Overclock.net › Forums › Software, Programming and Coding › Operating Systems › Windows › How does the FBI Virus work?

How does the FBI Virus work?

post #1 of 6
Thread Starter 
I know how to remove it with ComboFix and all that crap. I am just wanting to know how it works. I have been able to remove other scareware crap from computers by deleting its EXE in the AppData folder, but I was never able to find any file related to it in the user's folder. Is this virus just embedded and hidden in Windows or what?
post #2 of 6
Quote:
Originally Posted by jonespwns

I know how to remove it with ComboFix and all that crap. I am just wanting to know how it works. I have been able to remove other scareware crap from computers by deleting its EXE in the AppData folder, but I was never able to find any file related to it in the user's folder. Is this virus just embedded and hidden in Windows or what?

Different variants load in different places. Most recently, I've been seeing that the program actually opens a command prompt at login, which shows the executable's file path in plain view. I'd say 90% of the infections I see for this load somewhere within the user's profile. Most of the time it's in AppData\Local, but more recently I've seen it just chilling in the Downloads folder. Seemingly random alphanumeric sequence for a name, fairly easy to spot.

The reason most AVs don't touch it is that it isn't technically malicious. I've yet to see one actually futz with system files or user data in any way. It just blocks out explorer.exe and presents a fullscreen window.
    
CPUMotherboardGraphicsRAM
Core i7 970 @ 4.0 GHz 1.22 Vcore Asus Rampage II Gene GTX 260 216SP G.SKILL PI 3x2gb DDR3 1600 @ 7-8-7-24 
Hard DriveOSMonitorPower
2x 500gb Seagates RAID 0, 1x 500gb non-RAID Windows 7 Professional x64 ASUS 24'' VH242H / Spectre 24'' WS Corsair 750TX 
Case
Corsair 300R 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
Core i7 970 @ 4.0 GHz 1.22 Vcore Asus Rampage II Gene GTX 260 216SP G.SKILL PI 3x2gb DDR3 1600 @ 7-8-7-24 
Hard DriveOSMonitorPower
2x 500gb Seagates RAID 0, 1x 500gb non-RAID Windows 7 Professional x64 ASUS 24'' VH242H / Spectre 24'' WS Corsair 750TX 
Case
Corsair 300R 
  hide details  
Reply
post #3 of 6
Thread Starter 
Ok cool, thanks! The computer I'm working on right now has XP on it, and I'm not seeing a Local folder, nor is the file in AppData or Downloads. I thought I would just screw around and see if I could actually find it. I'll just get back to running NPE to actually remove it lol.

EDIT: Norton Power Eraser found the file, and it was a file called SKYPE.DAT. Apparently it is disguising itself as a Skype file?
Edited by jonespwns - 5/30/13 at 11:40am
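The two observations above (post #2: the thing starts at login from AppData\Local or Downloads under a random alphanumeric name; post #3: it turned up as a data file called SKYPE.DAT) describe a persistence pattern that can be triaged without a cleanup tool. The following PowerShell script is an added example written for this thread, not code from any poster or from a vendor tool: it lists the per-user Run/RunOnce keys and the Startup folder, and flags entries that match those observations. The heuristics (the path patterns, the "8+ alphanumeric characters with both letters and digits" test for random-looking names, and the list of loaders) are assumptions chosen for illustration, so treat hits as leads to verify, not verdicts.

```powershell
# Added example, not from the thread: triage per-user autostart entries and
# flag the traits described in the posts above. Heuristics are assumptions.

function Get-UserAutostartEntries {
    $entries = @()

    # Per-user Run / RunOnce keys: the usual home for scareware that starts at login.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip the provider bookkeeping properties Get-ItemProperty adds.
                if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
                $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    }

    # Per-user Startup folder: anything dropped here also runs at login.
    $startup = [Environment]::GetFolderPath('Startup')
    if (Test-Path $startup) {
        Get-ChildItem -Path $startup -File | ForEach-Object {
            $entries += [pscustomobject]@{ Source = $startup; Name = $_.Name; Command = $_.FullName }
        }
    }
    return $entries
}

function Test-SuspiciousAutostart {
    param([string]$Command)
    $reasons = @()

    # First token of the command line, quoted or bare, is taken as the launched file.
    $exe = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    $base = [System.IO.Path]::GetFileNameWithoutExtension($exe)
    $ext  = [System.IO.Path]::GetExtension($exe)

    # Post #2: loads from AppData\Local or Downloads inside the user profile.
    if ($exe -match '(?i)\\AppData\\Local\\' -or $exe -match '(?i)\\Downloads\\') {
        $reasons += 'launches from a user-profile location (AppData\Local or Downloads)'
    }
    # Post #2: random-looking alphanumeric name (assumed test: 8+ chars, letters and digits).
    if ($base -match '^[A-Za-z0-9]{8,}$' -and $base -match '\d' -and $base -match '[A-Za-z]') {
        $reasons += 'random-looking alphanumeric file name'
    }
    # Post #3: a non-executable extension such as .DAT being started directly.
    if ($ext -and $ext -notin '.exe','.lnk') {
        $reasons += "non-executable extension '$ext' being started"
    }
    # Same idea when a loader is used to run a data file (assumed loader list).
    if ($Command -match '(?i)\b(rundll32|cmd\.exe|wscript|cscript)\b' -and $Command -match '(?i)\.(dat|tmp|txt)\b') {
        $reasons += 'loader invoked on a data-file extension'
    }
    return $reasons
}

# Print only the entries that tripped at least one heuristic, with the reasons.
Get-UserAutostartEntries | ForEach-Object {
    $why = Test-SuspiciousAutostart -Command $_.Command
    if ($why.Count -gt 0) {
        [pscustomobject]@{ Source = $_.Source; Name = $_.Name; Command = $_.Command; Why = ($why -join '; ') }
    }
} | Format-List
```

Run it as the affected user (the keys are under HKCU), from a working session such as Safe Mode with Command Prompt, since the lock screen hides the desktop. Anything it flags should be checked by hash or publisher signature before deletion, and the matching Run value removed along with the file so it does not come back at the next login.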
post #4 of 6
Had this too; the only thing that would remove it for me was Malwarebytes.
post #5 of 6
Quote:
Originally Posted by jonespwns

Ok cool, thanks! The computer I'm working on right now has XP on it, and I'm not seeing a Local folder, nor is the file in AppData or Downloads. I thought I would just screw around and see if I could actually find it. I'll just get back to running NPE to actually remove it lol.

EDIT: Norton Power Eraser found the file, and it was a file called SKYPE.DAT. Apparently it is disguising itself as a Skype file?

Could be. Every malware infection is a little different in the way the bug presents itself. That's part of the fun.
    
CPUMotherboardGraphicsRAM
2x intel Xeon E5-2650 Supermicro MBD-X9DR3-F-O Onboard awesomeness 8 x 8GB Kingston DDR3 1333 ECC 
Hard DriveCoolingOSMonitor
4x WD Green 2TB in RAID 10 2x Coolermaster Hyper 212 EVOs Windows Server 2012 Datacenter 3x Dell Ultrasharp U2410s 
PowerCase
Corsair AX1200 Case Labs TX10-D 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
2x intel Xeon E5-2650 Supermicro MBD-X9DR3-F-O Onboard awesomeness 8 x 8GB Kingston DDR3 1333 ECC 
Hard DriveCoolingOSMonitor
4x WD Green 2TB in RAID 10 2x Coolermaster Hyper 212 EVOs Windows Server 2012 Datacenter 3x Dell Ultrasharp U2410s 
PowerCase
Corsair AX1200 Case Labs TX10-D 
  hide details  
Reply
post #6 of 6
Thread Starter 
It's sorta funny 'cause I saw skype.dat and I was like, hmm, that probably isn't it... So now I know straight up: if it's suspicious, delete it. I shoulda known there would be no reason for a random DAT file to be in AppData without a real folder. Especially one called Skype lol