Sunday, July 15, 2007

Mozilla and Orkut-hating virus!

This time we have a virus which hates Orkut and Mozilla Firefox! The Mozban virus does not let the PC user launch the Firefox browser or open the Orkut website. It uses AutoHotKey both to do this and to replicate itself, and it spreads through secondary storage devices such as USB drives and CDs.
Here are the screen shots of message boxes displayed by the virus when Orkut website is opened or Firefox is launched:



Svchost.exe here is nothing but the renamed AutoHotKey program! Mozban creates a folder named heap41a in the root of the drive, containing the files listed below:
2.mp3
drivelist.txt
Icon.ico
offspring
reproduce.txt
script1.txt
std.txt
svchost.exe


And, the folder offspring contains:
MicrosoftPowerPoint.exe
autorun.inf


The files std.txt, script1.txt and reproduce.txt contain AutoHotKey scripts, which are executed by svchost.exe (the renamed AutoHotKey interpreter).

Here are the screenshots of the Jotti Malware Scan results for the two files dropped by the virus, svchost.exe and MicrosoftPowerPoint.exe:
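As an added example (not part of the original post, and not anything written by the virus author), here is a small Python triage script that checks for the indicators described above from a defender's side: the heap41a folder at the drive root with the listed file names, an offspring\autorun.inf that would launch the dropped executable when a USB drive is inserted, and an svchost.exe that is not the genuine service host because it runs from outside System32 or under the logged-on user. The folder layout, file names and the C:\heap41a\svchost.exe location come from the post; the autorun.inf contents and the process list are constructed samples, since the post does not show the real ones.

```python
"""Triage helper for the Mozban artefacts described in the post (added example)."""
import configparser
import ntpath
import tempfile
from pathlib import Path

# File names the post lists inside <drive>\heap41a and heap41a\offspring.
HEAP41A_FILES = {"2.mp3", "drivelist.txt", "Icon.ico", "reproduce.txt",
                 "script1.txt", "std.txt", "svchost.exe"}
OFFSPRING_FILES = {"MicrosoftPowerPoint.exe", "autorun.inf"}

# Constructed sample: the post does not show the real autorun.inf, so this
# only illustrates which key an autorun parser has to look at.
SAMPLE_AUTORUN = r"""[autorun]
open=offspring\MicrosoftPowerPoint.exe
icon=Icon.ico
"""

# autorun.inf keys that make Windows run a program when the medium is inserted.
LAUNCH_KEYS = ("open", "shellexecute", r"shell\open\command")

# Accounts the genuine service host normally runs under.
SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def check_heap41a(drive_root):
    """Return the listed artefacts present under <drive_root>/heap41a.

    Matching is case-insensitive because FAT/NTFS are; files from the offspring
    sub-folder are reported with an 'offspring/' prefix. Empty set = no hits.
    """
    base = Path(drive_root) / "heap41a"
    if not base.is_dir():
        return set()
    wanted = {n.lower() for n in HEAP41A_FILES}
    found = {p.name for p in base.iterdir() if p.name.lower() in wanted}
    offspring = base / "offspring"
    if offspring.is_dir():
        wanted_off = {n.lower() for n in OFFSPRING_FILES}
        found |= {"offspring/" + p.name for p in offspring.iterdir()
                  if p.name.lower() in wanted_off}
    return found


def autorun_launch_targets(inf_text):
    """Return the commands an autorun.inf would run on insertion, in key order."""
    cp = configparser.RawConfigParser(strict=False)
    try:
        cp.read_string(inf_text)
    except configparser.Error:
        return []  # not parseable as INI: report nothing rather than guess
    # Section names are case-sensitive in configparser but not in Windows.
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    return [cp.get(section, key) for key in LAUNCH_KEYS if cp.has_option(section, key)]


def suspicious_svchost(processes, system_root=r"C:\WINDOWS"):
    r"""Flag svchost.exe instances that are not the genuine service host.

    processes: iterable of (image_path, user_name) pairs as Task Manager would
    show them. The post's sample runs from C:\heap41a\svchost.exe under the
    logged-on user, so both the directory and the owning account are checked.
    """
    legit_dir = ntpath.normcase(ntpath.join(system_root, "System32"))
    flagged = []
    for image, user in processes:
        if ntpath.basename(image).lower() != "svchost.exe":
            continue
        in_system32 = ntpath.normcase(ntpath.dirname(image)) == legit_dir
        system_owned = user.upper() in SYSTEM_ACCOUNTS
        if not (in_system32 and system_owned):
            flagged.append((image, user))
    return flagged


def build_sample_root():
    """Create a constructed, harmless copy of the described layout in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="mozban_sample_"))
    heap = root / "heap41a"
    (heap / "offspring").mkdir(parents=True)
    for name in HEAP41A_FILES:
        (heap / name).write_text("placeholder\n")  # stand-ins, not the real files
    (heap / "offspring" / "MicrosoftPowerPoint.exe").write_text("placeholder\n")
    (heap / "offspring" / "autorun.inf").write_text(SAMPLE_AUTORUN)
    return root


if __name__ == "__main__":
    root = build_sample_root()  # on an infected PC you would pass "C:\\" instead
    print("artefacts under", root, "->", sorted(check_heap41a(root)))
    inf = (root / "heap41a" / "offspring" / "autorun.inf").read_text()
    print("autorun would launch:", autorun_launch_targets(inf))
    # Constructed process list: one genuine service host, one from the dropper's folder.
    sample_procs = [(r"C:\WINDOWS\system32\svchost.exe", "SYSTEM"),
                    (r"C:\heap41a\svchost.exe", "vaibhav")]
    print("suspicious svchost.exe:", suspicious_svchost(sample_procs))
```

The script only reads; it deletes nothing and touches no registry key, so it is safe to run on a suspect machine before deciding on removal. On a real system, call check_heap41a("C:\\") and feed suspicious_svchost the image path and user name columns from Task Manager or tasklist.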


9 Comments:

Anonymous vaibhav said...

How do I get rid of it? Please help!!

11:05 PM  
Blogger swatkat said...

Hi vaibhav,
Update your antivirus and then scan your system. Most of the AVs detect this threat now.
Also, you can use the standalone removal tool Dr.Web CureIt to remove the infection.

12:46 PM  
Anonymous Anonymous said...

Dr.Web CureIt is not doing the job either..!!
It scans and cures, then when I open Orkut that message comes again..
and I'm fed up!!
Wherever ORKUT is written, that thing becomes inaccessible..
Firstly I wasn't able to search for this virus's cure on the net, because when I typed ORKUT VIRUS in Google the window closed..!!
Anyhow I found this website...
downloaded Dr.Web CureIt!
scanned and found those infected files.. cured them..
but.. the problem remains..

Please tell me what to do now!! [:(]

12:11 AM  
Blogger swatkat said...

Hi,
Here's a tutorial which tells you how to remove this virus:
Tutorial link

2:25 AM  
Anonymous abhi said...

Hi Swatkat,

I have a different problem on my home system... let me try explaining it!

So when I use the browser it sometimes takes three or four clicks to open a webpage... hmm yes, 'DoubleClick', that was found by Spybot. It 'removes' it, but the next time I scan it reappears, and same story... no satisfactory end yet!
Additionally, in my Mozilla Firefox browser I have entered 'www.doubleclick.com' and 'www.doubleclick.net' as blocked sites, as was advised on some site I referred to earlier... but unfortunately the problem still comes up any time. The problem is serious as it slows down my browsing speed to really slow, something like ~3-4 KBps, while it should normally be ~28 KBps.

The next BIG problem is that my browser just starts showing Java/HTML script-looking text on my screen at any time, instead of the webpage we normally expect. If I retry reloading/refreshing the webpage 3-4 times, suddenly once it will give me the proper page display... but otherwise it's just chance. I see junk script text or the webpage, it depends.

Your suggestions & advice will help a lot! - thanks

Note - I DO keep scanning using the McAfee suite... but it has NOT helped the system at all. It never even catches DoubleClick, which till now ONLY Spybot catches!! That may be a McAfee weakness, but I wanted to inform you.

Second, I keep Spybot updated and run it 3-4 times a day after this problem and remove whatever it alarms on.

I am using Mozilla Firefox 2.0.0.6

1:18 AM  
Anonymous abhi said...

Just adding more info on the error... it may help you understand it...

A sample of the junk I mentioned just came up when I clicked help.orkut.com/support/?hl=en-US

It shows junk text instead of the webpage... as below..

body { background-color: #dee7f7; font-family: Verdana, Arial, sans-serif; font-size: 12px; margin: 0; padding: 0; } /* Elements */ a:link { color: #0065ad; text-decoration: underline } a:visited { color: #0047BE; text-decoration: underline } a:active { color: #C40098; text-decoration: underline } a:hover { color: #C40098; text-decoration: underline } div { margin: 0; padding: 0; } img { border: 0; } /* Header */ div#header { background: transparent url(http://www.google.com/orkut/images/header_bg.gif) repeat-x; margin: 0; } div#header table { width: 100%; border-spacing: 0; border-collapse: collapse; border: 0; margin: 0; padding: 0; } div#header table td { vertical-align: top; padding: 0; margin: 0; height: 29px; } div#header td#logo { width: 80px; padding: 0 0 0 20px; } div#header td#logo h1 { margin: 0; padding: 0; } div#header td#logo h1 img { margin: 0; } div#header td#help { width: 200px; padding: 5px 0 0 1.5em; } div#header td#help h2 { margin: 0; padding: 0; color: #ffffff; font-size: 14px; } div#header td#country { text-align: right; padding: 5px 1.2em 0 0; } div#header td#country p { margin: 0; padding: 0; color: #ffffff; font-size: 11px; } div#header td#country form { margin: 0; padding: 0; } div#header td#country form select { margin: 0; padding: 0; font-size: 10px; } div#header p#breadcrumbs { margin: 1.2em 2em 0 2em; padding: 0; font-size: 11px; } /* Body */ table#body { margin: 1em; padding: 0; } /* Left Nav */ table.module#left_nav { width: 170px; margin: 0 1em 0 0; } table.module#left_nav td.module-content { background-color: #ffffff; padding: 0.4em; } ul#left_nav { margin: 0; padding: 0; } ul#left_nav li { list-style: none outside; display: block; margin: 0 0 0.4em 0; padding: 0.4em; background-color: #ebf5ff; border: 1px solid #d6e1f5; font-size: 12px; } /* Modules */ table.module { width: 100%; } table.module td.module-content { background-color: #ffffff; padding: 0.4em; } table.module td.module-content h5 { font-weight: bold; font-size: 1.1em; 
color: #000; margin: 0 0 0.5em 0; } /* Footer */ div#footer { margin: 0; padding: 0 0 1em 0; } div#footer p { margin: 0; padding: 0; text-align: center; } .mainbody { margin: 1em; background-color:#D4DDED;;} td {font-size:12px;} a:link {color:#0000cc} a:visited {color:#0000cc} .n, .sn {margin:0 0 6px 0;padding:0} .topic_body {background-color:#D4DDED;;} .h {padding:2px 0} .search, .d {padding:2px 0} .forminput { font-family: Verdana, sans-serif; font-size: 12px; } .sectiontitle {padding:0 0 2px 0;border-bottom:0px solid #cccccc; font-size: 12px; color:#000000;} .sectiontitle2 {padding:0 0 2px 0;border-bottom:1px solid #cccccc; font-size:12px; color:#444444;} .sectiontitlenobr {padding:0 0 8px 0} .top5 {padding:0 0 2px 0} ul.section {list-style-type:none;line-height:155%;margin:0;padding:0 0 0 15px} ul.section li {list-style-type:disc} ul.tour {list-style-type:none;line-height:155%;margin:0;padding:0 0 0 .2em} ul.tour li {background-image: url(images/document3.gif);background-repeat: no-repeat;background-position: 0;padding-left:1.6em}/*background-position: 0 .6em;padding:0 0 0 .8em*/ o

1:56 AM  
Anonymous Anonymous said...

I want to download this virus to study it. Please can anybody tell me where I can find it? Please send me the link where I can find that virus (the infected file).
My email is amolshejole@gmail.com
http://thehackingblog.blogspot.com

2:54 PM  
Blogger ഈ പാവം ഞാന്‍ said...

Hello everyone... there is a solution without using any antivirus..

First end the process svchost.exe under your user name (not under SYSTEM) using Task Manager.
Then open the "c:\heap41a" folder using the Run command, then read all the text files in that folder. In those text files it is written which registry entries it has changed. Just use regedit and restore them (change the values to 0 in most cases).
You've done it.

9:54 PM  
Anonymous Anonymous said...

Thanks a lot to whoever gave the c:\heap41a comment.

Steps to remove the virus

1. Open Task Manager.
2. Open Mozilla Firefox.
3. An error message will pop up.
4. In Task Manager, go to the running application, right-click it and select "Go To Process".
5. The process highlighted will be "svchost.exe".
6. This is the virus; click "End Process".
7. Now the virus is stopped.
8. Open c:\heap41a from the Run command in the "Start" menu.
9. The whole scripting of the virus is there. Delete all of it, but first open std.txt and regedit (from the Run command) and try to correct the registry values.

10:35 PM  
