LM was infected by FBI MoneyPak virus.. Need help! [SOLVED]

amtex
Joined: Mon Aug 26, 2013 11:21 am


Post by amtex »

I think that my Linux Mint system was infected by the so-called FBI MoneyPak virus. It happened that I have both Windows XP and Linux Mint on my laptop. So, since I don't have any anti-virus program installed on the Linux partition, I thought that I could probably scan Linux from my Windows XP partition. Windows XP works fine so far. What would you recommend? How can I remove the virus? Thanks.
excollier
Joined: Mon Oct 01, 2012 3:31 pm
Location: Donegal, Ireland


Post by excollier »

Install and run ClamAV in Mint.
karlchen
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany


Post by karlchen »

Hello, amtex.

Irrespective of the fact that following excollier's advice to install and run ClamAV is a good idea, I would like to ask one question:
amtex wrote: I think that my Linux Mint system was infected by the so-called FBI MoneyPak virus.
What are the symptoms that tell you your Mint system has been infected by the FBI MoneyPak virus? Whatever one finds about it on the web seems to suggest that FBI MoneyPak can only run on Windows systems.

Kind regards,
Karl
daveinuk
Joined: Tue Mar 23, 2010 7:52 pm
Location: Manchester, England.


Post by daveinuk »

That was going to be my question too... and how would it possibly have managed to infect anything? Do you run as root normally?
amtex
Joined: Mon Aug 26, 2013 11:21 am


Post by amtex »

Thanks excollier, I'll see if I can do that.

Hi Karl, while I was browsing the internet the screen was blocked and the "FBI warning page" loaded with the MoneyPak payment option of $300. I researched the internet and found out that this thing happened to many other users, but I never saw anyone with Linux having this problem. Interestingly, as I said, I have Win XP on the other partition and it seems to work fine; I scanned it with Avast and it didn't find anything.

I wonder if I could somehow scan the Linux part of the HDD with the Avast that I have on the Windows part...
WharfRat
Joined: Thu Apr 07, 2011 8:15 pm


Post by WharfRat »

amtex,

Just to clarify what you just alluded to: are you saying that you have no problems when browsing in XP, but in Linux you get the "FBI warning page"?

In Linux, what browser do you use?
amtex
Joined: Mon Aug 26, 2013 11:21 am


Post by amtex »

No problem in Win XP. In Linux, no problem until I get to the tab with that FBI warning page. As soon as I get there, the browser locks. I am using Firefox in Linux.

I tried to install ClamAV using Software Manager, but the only one it has is ClamAV for Unix. Is it the one I need?
nomko


Post by nomko »

amtex wrote:No problem in Win XP. In Linux no problem until I get to the tab with that FBI warning page. As soon as I get there the browser locks. I am using Firefox in Linux.

I tried to install Clam Av using Software Manager but the only one it has is Clam Av for Unix. Is it the one I need?
Open a terminal and type the following command:

Code:

sudo apt-get install clamav clamtk

And yes, you need the "Unix version", since Linux is a Unix-like operating system.

I find it really strange that under XP you don't have any problems but with Linux you get problems, since it's a Windows virus...
Reorx
Joined: Tue Jul 07, 2009 7:14 pm
Location: SE Florida, USA


Post by Reorx »

My 2 cents...

FBI MoneyPak sounds like a browser hijacker. As such, it can attack any vulnerable browser.

First, don't log in and use computer as root.

Second, consider running a Firefox add-on called NoScript.

Third, when you open Firefox, on the menubar click Edit > Preferences > Advanced > Network > Settings. What are your proxy settings? If you don't need a proxy, try "No Proxy" if it is not already selected.

Another approach might be to create another user, log in as that user, use the browser and see what happens (install NoScript first)...
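The proxy and Java-plugin checks Reorx describes can also be done from a terminal, which is handy when the browser itself is the thing you do not trust. The functions below are an added example, not code from Reorx or from this thread. They assume Firefox's usual Linux profile layout: one directory per profile under HOMEDIR/.mozilla/firefox/ holding a prefs.js made of user_pref("name", value); lines, and NPAPI plugins linked from a plugins directory (HOMEDIR/.mozilla/plugins, or the distribution's /usr/lib/mozilla/plugins). HOMEDIR and the plugin directory are parameters, so the report can be run against a copy of a profile first; the sample prefs.js used to try it is constructed, not taken from any real machine.

```shell
#!/bin/sh
# Added example, not from the thread: inspect a Firefox profile for the two
# things discussed above, the proxy setting and a Java plugin.
# Assumed layout: HOMEDIR/.mozilla/firefox/<profile>/prefs.js with
#   user_pref("name", value);
# lines, and Java NPAPI plugins as libnpjp2.so (Oracle) or IcedTeaPlugin.so
# (IcedTea-Web) inside a plugins directory.

# proxy_type PREFS: print network.proxy.type from a prefs.js, or "unset" when
# the pref is absent (prefs.js only records values changed from the default).
proxy_type() {
    v=$(sed -nE 's/^user_pref\("network\.proxy\.type", *([0-9]+)\);.*/\1/p' "$1" 2>/dev/null)
    echo "${v:-unset}"
}

# proxy_label N: the meaning of the network.proxy.type values Firefox uses.
proxy_label() {
    case "$1" in
        0) echo "No proxy" ;;
        1) echo "Manual proxy configuration" ;;
        2) echo "Automatic proxy configuration URL" ;;
        4) echo "Auto-detect proxy settings for this network" ;;
        5) echo "Use system proxy settings" ;;
        unset) echo "not in prefs.js, Firefox's built-in default applies" ;;
        *) echo "unknown value" ;;
    esac
}

# manual_proxy_hosts PREFS: print manually configured proxy hosts as kind=host,
# so an unexpected proxy (the classic hijacker trick) stands out.
manual_proxy_hosts() {
    sed -nE 's/^user_pref\("network\.proxy\.(http|ssl|ftp|socks)", *"([^"]*)"\);.*/\1=\2/p' "$1" 2>/dev/null
    return 0
}

# java_plugins PLUGINDIR: list the Java NPAPI plugin files found there.
java_plugins() {
    for f in "$1"/libnpjp2.so "$1"/IcedTeaPlugin.so; do
        [ -e "$f" ] && echo "$f"
    done
    return 0
}

# audit_profiles HOMEDIR PLUGINDIR: one report line per profile, then plugins.
audit_profiles() {
    for p in "$1"/.mozilla/firefox/*/prefs.js; do
        [ -f "$p" ] || continue
        t=$(proxy_type "$p")
        echo "$(dirname "$p"): network.proxy.type=$t ($(proxy_label "$t"))"
        manual_proxy_hosts "$p" | sed 's/^/    /'
    done
    jp=$(java_plugins "$2")
    if [ -n "$jp" ]; then
        echo "Java plugin present, disable it in Firefox's Add-ons manager:"
        echo "$jp" | sed 's/^/    /'
    else
        echo "no Java plugin in $2"
    fi
}

# Typical call on a Mint box (the second argument may also be
# /usr/lib/mozilla/plugins for distribution-installed plugins):
#   audit_profiles "$HOME" "$HOME/.mozilla/plugins"
```

A proxy type of 1 with a host you did not configure, or any Java plugin file at all on a machine that does not need Java in the browser, is what to look for; the report deliberately reads prefs.js instead of asking Firefox, so it works even while the browser is locked.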
WharfRat
Joined: Thu Apr 07, 2011 8:15 pm


Post by WharfRat »

amtex,

Close Firefox, then open the terminal and move the .mozilla/ folder to .mozilla.save/, then try the browser again. It will look like a fresh install though.

Code:

# Firefox must be closed; ~ makes this work from any current directory
mv ~/.mozilla ~/.mozilla.save
Reorx
Joined: Tue Jul 07, 2009 7:14 pm
Location: SE Florida, USA


Post by Reorx »

WharfRat wrote: amtex,

Close Firefox, then open the terminal and move the .mozilla/ folder to .mozilla.save/, then try the browser again. It will look like a fresh install though.

Code:

mv ~/.mozilla ~/.mozilla.save

Faster and easier than my last suggestion of creating another user... NICE move! Why didn't I think of that?!?!? (LOL)
WharfRat
Joined: Thu Apr 07, 2011 8:15 pm


Post by WharfRat »

Reorx wrote: Faster and easier than my last suggestion of creating another user... NICE move! Why didn't I think of that?!?!? (LOL)

That's because I thought of it second.
karlchen
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany


Post by karlchen »

Hi, amtex.

I partially understand. :)
Even on Mint using Firefox you can visit a webpage that has been manipulated to deliver malware like the FBI MoneyPak ransomware.
As long as you do not boot to Windows and visit the same webpage it is likely that your Windows installation remains clean.
On Mint I would proceed like this:
  • Launch Firefox. Clear the complete browser history including the cache. Tick all offered items in the "recent history delete" dialogue. Make sure you select to delete everything, not just the past few hours or days.
  • Provided Java has been installed on Mint, inside Firefox disable any Java plugin, no matter whether it is an IcedTea plugin or the genuine Oracle Java plugin.
    I assume that the FBI MoneyPak ransomware might be similar to the BKA ransomware that can be found in Germany. (The BKA might be considered the German equivalent of the FBI, sort of.) The BKA ransomware uses a Java browser plugin security vulnerability in order to infect Windows computers. I have not bothered to try and find out whether this vulnerability in the Java browser plugin will allow this kind of ransomware to function partially on Mint as well.
    This is why disabling any Java plugin, in particular if you are still using Java v1.6_something, is highly recommended.
  • Unless you willingly go to the webpage where you met the FBI MoneyPak ransomware, no fake FBI warning should re-appear.
    Provided the assumption about the dependency on a vulnerable Java plugin applies, even a manipulated webpage should not be able to misuse Firefox any longer.
And about the question whether the Windows software Avast can be used to scan the Mint filesystems: no, it cannot. The reason simply is that Windows XP cannot read EXT2, EXT3 or EXT4 filesystems out of the box. You need some third-party software to enable Windows XP to do so.

So downloading, installing and using ClamAV (command-line scanner) plus ClamTk (the appropriate GUI for ClamAV), as recommended before, will be the right way for a Mint system. You might also like to use rkhunter (command-line only). All three can be got from the Mint/Ubuntu repositories. And in case you experience problems doing so with the help of the Software Manager, you may always resort to the Synaptic package manager.

Kind regards,
Karl
--
[corrected]: addressed the wrong person, foolish me. amtex started this thread.
Spearmint2
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA


Post by Spearmint2 »

You can put about:support in the location bar and see if there's a reset button there which returns FF to default settings.
amtex
Joined: Mon Aug 26, 2013 11:21 am


Post by amtex »

Thanks guys for all the help, it seems that it was just a browser hijacker. Everything seems to work fine now, I hope nothing will show up later. I don't know which of the following worked for me, but I did almost everything recommended here, in the order below:

- Opened Firefox
- Cleared cache, cookies and history
- Disabled Java plug-ins
- Changed FF settings to 'no proxy'
- Tried to move the .mozilla/ folder to .mozilla.save/ as per instructions (I don't know though if it actually moved, since I don't know how to check that)
- Installed ClamAV and ClamTk and scanned the system. No threats were found.
Reorx
Joined: Tue Jul 07, 2009 7:14 pm
Location: SE Florida, USA


Post by Reorx »

Consider browser add-ons (aka - "an ounce of prevention" :) ) >>>

NoScript - http://noscript.net/

WOT - http://www.mywot.com/en/aboutus

To check to see if the move worked, open your file manager. On the menubar click View > Show hidden files. You should see a folder called .mozilla.save (if the move worked).

The effect of the move is >>> Firefox saves everything (for each user) regarding the browser settings, history, cookies, etc. in a folder called ".mozilla". Firefox creates this folder the first time it is started for any user. If you move this folder to a different location (or rename it) and then open Firefox - Firefox looks for the folder .mozilla and if it doesn't find it, it will create a new one (using the default settings). The good news is that the new profile is not "infected"... the bad news is that the new profile doesn't have any of the bookmarks, useful cookies, history, etc. from the old profile. It's double edged - but it works...

You can also switch back and forth between the new profile and the old profile... to go back, rename .mozilla to .mozilla.new and then rename .mozilla.save to .mozilla - going back to the new profile is the same process in reverse (.mozilla > .mozilla.old then .mozilla.new > .mozilla). I have a tendency to use the extension .old when I rename things (helps me keep track of what's what) so I would call the original profile .mozilla.old. You can rename the folder from the command line (terminal) or through the file manager (GUI) - it's your choice.
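WharfRat's one-line mv and Reorx's description of swapping the old and new profiles back and forth are easy to get wrong by hand (moving the folder while Firefox still has it open, or losing track of which copy is which). The functions below are an added example, not code from WharfRat, Reorx or this thread. They assume the profile lives at HOMEDIR/.mozilla, Firefox's default on Linux, that Firefox keeps its session-restore data in sessionstore.js or sessionstore.jsonlz4 and the sessionstore-backups/ directory inside each profile, and that a running browser shows up to pgrep as a process named firefox. HOMEDIR is a parameter so everything can be tried on a scratch directory first. The less drastic clear_sessions variant goes with OzoneDev's point later in the thread that the lock lives in the browser session: it discards only the saved session, which is what brings the locked tab back after a restart, and keeps bookmarks, passwords and preferences.

```shell
#!/bin/sh
# Added example, not code from the thread. Profile-reset helpers for Firefox
# on Linux. Assumptions: profile at HOMEDIR/.mozilla, session-restore files
# named sessionstore.js / sessionstore.jsonlz4 plus sessionstore-backups/,
# and a firefox process visible to pgrep.

# ff_running: succeed (exit 0) when a firefox process is running.
ff_running() {
    pgrep -x firefox >/dev/null 2>&1
}

# reset_profile HOMEDIR: move HOMEDIR/.mozilla to HOMEDIR/.mozilla.save.<stamp>
# and print the backup path. Refuses to touch a profile Firefox still has open.
reset_profile() {
    src="$1/.mozilla"
    if [ ! -d "$src" ]; then
        echo "no profile directory at $src" >&2
        return 1
    fi
    if ff_running; then
        echo "close Firefox before moving its profile" >&2
        return 2
    fi
    dst="$src.save.$(date +%Y%m%d-%H%M%S)"
    mv "$src" "$dst" || return 3
    echo "$dst"
}

# restore_profile HOMEDIR BACKUP: put a saved profile back. Whatever Firefox
# created in the meantime is kept as HOMEDIR/.mozilla.new.<stamp>.
restore_profile() {
    cur="$1/.mozilla"
    if ff_running; then
        echo "close Firefox before moving its profile" >&2
        return 2
    fi
    [ -d "$2" ] || { echo "no backup at $2" >&2; return 1; }
    if [ -d "$cur" ]; then
        mv "$cur" "$cur.new.$(date +%Y%m%d-%H%M%S)" || return 3
    fi
    mv "$2" "$cur"
}

# clear_sessions HOMEDIR: delete only the session-restore data from every
# profile under HOMEDIR/.mozilla/firefox, keeping bookmarks, passwords and
# preferences. Prints each profile directory it cleaned.
clear_sessions() {
    if ff_running; then
        echo "close Firefox before editing its profile" >&2
        return 2
    fi
    for prof in "$1"/.mozilla/firefox/*/; do
        [ -d "$prof" ] || continue
        rm -f "$prof"sessionstore.js "$prof"sessionstore.jsonlz4
        rm -rf "$prof"sessionstore-backups
        echo "$prof"
    done
    return 0
}

# list_profiles HOMEDIR: terminal equivalent of "show hidden files" in the
# file manager, to confirm which .mozilla* directories now exist.
list_profiles() {
    ls -d "$1"/.mozilla* 2>/dev/null
}

# Typical use on the real account:
#   backup=$(reset_profile "$HOME")   # then start Firefox, which builds a fresh profile
#   restore_profile "$HOME" "$backup" # to go back to the old profile later
```

The timestamp suffix means repeated resets never overwrite an earlier backup, and the pgrep check is there because moving the directory under a running Firefox leaves the browser writing into the old location while the new one is half-created.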
amtex
Joined: Mon Aug 26, 2013 11:21 am


Post by amtex »

Reorx, it actually moved. There is a .mozilla.save folder in there.
Thanks again.
Reorx
Joined: Tue Jul 07, 2009 7:14 pm
Location: SE Florida, USA


Post by Reorx »

You're welcome... Enjoy the Mint!

P.S.: Don't forget to edit your thread title to include [solved]...
OzoneDev
Joined: Thu Aug 29, 2013 11:37 pm


Post by OzoneDev »

The FBI lock on Linux just locks down your browser session so you can't exit, search, change settings, etc. If you have your browser set up to not save anything, you can just restart your computer.
amtex
Joined: Mon Aug 26, 2013 11:21 am


Post by amtex »

OzoneDev wrote: The FBI lock on Linux just locks down your browser session so you can't exit, search, change settings, etc. If you have your browser set up to not save anything, you can just restart your computer.

Thanks OzoneDev, will keep that in mind.