third, when you open Firefox, on the menubar click Edit > Preferences > Advanced > Network > Settings. What are your proxy settings? If you don't need a proxy, try "No Proxy" if it is not already selected.

Another approach might be to create another user, log in as that user, use the browser and see what happens (install NoScript first)...

Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h

Posted: Mon Aug 26, 2013 4:52 pm
by WharfRat
amtex,

Close Firefox, then open the terminal and move the .mozilla/ folder to .mozilla.save/, then try the browser again. It will look like a fresh install though.

    mv .mozilla/  .mozilla.save/

Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h

Posted: Mon Aug 26, 2013 5:00 pm
by Reorx
WharfRat wrote: amtex,

Close firefox then open the terminal and move the .mozilla/ folder to .mozilla.save/ then try the browser again. It will look like a fresh install though.

    mv .mozilla/  .mozilla.save/

Faster and easier than my last suggestion of creating another user... NICE move! Why didn't I think of that?!?!? (LOL) :lol:

Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h

Posted: Mon Aug 26, 2013 5:03 pm
by WharfRat
Reorx wrote:
WharfRat wrote: amtex,

Close firefox then open the terminal and move the .mozilla/ folder to .mozilla.save/ then try the browser again. It will look like a fresh install though.

    mv .mozilla/  .mozilla.save/

Faster and easier than my last suggestion of creating another user... NICE move! Why didn't I think of that?!?!? (LOL) :lol:

That's because I thought of it second :lol:

Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h

Posted: Mon Aug 26, 2013 5:12 pm
by karlchen
Hi, amtex.

I partially understand. :)
Even on Mint using Firefox you can visit a webpage that has been manipulated to deliver malware like the FBI MoneyPak ransomware.
As long as you do not boot to Windows and visit the same webpage it is likely that your Windows installation remains clean.
On Mint I would proceed like this:
  • Launch Firefox. Clean the complete browser history including the cache. Tick all offered items in the "recent history delete" dialogue. Make sure you select to delete everything, not just the past few hours or days.
  • Provided Java has been installed on Mint, inside Firefox disable any Java plugin, no matter whether it is an IcedTea plugin or the genuine Oracle Java plugin.
    I assume that the FBI MoneyPak ransomware might be similar to the BKA ransomware that can be found in Germany. (The BKA might be considered the German equivalent of the FBI, sort of.) The BKA ransomware uses a Java browser plugin security vulnerability in order to infect Windows computers. I have not bothered to try and find out whether this vulnerability which is present in the Java browser plugin will allow this kind of ransomware to function partially on Mint as well.
    This is why disabling any Java plugin, in particular if you are still using Java v1.6_something, is highly recommended.
  • Unless you willingly go to the webpage where you met the FBI MoneyPak ransomware, no fake FBI warning should re-appear.
    Provided the assumption about the dependency on a vulnerable Java plugin applies, even a manipulated webpage should not be able to misuse Firefox any longer.
And about the question whether the Windows software Avast can be used to scan the Mint filesystems: no, it cannot. The reason simply is that Windows XP cannot read EXT2, EXT3 or EXT4 filesystems out of the box. You need some third party software to enable Windows XP to do so.

So downloading, installing and using ClamAV (commandline scanner) plus ClamTK (the appropriate GUI for ClamAV), as recommended before, will be the right way for a Mint system. You might also like to use rkhunter (commandline only). All 3 can be got from the Mint/Ubuntu repositories. And in case you experience problems doing so with the help of the Software Manager, you may always resort to the Synaptic package manager.

Kind regards,
Karl
--
[corrected]: addressed the wrong person, foolish me. amtex started this thread.

Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h

Posted: Mon Aug 26, 2013 5:20 pm
by Spearmint2
You can put about:support in the location line and see if there's a reset button there which returns FF to default settings.

Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h

Posted: Tue Aug 27, 2013 3:28 am
by amtex
Thanks guys for all help, it seems that it was just a browser hijacker. Everything seems to work fine now, I hope nothing will show up later. I don't know what of the following has worked for me but I did almost everything recommended here in the order below:

- Opened Firefox
- Cleared cache, cookies and history
- Disabled Java plug-ins
- Changed FF settings to 'no proxy'
- Tried to move .mozilla/ folder to mozilla.save/ as per instruction (I don't know though if it actually moved, since I don't know how to check that)
- Installed ClamAv and ClamTk and scanned the system. No threats were found.

Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h

Posted: Tue Aug 27, 2013 8:47 am
by Reorx
Consider browser add-ons (aka - "an ounce of prevention" :) ) >>>

NoScript - http://noscript.net/

WOT - http://www.mywot.com/en/aboutus

To check to see if the move worked, open your file manager. On the menubar click View > Show hidden files. You should see a folder called .mozilla.save (if the move worked).

The effect of the move is >>> Firefox saves everything (for each user) regarding the browser settings, history, cookies, etc. in a folder called ".mozilla". Firefox creates this folder the first time it is started for any user. If you move this folder to a different location (or rename it) and then open Firefox - Firefox looks for the folder .mozilla and if it doesn't find it, it will create a new one (using the default settings). The good news is that the new profile is not "infected"... the bad news is that the new profile doesn't have any of the bookmarks, useful cookies, history, etc. from the old profile. It's double edged - but it works...

You can also switch back and forth between the new profile and the old profile... to go back, rename .mozilla to .mozilla.new and then rename .mozilla.save to .mozilla - going back to the new profile is the same process in reverse (.mozilla > .mozilla.old then .mozilla.new > .mozilla). I have a tendency to use the extension .old when I rename things (helps me keep track of what's what) so I would call the original profile .mozilla.old. You can rename the folder from the command line (terminal) or through the file manager (GUI) - it's your choice.
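The profile quarantine that WharfRat and Reorx describe, written up as an added example (not posted in the thread) with the two checks a careful user wants: Firefox must be closed before the move, and an existing .mozilla.save must never be overwritten, since it is the only copy of the old bookmarks and cookies. The functions take a home directory argument so they can be tried on a scratch directory first; the `.mozilla.new` name for the swap-back follows Reorx's description.

```shell
#!/bin/sh
# Added example, not from the thread: quarantine a possibly hijacked
# Firefox profile and swap it back, with safety checks.
# Usage: quarantine_profile [HOME_DIR]   restore_profile [HOME_DIR]

firefox_running() {
    # pgrep is part of procps on Mint; treat a missing pgrep as "not running".
    command -v pgrep >/dev/null 2>&1 && pgrep -x firefox >/dev/null 2>&1
}

quarantine_profile() {
    home="${1:-$HOME}"
    live="$home/.mozilla"
    saved="$home/.mozilla.save"
    # Moving the directory while Firefox has it open splits the profile
    # between two locations, so insist on a closed browser first.
    if firefox_running; then
        echo "firefox is still running; close it first" >&2
        return 1
    fi
    [ -d "$live" ] || { echo "no $live to quarantine" >&2; return 1; }
    # Never clobber an earlier backup: pick another name instead.
    if [ -e "$saved" ]; then
        echo "$saved already exists; refusing to overwrite it" >&2
        return 1
    fi
    mv "$live" "$saved" && echo "moved $live to $saved (Firefox will create a fresh profile)"
}

restore_profile() {
    # Reorx's swap-back: fresh profile goes to .mozilla.new, old one returns.
    home="${1:-$HOME}"
    live="$home/.mozilla"
    saved="$home/.mozilla.save"
    fresh="$home/.mozilla.new"
    if firefox_running; then
        echo "firefox is still running; close it first" >&2
        return 1
    fi
    [ -d "$saved" ] || { echo "no $saved to restore" >&2; return 1; }
    [ ! -e "$fresh" ] || { echo "$fresh already exists" >&2; return 1; }
    # The fresh profile only exists if Firefox was started after the move.
    if [ -d "$live" ]; then mv "$live" "$fresh" || return 1; fi
    mv "$saved" "$live" && echo "restored $live from $saved"
}

# Quick check, equivalent to "View > Show hidden files" in the file manager.
quarantine_done() { [ -d "${1:-$HOME}/.mozilla.save" ] && [ ! -e "${1:-$HOME}/.mozilla" ]; }
```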

Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h

Posted: Wed Aug 28, 2013 1:47 am
by amtex
Reorx, it actually moved. There is a .mozilla.save folder in there.
Thanks again.

Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h

Posted: Wed Aug 28, 2013 8:49 am
by Reorx
You're welcome... Enjoy the Mint! :D

P.S.: Don't forget to edit your thread title to include [solved]... :wink:

Re: LM was infected by FBI MoneyPak virus.. Need help! [SOLV

Posted: Thu Aug 29, 2013 11:53 pm
by OzoneDev
The FBI lock on Linux just locks down your browser session so you can't exit, search, change settings etc. If you have your browser set up to not save anything you can just restart your computer.

Re: LM was infected by FBI MoneyPak virus.. Need help! [SOLV

Posted: Fri Aug 30, 2013 11:55 pm
by amtex
OzoneDev wrote: The FBI lock on Linux just locks down your browser session so you can't exit, search, change settings etc.. If you have your browser setup to not save anything you can just restart your computer..

Thanks Ozonedev, will keep that in mind.