Recently, my system got infected with a very strange virus. Whenever I tried to open Firefox, a new popup window used to come in front of the screen saying “USE INTERNET EXPLORER YOU DOPE. I DNT HATE MOZILLA BUT USE IE OR ELSE”, and Firefox would get terminated automatically.
The following screenshot describes it best:
After googling this, I found more interesting information about this virus.
It’s a worm, and its name is W32.USBWorm.
It spreads through USB drives. Along with Firefox, it also prevents you from opening Orkut and YouTube. It gives the alert “orkut\youtube is banned you fool” and closes the window immediately. For Firefox, it gives the alert “use IE you dope” and closes the Firefox window. It also plays a .wav file (which sounds like “muhahaha!!”) whenever the alerts pop up.
How does it work?
• It creates a folder named heap41a on the C drive, disguised as a system folder with the hidden attribute set, and copies all of its contents into that heap41a folder.
• The running process responsible for this is svchost.exe, and it is spawned under the logged-in user’s name (the legitimate svchost.exe instances run under the built-in system accounts).
• It makes an entry in the registry so that it is started automatically every time the system reboots.
Contents of the “heap41a” folder
• Svchost.exe – the main executing program.
• Script1.txt – contains the script for displaying the messages and playing the sound file, depending on which application was invoked.
• Std.txt – responsible for making the registry entries and running svchost.exe.
• Reproduce.txt – responsible for recreating the directory structure and registry entries every time the system reboots, or whenever any files or entries are missing.
• Along with these, there is one audio file and one drive-list text file, which by default contains all the letters from A to Z.
How to remove this worm
• Terminate the svchost.exe process. Remember there will be more than one svchost.exe process; you have to end the one that was spawned under the user name.
• Delete the heap41a folder from your system. It is hidden, so use the advanced search options (include hidden files and folders) to find it.
• Remove the following registry entry:
HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe
• It can also be removed using the freeware tool “HijackThis”, which can be downloaded from here: http://filehippo.com/download_hijackthis/
PS: Major antivirus applications, including Norton 360, failed to detect this.
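The removal steps above boil down to two checks you can do by hand: find the svchost.exe instance that is not owned by a system account, and find the Explorer\Run value that points into C:\heap41a. The script below is an added example (not from the original post, and not a tool the author used) that automates those two checks over exported data: the output of `tasklist /v /fo csv` and a `.reg` export of the Run key. It assumes the full key path HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, which the post abbreviates with “..”; the sample process list and registry export embedded in it are constructed for the demonstration.

```python
import csv
import io
import re
from dataclasses import dataclass

# Accounts under which legitimate service-host instances normally run;
# the worm's copy runs as the logged-in user instead.
SERVICE_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Folder the post describes (compared case-insensitively).
WORM_DIR = r"c:\heap41a"


@dataclass
class Finding:
    kind: str    # "process" or "registry"
    detail: str  # human-readable description of what matched


def suspicious_svchost(tasklist_csv: str) -> list[Finding]:
    """Flag svchost.exe rows whose owner is not a built-in service account.

    Input is the text of `tasklist /v /fo csv` (header row included).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if row["Image Name"].lower() != "svchost.exe":
            continue
        owner = row["User Name"]
        if owner.upper() not in SERVICE_ACCOUNTS:
            findings.append(Finding(
                "process", f"svchost.exe PID {row['PID']} running as {owner}"))
    return findings


def suspicious_run_entries(reg_export: str) -> list[Finding]:
    """Scan a .reg export for Policies\\Explorer\\Run values inside WORM_DIR.

    .reg files double every backslash inside quoted values, so the value is
    un-escaped before comparison.
    """
    findings = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current_key = key_match.group(1)
            continue
        if not current_key or not current_key.lower().endswith(r"policies\explorer\run"):
            continue
        val_match = re.match(r'^"([^"]+)"="(.*)"$', line)
        if val_match:
            name = val_match.group(1)
            value = val_match.group(2).replace("\\\\", "\\")
            if value.lower().startswith(WORM_DIR):
                findings.append(Finding("registry", f"{current_key}\\{name} -> {value}"))
    return findings


def scan(tasklist_csv: str, reg_export: str) -> list[Finding]:
    """Run both checks and return every indicator found."""
    return suspicious_svchost(tasklist_csv) + suspicious_run_entries(reg_export)


# --- Constructed sample input (not captured from a real machine) ---
TASKLIST_SAMPLE = (
    '"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"\n'
    '"svchost.exe","820","Console","0","4,120 K","Running","NT AUTHORITY\\SYSTEM","0:00:01","N/A"\n'
    '"svchost.exe","1044","Console","0","3,880 K","Running","NT AUTHORITY\\NETWORK SERVICE","0:00:00","N/A"\n'
    '"svchost.exe","2312","Console","0","2,560 K","Running","PC-NAME\\alice","0:00:00","N/A"\n'
    '"firefox.exe","2500","Console","0","40,100 K","Running","PC-NAME\\alice","0:00:05","Mozilla Firefox"\n'
)

REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"winlogon"="C:\\heap41a\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

if __name__ == "__main__":
    for f in scan(TASKLIST_SAMPLE, REG_SAMPLE):
        print(f"[{f.kind}] {f.detail}")
```

Because it works on exported text rather than querying the live system, you can run it from a clean machine against files copied off the infected one, which is also why it cannot delete anything itself: the PID and the exact registry value it reports are what you then end in Task Manager and remove with regedit.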
