The Anatomy of a Virus

The most common virus in the wild is called the Department of Justice Virus. The virus locks your computer and requests a bounty of $300 to unlock it and avoid government prosecution. The stories of infection are many, and I personally have helped 4 friends and relatives (including my wife) get rid of this virus. It is polymorphic, which means that no modern antivirus software can stop it from executing. It primarily enters the computer silently through a Java exploit.

Once infected, the computer is essentially useless. You can no longer execute any programs, and the virus reappears after a reboot. Fortunately, it does not reappear in Safe Mode. The key to removing the virus is to reboot and press F8 repeatedly until you enter Safe Mode. Once in Safe Mode, try removing it with a standard AV product. Note: since the virus is polymorphic, many AV products will not be able to remove it, but you need to keep trying.
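Added example, not code from the original article: a PowerShell listing (assumes PowerShell 3.0 or later) to run from Safe Mode that enumerates the autostart entries a normal logon processes, the Run/RunOnce keys and the Startup folders, and flags any that launch from user-writable locations such as Temp, AppData or Downloads. It assumes the lock screen is relaunched by such an entry, which fits its returning after a reboot but not in Safe Mode.

```powershell
# Added example, not code from the original post. Run from a Safe Mode PowerShell prompt.
# Assumption: the lock screen is relaunched at a normal logon by an autostart entry,
# which is why it returns after a reboot but stays quiet in Safe Mode.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Folders a legitimate installer rarely uses for an autostart binary.
$suspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads")

function Test-SuspectPath {
    param([string]$Command)
    foreach ($root in $suspectRoots) {
        if ($root -and $Command -like "*$root*") { return $true }
    }
    return $false
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the provider metadata (PSPath, PSParentPath, ...) that Get-ItemProperty adds.
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $cmd = [string]$prop.Value
        $findings += [pscustomobject]@{
            Location = $key; Name = $prop.Name; Command = $cmd; Suspect = (Test-SuspectPath $cmd)
        }
    }
}

# Anything in a Startup folder runs at every normal logon; resolve .lnk shortcuts to their target.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($file in Get-ChildItem -Path $dir -File) {
        $target = $file.FullName
        if ($file.Extension -eq '.lnk') { $target = $shell.CreateShortcut($file.FullName).TargetPath }
        $findings += [pscustomobject]@{
            Location = $dir; Name = $file.Name; Command = $target; Suspect = (Test-SuspectPath $target)
        }
    }
}

# Suspect entries first; review those before deleting anything.
$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

The listing only reports; removing a flagged entry and its target file is a manual step, and an AV scan afterwards is still needed to catch whatever else the infection dropped.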

Since the system is locked, there is no way to get a high quality image of the virus. Many have taken camera photos of the virus, but we decided to make a high quality replica of the virus so all the text is legible. We learned a lot by replicating the virus and hopefully you will too!

[Image: Replication of the DOJ virus. Click to see full resolution.]

The first thing to notice is that the virus uses the actual seal of the Department of Justice. This is a second generation virus. Before the DOJ, the bad guys used the FBI logo. Let’s ponder this. It is certainly illegal to use these logos for non-governmental purposes, and they are essentially thumbing their nose at the government. After all, who would be responsible for finding and punishing these people? That would be the Department of Justice and the FBI.

The DOJ “penalty” is $300. The FBI virus was charging $200 in mid 2012, and I happened to see a DOJ virus late last year for only $250. What is clear is that they are raising their prices and testing the elasticity of their marketplace.

As a marketing guy, I find it stunning how brazen they are. They actually have a little photo of a wallet with money in it. They make no bones about the fact that they want your money! Wow!

The virus carefully details the laws that were supposedly broken, focusing on child pornography and illegal downloads of copyrighted material. This is ingenious because most people are embarrassed to have these violations alleged against them even if they are not true. I tried to find the cited articles of law and they don’t exist. Of course, a victim would struggle to figure this out since they no longer have access to the internet.

Many people assume that the virus is spread through pornography and illegal download sites. This is not true. The virus writers attack all kinds of websites, which happen to include pornography and download sites. We’ll have another article on how the virus writers can infect a perfectly innocent website.

Here’s the big one. Through the same Java exploit, they have also figured out a way to turn on your webcam and display your face on the violation page. As a marketing guy myself, I really have to give these guys their props. Most people, when carefully considering the facts, will not fall for the DOJ virus. Now, with your very own face being recorded and displayed on the page, it might be enough to shock enough people into paying the bounty.

We encourage everyone to read every word of the DOJ virus. If you do, you will find that much of the English is not quite right. You understand it, but no one would talk or write that way. They are still working out the bumps. It is clear that they are incrementally improving their product, and soon the English will be flawless.

As we were doing our research, we discovered another shocking fact. The DOJ virus has been translated into Swedish, German, Italian, French, Spanish and many other languages that I am not able to easily identify. I had assumed that since it has a DOJ logo it was strictly an American virus. In addition to translating the virus into other languages, they had to change the enforcement agency, the legalese, and of course the method of payment.

The virus is global. Our replica is just a snapshot in time. As I write this, I am sure that they are improving their product. Please look carefully at the replica so you can get a sense of their methods and motivations and avoid getting caught in their net.


31 thoughts on “The Anatomy of a Virus”

  1. Had to remove it from a couple of customers’ PCs. Lots of fun: no safe mode, no system restore. Connecting it as a second drive gave the only access.

  2. I appreciate that Pit Stop reports on these Viruses but sometimes wonder what constitutes the underlying level of expertise by many of the authors of these articles.

    I also find SO many solutions (googled or otherwise) are just marketing attempts for some AV vendor.

    This particular virus DID initially throw me for a loop. My solution was to boot into an alternative OS on the same hardware and nuke a startup file.

    Simple enough solution, but no easy ones I found when booting into the infected OS. Safe Mode avails nothing.

  3. I just tried to clean this out without taking out the hard drive, but I couldn’t figure out a way. So using a SATA to USB cable, I ran Malwarebytes Antimalware on the drive from my laptop. It found and cleaned several trojans. I downloaded MBAM, CCleaner, and an antivirus program. I was then able to boot from the original computer and complete the cleaning.

    This is one of the tougher infections I’ve dealt with. Yikes! And I’m not holding my breath for this trend to get any better.

    Good luck!

  4. I don't understand. Since they use the DOJ logo, which is fraudulent, and there is a pay point, it should be child's play for the DOJ, CIA, FBI or Interpol to get at these guys.

  5. My husband got this virus and it was present even in Safe mode. There is a virus product called Hitman Pro, you make a thumb drive after downloading the product for free and it will take the virus down should you become infected.

  6. This was the first virus that ever hit me personally in 50 years. I was baffled how it got in. I phoned the police here in Victoria BC. They were not interested in the extortion attempt and said they were swamped with reports. They offered no help on removal. I defanged it by booting to safe mode, then using Ace to remove its startup hook. I refrained from running any AV because of the threat to reformat. From there MS Security Essentials removed it. MS had a report on it that covered everything except how it got in. The crooks gave so many clues to their identity, they should have been easy to catch and shut down the virus. I have not heard anything about their prosecution.

  7. I do use pcmatic, but only when essentially needed. Although a great product, it still, after 3 years, maintains my graphics driver is good when an update was released a year ago. So on Nvidia updates, pcmatic fails.

  8. I had this. I went into safe mode, turned off restore options, downloaded rkill and mbam from a thumb drive. Ran rkill, then mbam; it wiped the crap out of it. I restarted my laptop and bang, back to normal. I did however run rkill and mbam in normal mode. Then I ran CCleaner, both reg fix and wipe. No problems at all. Decided to buy ZoneAlarm Extreme, and my precious XPS is running better than ever.

  9. ' Note: Since the virus is polymorphic, many AV products will not be able to remove it but you need to keep on trying.' It would be more than useful to tell us all which 'AV products' do work.

  10. I cleaned it from someone's machine, but Safe Mode had been disabled (got a blue screen of death when trying to get to Safe Mode), I had to connect the hard drive to another computer via USB, and run Avast, MalwareBytes, and ComboFix.

  11. I had this virus last week, but it also prompted in safe mode, with and without internet connection. I don’t know how that’s possible, but it did. I only got it removed by formatting my whole PC.

    • @Frank Bax:

      If you can find FDISK with the newer format, not FAT32, you can remove all the tags on the HDs and format with NTFS. Reinstall all apps and hope you are not struck again. The reason for FDISK is it removes all the tags left on the HD in spite of format, and the re-installation of the destructive Dept of ? again over and over again.
      Good luck.

  12. I just cleaned this infection. I reverse engineered the IP to an ISP in Gdansk, Poland! I even identified the company sending the crap. They are brazen, this is the first I have been able to trace… I found the core files in user files and manually removed them. Then I cleaned the beast…

  13. Instead of saying that ‘no modern anti virus software can stop it from executing’ why don’t you list the AV companies that do know about it and have protection against it? Sophos Endpoint has provided protection against it since Jan 15, 2013.
    Fear mongering isn’t going to help the people reading your blog. Pointing out reputable companies that can protect against it would be much better.

    • @J Molenaar:
      I had just run Microsoft Security Essentials hours before the attack. When it attacks, apparently the beast does not sit around waiting to spread like a traditional virus. Further, it does not piggyback on a download as is traditional, so it can slip under the radar of continuous virus monitoring too.

      I have never seen anything like the success of this virus. The crooks could have done much better in wording the threats, but they successfully panicked causing people not to read carefully.

      The best defence is loading the latest Java 1.7.0_13 which has patched the security hole it exploited.

    • @J Molenaar: A very good comment. Also, why isn’t pcmatic stopping, or perhaps I should say curing, the virus? Why isn’t this article speaking about the importance of having a known clean system backup or system image, such as factory recovery disks?

  14. I got an earlier version while using Avast + ThreatFire. Machine locked even on cold start, but recovered on Lenovo factory reboot. Of course had to reload all apps. Now using AVG + ThreatFire, no problems for 4 months, but remain wary. Thanks for a great article.

  15. Since the bad guys are still under the impression that this is possible, profitable, and worth the risk, how about we start considering SPAM and other similar malware/virus activities as domestic terrorism, punishable accordingly?
