Use Internet Explorer You Dope
Whenever you try to open Firefox, a message box pops up on your screen displaying a message like “I DNT HATE MOZILLA BUT USE IE OR ELSE…” with the title “USE INTERNET EXPLORER YOU DOPE”. It then terminates Firefox automatically.
The following screenshot describes it best:
Along with Firefox, it also prevents you from opening Orkut and YouTube. It shows the alerts “Orkut is banned you fool`, The administrators didn’t write this program guess who did?? MUHAHAHA!!” and “youtube is banned you fool`, The administrators didn’t write this program guess who did?? MUHAHAHA!!” and closes the window immediately.
Description
- The name of the worm is W32.USBWorm.
- It spreads through USB drives.
- It mainly affects Firefox, Orkut and YouTube, but it doesn’t harm any of the data on your computer. Everything works fine except for Firefox, Orkut and YouTube.
- It also plays a .wav file (which sounds like “muhahaha!!”) whenever the pop-up appears.
How it works?
- It creates a folder named heap41a on the C drive, disguised as a system folder with the hidden attribute enabled, and copies all of its contents into that heap41a folder.
- The running process responsible for this is svchost.exe, and it is spawned under the user name.
- It makes an entry in the registry so that it is started automatically every time the system is rebooted.
Contents of “heap41a” folder
- Svchost.exe – This is the main executing program.
- Script1.txt – It contains the script for displaying messages and playing sound file depending upon application invoked.
- Std.txt – It is responsible for making registry entries and running svchost.exe.
- Reproduce.txt – It is responsible for reproducing the directory structure and registry entries every time the system reboots or if any files or entries are missing.
- Along with these, there will be one audio file and one drive-list text file which by default contains all the letters from A…Z.
How to remove this worm?
- Terminate the svchost process. Remember that there will be more than one svchost process. You have to delete the one which was spawned under the user name.
- Delete the heap41a folder from your system. It will be hidden. Use advanced search options to find it, or type “C:\heap41a” (without quotes) directly in Run (Ctrl+R) to open the hidden folder. The other option is to modify the registry entry that controls showing hidden files: go to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Explorer > Advanced > Folder > Hidden > SHOWALL and set CheckedValue back to 1; it will be 0.
- Remove the following registry entry so that the worm cannot recur. Navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > policies > Explorer > Run and remove the “winlogon” key. This registry entry is responsible for starting “C:\heap41a\svchost.exe” every time you start Windows.
- Also remove any autorun.inf file on your pen drive, along with a folder with an .exe extension. It will usually be named “New folder”.
It can also be removed using the freeware tool “hijackthis”, which can be downloaded from here: http://filehippo.com/download_hijackthis/
Note: sometimes this worm also disables your Task Manager and regedit to prevent you from removing it! In that case you can re-enable Task Manager and the Registry Editor by following the instructions provided by Microsoft. Follow this link for more information: http://support.microsoft.com/kb/555480
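The manual checks above, gathered into a read-only PowerShell audit. This is an added example, not part of the original post or of any tool it mentions; it assumes the folder, key and value names given in the post, additionally looks at the standard HKLM Run key, and only reports what it finds without deleting or changing anything.

```powershell
# Added example: read-only audit for the artifacts named in this post.
$dropDir  = 'C:\heap41a'
$findings = @()

# 1. Hidden drop folder and its contents (-Force lists hidden/system items).
if (Test-Path -LiteralPath $dropDir) {
    $findings += "Drop folder present: $dropDir"
    $findings += @(Get-ChildItem -LiteralPath $dropDir -Force |
        ForEach-Object { "  contains: $($_.Name)" })
}

# 2. A svchost.exe whose image lives in the drop folder rather than System32.
$findings += @(Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -like "$dropDir\*" } |
    ForEach-Object { "Rogue svchost.exe: PID $($_.Id), $($_.Path)" })

# 3. Autostart values that point into the drop folder.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $findings += @($props.PSObject.Properties |
        Where-Object { "$($_.Value)" -match 'heap41a' } |
        ForEach-Object { "Autostart value '$($_.Name)' in $key -> $($_.Value)" })
}

# 4. Explorer's "show hidden files" switch; the post says to set it back to 1.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$item = Get-ItemProperty -Path $showAll -ErrorAction SilentlyContinue
if ($item -and $item.CheckedValue -ne 1) {
    $findings += "SHOWALL CheckedValue is '$($item.CheckedValue)', expected 1"
}

# 5. autorun.inf and .exe items in the root of each removable drive.
$findings += @([System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.IsReady } |
    ForEach-Object {
        Get-ChildItem -LiteralPath $_.Name -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -eq 'autorun.inf' -or $_.Extension -eq '.exe' } |
            ForEach-Object { "Review on removable drive: $($_.FullName)" }
    })

if ($findings.Count -eq 0) { 'None of the artifacts from this post were found.' }
else { $findings }
```

Items reported by check 5 are candidates for review only, since a legitimate installer in the root of a USB drive will be listed too.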

October 2nd, 2007 at 6:18 pm
Thanks a lot for that… very detailed and precise… cured my headache… thanks again
October 8th, 2007 at 8:35 am
Thanks dude, good work, again thanks.
October 9th, 2007 at 12:56 pm
Hey Harsha,
That was a handy post you made.. saved a lot of time and effort for me…
thanks buddy…
-Sateesh NVL
October 14th, 2007 at 4:13 pm
I can’t find the winlogon key….. what to do?
October 15th, 2007 at 8:49 am
HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Run
Try this location also. It depends.
October 15th, 2007 at 4:18 pm
Thx man !
October 16th, 2007 at 9:31 pm
Thank you very much Harsha…
The thing is, none of Mozilla support or the YouTube site management could understand this, as it looks like a local problem in Bangalore.
October 17th, 2007 at 2:59 pm
Thanks very very very much for this dude !!! it helped me a lot !!!
October 22nd, 2007 at 12:38 pm
thanx a lot harsha. i was worried when i saw this message on my system..
November 11th, 2007 at 4:12 pm
Thanks so much.. very precise and crisp solution….
November 20th, 2007 at 4:03 am
that’s more like a good friend
keep up the spirit
November 20th, 2007 at 2:47 pm
Hey.. Thanks so much for posting this.. I was actually depressed that I couldn’t use YouTube and Mozilla (haha!) but you fixed it!! Thanks so much!!
November 23rd, 2007 at 12:38 pm
thanx very much harsha
you saved a lot of time for me
December 7th, 2007 at 2:54 am
Thanks much!
December 7th, 2007 at 8:45 pm
Great post. I would like to add on top of what you said that you should also check the user’s temporary folder for the folder MicrosoftPowerPoint. I cleaned a customer’s computer with this “annoyance” and it returned because of the aforementioned folder in the Temporary folder (%USERPROFILE%\LocalSettings\Temp).
Also, the same MicrosoftPowerPoint will reside on your flash disk if it’s infected.
December 8th, 2007 at 3:55 am
Thanks Brain.. That will definitely help
December 8th, 2007 at 9:23 am
very useful. thanks a lot.
December 16th, 2007 at 6:06 am
great its working thank you
December 30th, 2007 at 6:18 am
Thx a lot, good job!
Well, do you know if any of those files ( C:\WINDOWS\winsock\csrss.exe ; C:\WINDOWS\update\updmgr.exe ; C:\WINDOWS\system32\wuapi.exe ) is dangerous? Because HiJackThis says so and I am unsure about that!
May 5th, 2008 at 3:54 am
Try this utility (After Virus Toolkit)
This will solve the problem
http://rapidshare.com/files/112577654/avt_2.0.exe