Rob Cheng (Global) - Anatomy of a Virus

The most common virus in the wild is called the Department of Justice Virus. The virus locks your computer and requests a bounty of $300 to unlock it and avoid government prosecution. The stories of those that have been infected are many, and I personally have helped four friends and relatives (including my wife) get rid of this virus. It is polymorphic which means that no modern antivirus software can stop it from executing.

It primarily enters the computer silently through a Java exploit. Once infected, the computer is essentially useless. You can no longer execute any programs and the virus reappears after a reboot. Fortunately, it does not reappear in Safe Mode. The key to remove the virus is to reboot and Hit F8 constantly until you enter into Safe Mode. Once in Safe Mode, then try removing it using a standard AV product. Note: Since the virus is polymorphic, many AV products will not be able to remove it but you need to keep on trying.

Since the system is locked, there is not a way to get a high quality image of the virus. Many have taken camera photos of the virus, but we decided to make a high quality replicate of the virus so all the text is legible. We learned a lot by replicating the virus and hopefully you will too!

The first thing to notice is that the virus uses the actual seal from the Department of Justice. This is a second generation virus. Before the DOJ, the bad guys used the FBI logo. Let's ponder this. It is certainly illegal to use these logos for non-governmental purposes and they are essentially flipping their nose at the government. After all, who would be responsible for finding and punishing these people? That would be the Department of Justice and the FBI.

The DOJ "penalty" is $300. The FBI virus was charging $200 in mid-2012 and I happened to see a DOJ virus late last year for only $250. What is clear is that they are raising their prices and testing the elasticity of their market place.

As a marketing guy, it is stunning how brazen they are. They actually have a little photo of a wallet with money in it. They make no bones of the fact that they want your money! Wow!

The virus carefully details the laws that were broken focusing on child pornography and illegal copyrighted downloads. This is ingenious because most people are embarrassed to have these violations alleged against them even if they are not true. I tried to find these articles and they don't exist. Of course, a victim would struggle to figure this out since they no longer have access to the internet.

Many people assume that the viruses are spread through pornography and illegal download sites. This is not true. The virus writers attack all kinds of web sites that happen to include pornography and download sites.

Here's the big one. Through the same Java exploit, they also have figured out a way to turn on your web cam and display your face on the violation page. You really have to give these guys their props. Most people when carefully considering the facts will not fall for the DOJ virus. Now with your very own face being recorded and displayed on the page, it might be enough to shock enough people into paying the bounty.

We encourage everyone to read every word of the DOJ virus. If you do, you will find that much of the English is not quite right. You understand it but no one would talk or write that way. They are still working out the bumps. It is clear that they are incrementally improving their product and soon the English will be flawless.

As we were doing our research, we discovered another shocking fact. The DOJ virus has been translated into Swedish, German, Italian, French, Spanish and many other languages that I am not able to easily identify. I had assumed that since it has a DOJ logo that it was strictly an American virus. In addition to translating the virus into other languages, they had to change the enforcement agency, the legaleeze, and of course the method of payment.

The virus is global. Our replicate is just a snap shot in time. As I write this, I am sure that they are improving their product. Please look carefully at the replicate so you can get a sense of their methods and motivations so that you can avoid getting caught in their net.


By Rob Cheng,



« David Keane (Global) - PCs Are Dead, Long Live the Tablet


Martin Veitch (Global) - Google, Salesforce, Workday Lead the New Status Quo in Enterprise Software »