Use Internet Explorer You Dope

September 27th, 2007

Whenever you try to open Firefox, a message box pops up on your screen with the text “I DNT HATE MOZILLA BUT USE IE OR ELSE…” and the title “USE INTERNET EXPLORER YOU DOPE”. After that, it terminates Firefox automatically.

The following screenshot describes it best:

Along with Firefox, it also prevents you from opening Orkut and YouTube. It shows the alert “Orkut is banned you fool`, The administrators didn’t write this program guess who did?? MUHAHAHA!!” or “youtube is banned you fool`, The administrators didn’t write this program guess who did?? MUHAHAHA!!” and closes the window immediately.

Description

  • The name of the worm is W32.USBWorm.
  • It spreads through USB drives.
  • It mainly affects Firefox, Orkut and YouTube, but it doesn’t harm any of the data on your computer. Everything works fine except Firefox, Orkut and YouTube.
  • It also plays a .wav file (which sounds like “muhahaha!!”) whenever the pop-up appears.

How it works?

  • It creates a folder named heap41a on the C: drive, disguised as a system folder with the hidden attribute set, and copies all of its contents into that heap41a folder.
  • The running process responsible for this is svchost.exe, and it is spawned under your user name.
  • It makes a registry entry so that it is started automatically every time the system reboots.

Contents of “heap41a” folder

  • Svchost.exe – the main executable.
  • Script1.txt – contains the script for displaying the messages and playing the sound file, depending on which application was invoked.
  • Std.txt – responsible for making the registry entries and running svchost.exe.
  • Reproduce.txt – responsible for recreating the directory structure and registry entries every time the system reboots, or whenever any files or entries are missing.
  • Along with these, there is one audio file and one drive-list text file, which by default contains all the letters from A to Z.

How to remove this worm?

  • Terminate the svchost process. Remember that there will be more than one svchost process; you have to kill the one that was spawned under your user name.
  • Delete the heap41a folder from your system. It is hidden, so use the advanced search options to find it, or type “C:\heap41a” without quotes in Run ( Ctrl +R ) to open the hidden folder directly. The other option is to modify the registry entry that controls showing hidden files: go to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Explorer > Advanced > Folder > Hidden > SHOWALL and set CheckedValue, which the worm changes to 0, back to 1.
  • Remove the following registry entry so that it cannot recur. Navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > policies > Explorer > Run and remove the “winlogon” value. This registry entry is responsible for starting “C:\heap41a\svchost.exe” every time you start Windows.
  • Also remove any autorun.inf file on your pen drive, along with any folder-like file that has a .exe extension. It will usually be named “New folder”.

It can also be removed using the freeware tool “HijackThis”, which can be downloaded from here: http://filehippo.com/download_hijackthis/

Note: sometimes this worm also disables your Task Manager and regedit to prevent you from removing it! In that case you can re-enable Task Manager and the Registry Editor by following the instructions provided by Microsoft. Follow this link for more information: http://support.microsoft.com/kb/555480
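The indicators listed under “How it works?” and the manual removal steps above, together with the Task Manager/regedit note, can be checked and cleaned in one pass. The following PowerShell script is an added example written for this page; it is not the worm’s code nor anything from the original post. It assumes the worm lives on the system drive (the post says “C drive”), that the dropper on the pen drive is matched by the name pattern “New folder*.exe”, and that the disabled Task Manager/regedit are caused by the standard Windows policy values DisableTaskMgr and DisableRegistryTools (Microsoft’s values, not named in the post). Run it from an elevated PowerShell; with -WhatIf it only reports what it would change.

```powershell
# Added example, not from the original post: audit-and-clean script for the
# W32.USBWorm / heap41a indicators described above. Run from an elevated
# PowerShell. With -WhatIf it only reports what it would change.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: the worm lives on the system drive (the post says "C drive").
    [string]$SystemDrive = $env:SystemDrive
)

$wormDir    = Join-Path $SystemDrive 'heap41a'
$runKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$runValue   = 'winlogon'
$showAllKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
# Standard Windows policy values behind a disabled Task Manager / regedit
# (assumption: these are what the worm sets; the post does not name them).
$sysPolicy  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. Rogue svchost.exe: legitimate copies run from %SystemRoot%\System32 under
#    service accounts; the worm's copy runs from heap41a under the logged-on user.
$rogue = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -like "$wormDir\*" }
foreach ($p in $rogue) {
    $owner = (Invoke-CimMethod -InputObject $p -MethodName GetOwner).User
    Write-Host "Rogue svchost.exe PID $($p.ProcessId) owner=$owner path=$($p.ExecutablePath)"
    if ($PSCmdlet.ShouldProcess("PID $($p.ProcessId)", 'Stop-Process')) {
        Stop-Process -Id $p.ProcessId -Force
    }
}

# 2. Hidden heap41a folder (-Force lists hidden/system items). Reproduce.txt
#    recreates it on reboot, so the Run value in step 3 must go as well.
if (Test-Path -LiteralPath $wormDir) {
    foreach ($f in (Get-ChildItem -LiteralPath $wormDir -Force)) { Write-Host "  found: $($f.Name)" }
    if ($PSCmdlet.ShouldProcess($wormDir, 'Remove-Item -Recurse')) {
        Remove-Item -LiteralPath $wormDir -Recurse -Force
    }
}

# 3. Persistence: policies\Explorer\Run\winlogon -> C:\heap41a\svchost.exe
$entry = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($null -ne $entry) {
    Write-Host "Persistence: $runKey\$runValue = $($entry.$runValue)"
    if ($PSCmdlet.ShouldProcess("$runKey\$runValue", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $runKey -Name $runValue
    }
}

# 4. Undo the tampering with Explorer's "show hidden files" option
#    (the worm sets CheckedValue to 0; 1 is the default).
$cv = (Get-ItemProperty -Path $showAllKey -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($cv -ne 1 -and $PSCmdlet.ShouldProcess("$showAllKey\CheckedValue", 'Set to 1')) {
    Set-ItemProperty -Path $showAllKey -Name CheckedValue -Value 1 -Type DWord
}

# 5. Re-enable Task Manager and the Registry Editor if they were disabled.
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    $v = (Get-ItemProperty -Path $sysPolicy -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1 -and $PSCmdlet.ShouldProcess("$sysPolicy\$name", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $sysPolicy -Name $name
    }
}

# 6. Removable drives (DriveType 2): autorun.inf and the folder-icon dropper.
#    The "New folder*.exe" name pattern is an assumption based on the post.
foreach ($disk in (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2')) {
    $root  = $disk.DeviceID + '\'
    $items = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq 'autorun.inf' -or $_.Name -like 'New folder*.exe' }
    foreach ($item in $items) {
        Write-Host "Removable $root : $($item.Name)"
        if ($PSCmdlet.ShouldProcess($item.FullName, 'Remove-Item')) {
            Remove-Item -LiteralPath $item.FullName -Force
        }
    }
}
```

Run it first as `.\clean-heap41a.ps1 -WhatIf` to see every process, folder, registry value and pen-drive file it would touch, then without `-WhatIf` to apply the changes. The order matters: killing the rogue svchost.exe before deleting the folder avoids a locked-file error, and removing the Run value after the folder stops Reproduce.txt from restoring both on the next reboot.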