The FBI today warned of Internet-borne malware masquerading as a message from the law enforcement agency that locks computers until the user pays a fine for allegedly downloading and/or distributing illegal content.

“We’re getting inundated with complaints,” Donna Gregory of the Internet Crime Complaint Center (IC3), said in a prepared statement, referring to an uptick in callers complaining that an FBI message froze their computers.

The malicious code is the Reveton virus, used in conjunction with the Citadel malware platform, that first came to the FBI’s attention in 2011. The agency’s IC3 issued an alert in May 2012 to warn consumers of the ransomware, which in some forms even turns on computer webcams to show the victim’s picture on the frozen screen.

When someone visits a compromised Web site, the malware installs and immediately locks down the machine while replacing the monitor screen with a fake FBI warning that the user’s IP address has been linked to child pornography sites or other illegal online activity. The language is one tip-off the message may not be legitimate.

For instance, one screen-captured message cites “Article 1, Section 8, Clause 8, also known as the Copyright of the Criminal Code of United States of America.” It claims this law allows “a fine of two to five hundred minimal wages or a deprivation of liberty for two to eight years.” Another violation of the Criminal Code reportedly allows “deprivation of liberty for four to twelve years” for viewing or distributing “Child Porno/Zoofilia and etc.” Still another results in up to $100,000 in fines and nine years of prison.

The targeted machine will remain inoperable until a fine is paid to the U.S. Department of Justice using a prepaid money card service, according to the bogus message. The vendor for payments depends on the geographic location of the IP address. Users are urged to comply to avoid criminal charges.

“Some people have actually paid the so-called fine,” Gregory said. She added that full removal of Reveton and Citadel likely will require expert assistance.

Those consumers who do manage to unlock their machines, IC3 warns, should remain on alert since the malware may still be present and capturing personal data through a keystroke logger to commit online banking and credit card fraud.

Categories: Malware

Comments (5)

  1. Anonymous

    To clean this virus, simply boot into “safe mode with networking” by holding down F8 on your computer while it is booting. Then run your antivirus program. It will remove most of it. If you don’t have an AV program, run MRT (Malware Removal Tool), which is on most later-model Windows-based machines. This will not remove it all. Then download Malwarebytes and run that. This is not a rootkit but a persistent screen redirector. Finally, perform a complete scan using something like Microsoft’s Security Essentials. These three programs I mention are all free. MRT is on the computer already (make sure you have the latest, as MRT is updated every month).

  2. Anonymous

    Just got struck by the virus. Just exactly like the article describes. I am on hold with my cable company Comcast and they have re-directed me to Norton’s antivirus company.

  3. Anonymous

    Just got hit by a new version.

    But I booted into safe mode and Microsoft Security Essentials is cleaning most of this out.

  4. Dan da Man

    My laptop got struck with that virus. After doing some research with my iPad I followed these steps and it worked.

    1. Disconnect your Internet connection

    2. Restart your PC/laptop

    3. Click Start/ Accessories/System tools/ System Restore

    4. Follow instructions then wait.

    5. Restart your PC/laptop

    6. Run your antivirus program (select the most thorough mode)

    7. Reconnect your Internet connection

    Note that you must have created a Restore point prior to your computer’s virus infection. Mine did the day before it got infected, so I was successful in getting rid of the virus. I hope this will help anyone who goes through this.
