
Mozilla Firefox, Orkut, YouTube banned on your computer?


Today I went to a cyber cafe for some work. I could not find Firefox, so I installed it, well, sort of tried to, but the thing went haywire. A message box appeared out of nowhere and started to scream that I was not allowed to run Mozilla Firefox.


Exact text was "USE INTERNET EXPLORER YOU DOPE,I DNT HATE MOZILLA BUT USE IE `r OR ELSE..."


It would not close even when I tried to. So I fired up Process Explorer and noticed two processes named svchost.exe. The legitimate svchost.exe does not run like that (it runs as a service under the SYSTEM, Network Service or Local Service accounts, not under the logged-in user), so I killed both processes and Firefox installed like butter. I found it quite funny, so I decided to investigate the subject at home. On reaching home I disabled my NOD32 antivirus and then plugged in my pen drive; sure enough there was a hidden file named MicrosoftPowerPoint.exe and an autorun.inf on it.


I was about to deliberately infect my computer with this malware. I don't have any important files whose loss would kill me if the computer crashed. Don't try to infect yourself just because I did.

When I double-clicked MicrosoftPowerPoint.exe it immediately changed to svchost.exe. Aha, these were the ones I killed back at the cyber cafe. Let's see what else they do.


It creates a folder named MicrosoftPowerPoint in the %temp% folder. The folder contained six files, namely:

2.mp3
drivelist.txt
Install.txt
Icon.ico
pathlist.txt
svchost.exe


It also created a folder named heap41a on the C drive. This folder had the following files:

drivelist.txt
2.mp3
Icon.ico
script1.txt
reproduce.txt
std.txt
svchost.exe

and a folder named offspring containing the files:

autorun.inf
MicrosoftPowerPoint.exe


What does it do?


It runs in the background as two svchost.exe processes using about 2.2 MB of your memory. You can see them in action in Task Manager, where they show up as user-initiated svchost.exe processes (owned by your own account rather than by SYSTEM, Network Service or Local Service). It scans for removable drives to reproduce. It changes three registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\status
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue

The first two make its svchost.exe start at logon; the third disables the "Show hidden files and folders" option so its hidden files stay out of sight.


When one tries to run Firefox it displays an error message saying "USE INTERNET EXPLORER YOU DOPE,I DNT HATE MOZILLA BUT USE IE `r OR ELSE..." with an evil laugh and then terminates Firefox.

Also, when you try to open YouTube or Orkut it says "ORKUT/youtube IS BANNED,Orkut/youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!", with the same evil laugh, and closes Internet Explorer.


Now the steps to get rid of it (Solution).



1) Open Task Manager or Process Explorer.

2) Click the Processes tab in Task Manager.

3) Look under Image Name for svchost.exe entries whose User Name is your own user account, and not the ones with SYSTEM/Network Service/Local Service as User Name, and terminate those 2 processes.

4) If step 3 does not work for you, download Process Explorer, unzip and open it, and look for the pair of svchost.exe processes with AutoHotKey in the Description column (the pink ones in the picture).
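The check in steps 1 to 4 boils down to "svchost.exe that is not owned by a service account". Here is that check as a small Python script (an added example, not part of the original post or of the malware): it parses the CSV that `tasklist /v /fo csv` prints on Windows and lists every svchost.exe whose owner is not SYSTEM, Network Service or Local Service. The `SAMPLE_TASKLIST` text is constructed to mirror the situation described above, with two svchost.exe processes owned by the logged-in user; the machine name `CAFE-PC` and the PIDs are made up.

```python
"""Flag svchost.exe instances that are not running as a service account.

Added example, not from the post. Parses `tasklist /v /fo csv` output;
SAMPLE_TASKLIST below is constructed, not a capture from a real machine.
"""
import csv
import io
import subprocess
import sys

# Accounts that genuine service-host svchost.exe instances run under,
# spelled the way tasklist prints them (Task Manager shows them without the domain).
SERVICE_ACCOUNTS = {
    r"NT AUTHORITY\SYSTEM",
    r"NT AUTHORITY\NETWORK SERVICE",
    r"NT AUTHORITY\LOCAL SERVICE",
}

# Constructed sample of `tasklist /v /fo csv` output: three legitimate service
# hosts, two svchost.exe owned by the user (the pair the post describes), and explorer.exe.
SAMPLE_TASKLIST = (
    '"Image Name","PID","Session Name","Session#","Mem Usage","Status",'
    '"User Name","CPU Time","Window Title"\n'
    '"svchost.exe","860","Console","0","4,936 K","Running","NT AUTHORITY\\SYSTEM","0:00:01","N/A"\n'
    '"svchost.exe","1032","Console","0","3,212 K","Running","NT AUTHORITY\\NETWORK SERVICE","0:00:00","N/A"\n'
    '"svchost.exe","1124","Console","0","4,100 K","Running","NT AUTHORITY\\LOCAL SERVICE","0:00:00","N/A"\n'
    '"svchost.exe","2540","Console","0","2,244 K","Running","CAFE-PC\\user","0:00:03","N/A"\n'
    '"svchost.exe","2552","Console","0","2,260 K","Running","CAFE-PC\\user","0:00:02","N/A"\n'
    '"explorer.exe","1500","Console","0","18,400 K","Running","CAFE-PC\\user","0:00:10","N/A"\n'
)


def suspicious_svchost(tasklist_csv):
    """Return [(pid, user)] for svchost.exe rows owned by anything other than a service account."""
    reader = csv.DictReader(io.StringIO(tasklist_csv))
    hits = []
    for row in reader:
        if row["Image Name"].lower() != "svchost.exe":
            continue
        user = row["User Name"]
        # Compare case-insensitively; tasklist output casing varies between versions.
        if user.upper() not in SERVICE_ACCOUNTS:
            hits.append((int(row["PID"]), user))
    return hits


def live_tasklist():
    """Run tasklist on a Windows machine and return its CSV output (Windows only)."""
    result = subprocess.run(
        ["tasklist", "/v", "/fo", "csv"], capture_output=True, text=True, check=True
    )
    return result.stdout


if __name__ == "__main__":
    # Use the live process list on Windows, the constructed sample elsewhere.
    data = live_tasklist() if sys.platform == "win32" else SAMPLE_TASKLIST
    for pid, user in suspicious_svchost(data):
        print(f"svchost.exe PID {pid} runs as {user}: confirm in Process Explorer before killing it")
```

On the sample data the script reports PIDs 2540 and 2552. Two caveats: account names are localized on non-English Windows, so extend `SERVICE_ACCOUNTS` accordingly, and on Windows 10 and later per-user services legitimately run svchost.exe under the user's account, so treat a hit as something to confirm via the image path and description in Process Explorer, not as proof by itself.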





5) Open regedit.exe from Run and navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\winlogon

Right-click winlogon and click Delete. Also look for the entry named status and delete it as well.

6) Navigate to

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue

Right-click CheckedValue, click Modify and change the value from 0 to 1.


7) Open My Computer -> Tools -> Folder Options, click the View tab, look for Hidden files and folders and click the "Show hidden files and folders" radio button; uncheck "Hide extensions for known file types" and also uncheck "Hide protected operating system files (Recommended)"; click Apply and OK.

8) Don't double-click your drives, so that autorun.inf won't execute. Instead use Start menu -> Run, type c: and press Enter.

9) Delete the folder named heap41a.

10) Type %temp% in Start menu -> Run and hit Enter, then delete the folder named MicrosoftPowerPoint.

11) It is a good idea to disable the autorun feature altogether. Do this by copy-pasting the lines below, saving them as whatever.reg and then double-clicking the file.


REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"


12)Look for and delete autorun.inf and MicrosoftPowerPoint.exe from all your pen/flash drives.
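Step 11 works because Windows reads autorun.inf through its INI-file mapping layer; the key above tells it to look up the file's contents in a registry key that does not exist, so every autorun.inf is treated as empty. Step 12 still has to be done by hand on each drive. The following Python script (an added example, not from the post) does the inspection part of step 12: it parses the autorun.inf at a drive root, lists the entries that would launch a program, and checks whether each referenced file is present and carries the hidden attribute. The `SAMPLE_AUTORUN` contents and the demo folder it builds are constructed to mirror the post's description (an autorun.inf next to a hidden MicrosoftPowerPoint.exe); the real file's contents are not given on the page.

```python
"""Inspect autorun.inf at a removable-drive root and report what it would launch.

Added example, not from the post. SAMPLE_AUTORUN is a constructed file that
mirrors the described pen-drive payload; no real sample was available.
"""
import configparser
import os
import stat
import tempfile

# autorun.inf keys whose value names a program Windows would run.
EXEC_KEYS = ("open", "shellexecute")

# Constructed autorun.inf in the style of the one described in the post.
SAMPLE_AUTORUN = (
    "[autorun]\n"
    "open=MicrosoftPowerPoint.exe\n"
    "shell\\open\\command=MicrosoftPowerPoint.exe\n"
    "shell\\open\\default=1\n"
    "icon=Icon.ico\n"
    "action=Open folder to view files\n"
)


def parse_autorun(text):
    """Return {key: value} for the execution-related entries of the [autorun] section."""
    # strict=False tolerates duplicate keys, which hand-written autorun.inf files often have.
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.read_string(text)
    # Section names are case-sensitive in configparser; autorun.inf uses [autorun] or [AutoRun].
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    launches = {}
    for key, value in cp.items(section):
        # configparser lowercases option names, so "Open=" and "open=" both match.
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            launches[key] = value or ""
    return launches


def is_hidden(path):
    """True if the file carries the Windows hidden attribute (always False off Windows)."""
    try:
        attrs = os.stat(path).st_file_attributes  # only present on Windows
    except (OSError, AttributeError):
        return False
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def scan_drive_root(root):
    """Report each program autorun.inf under `root` would launch, and whether it exists / is hidden."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, "r", errors="replace") as fh:
        launches = parse_autorun(fh.read())
    findings = []
    for key, value in launches.items():
        # First token is the program; strip quotes and drop any arguments.
        target = value.strip().split()[0].strip('"') if value.strip() else ""
        path = os.path.join(root, target)
        findings.append({
            "key": key,
            "target": target,
            "exists": os.path.isfile(path),
            "hidden": is_hidden(path),
        })
    return findings


def build_demo_drive():
    """Create a temp folder standing in for the infected pen drive (constructed, not real malware)."""
    root = tempfile.mkdtemp(prefix="pendrive_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    with open(os.path.join(root, "MicrosoftPowerPoint.exe"), "wb") as fh:
        fh.write(b"placeholder bytes, not an executable")
    return root


if __name__ == "__main__":
    # Point scan_drive_root at a real drive root (e.g. "E:\\") on Windows; here we use the demo folder.
    for finding in scan_drive_root(build_demo_drive()):
        print(finding)
```

The scan only reads files, so it is safe to run on a suspect drive as long as you open the drive via Run (step 8) rather than by double-clicking it. Once you know which file autorun.inf points at, delete both it and autorun.inf as in step 12.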


This particular malware seems to have been created using AutoHotKey: Process Explorer shows AutoHotKey in the description of its svchost.exe processes, and the `r sequences in its messages are AutoHotKey's escape for a carriage return, left unprocessed by whoever wrote it.
Blogger Dai
May 21, 2008 at 12:23 AM

Oh yeah!

Try Opera!!!
It is also very good!

MangalMan
May 21, 2008 at 10:46 PM

Yeah, I tried that too, but I love Firefox extensions. One more reason to switch to Firefox. Firefox 3 is going to be the fastest browser.
http://lifehacker.com/391547/firefox-3-on-track-to-be-speediest-browser

Amit
July 3, 2008 at 9:21 AM

Thanks man!!

You seem to know very much about computers n stuff....

Thanks again..
