[sf-lug] "RANSOM VIRUS" ATACHED TO WEB SITE?

John jstrazza at yahoo.com
Wed Jun 7 19:58:30 PDT 2017 

I wanna know about the pork loin roast!  What time is dinner?

John

Sent from my iPhone

> On Jun 7, 2017, at 7:48 PM, Michael Paoli <Michael.Paoli at cal.berkeley.edu> wrote:
> 
> Hmmm,
> 
> What operating system?
> 
> It says "started the computer" ... and "Ubuntu 16 on my notebook"
> but never sates if "the computer" and "my notebook" are one-in-the-same.
> If it's not Linux, else-list may be more useful.
> If it's BSD or Unix, buug.org might be useful.
> 
> If it's Linux (or Unix or BSD) I'd be curious about details of the
> infection vector and how out-of-date the software was on the
> computer, or what other actions made it possible to (presumably)
> become infected.  Others may also be rather interested in such.
> Good forensics analysis may be useful/informative.
> 
> Of course, note also lots of web sites will pop up fake threat stuff.
> I sometimes find it slightly amusing to have some cr*p site pop up
> some "warning" about "my computer" that is 100% irrelevant to my
> Linux based operating system.
> 
> Also not mentioned is what version of the start page, and what it
> was configured to use for searching.  Also not clear from the description
> if the (presumed) infection occurred after clicking link in search
> results, or may have occurred before that, and timing of indicators
> of infection may have been more or closer to coincidental.
> 
> Also not mentioned is networking - e.g. *direct* Internet connection,
> or through NAT/SNAT (and with possible hardware and/or software
> router/firewall), or ... well, it does say "internet ethernet cable",
> but isn't more specific on that.
> 
> Hopefully, if it's Linux, we'll hear some more relevant details,
> and the issue will get resolved, and perhaps many may learn something
> from it.
> 
> Good that you reported it to FBI and gave 'em the number that you
> got.
> 
> Do be aware, "800" (toll free) numbers, the customer generally
> gets ANI with that - so if one calls such a number, there's no
> way to block your calling number.  (I'm a bit curious to call
> the number and see what I might determine - but with a toll-free
> number, I'd probably place call from that endangered species
> known as a public pay phone).
> 
> Sounds like at minimum it's "drive by" (web pop-up) scam,
> but if it actually altered/damaged/removed/encrypted any files
> (notably without consent, etc.), then it's likely something
> more serious - and presumably involved some type of exploit
> or trickery.
> 
> http://www.catb.org/esr/faqs/smart-questions.html
> 
>> From: Mikki <mikkimc at earthlink.net>
>> Subject: [sf-lug] "RANSOM VIRUS"  ATACHED TO WEB SITE?
>> Date: Wed, 7 Jun 2017 17:22:18 -0700 (GMT-07:00)
> 
>> HI, ALL;
>> 
>> Today early I started the computer, moved immediately to Firefox, started Startpage, and typed in :  "pork loin roast."  I selected the item at the top of the list, and immediately got a frozen screen and computer, with vocal over-ride saying that this was a program that froze my computer, 'because someone had illegally used my isp and such to access a site of viruses."  The screen box said that I could get the computer unfrozen by calling a certain number (1-866-217-8944.)
>> 
>> I called the number of a friend who is more versed in computers than I, and he said it was the ransom virus common in Europe, but seemed rare in US,and on Linux distros.  I have Ubuntu 16 on my notebook.  I asked him to call Bobbie and sak her to call me, when he got back home.
>> 
>> I then called the number given in the site, and they said they could unfreeze my computer for $199.  I declined, and disconnected the computer from the internet ethernet cable, and turned the machine off with the manual button.
>> 
>> Bobbie called a while later, and said that there is a filecalled clam.av, or clamav, or something like that which I haven't yet found, which searches and deletes Windows type viruses.
>> 
>> When I re-actvated the machine, most of what I had on the desktop and in the document file, (on the Desktop) were gone.  Fortunately, I frequently back up to an external hard drive, so it has not been a total disaster.
>> 
>> I called the FBI 1-415-553-7400, ignored the website for internet crime, and reported it several selections later.  The agent or clerk said that this is becoming quite a problem, and that I had handled it correctly, not paying and de  -activating my machine.  They will investigate the number I was given.
>> 
>> I have since retrieved the older Desktop/documents file, and recovered the needed fines for rebuilding the files i could.
> 
> 
> _______________________________________________
> sf-lug mailing list
> sf-lug at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/sf-lug
> Information about SF-LUG is at http://www.sf-lug.org/<br>
> Related Information <br>
> http://www.shallowsky.com/blog/<br>
> http://explainshell.com/ <br>

More information about the sf-lug mailing list