Days of our Lives!

June 4, 2007

That is one bloody cheap trick MS

Filed under: My Dayz,Tech — Santhosh @ 8:03 PM

Microsoft and I share a love-hate relationship.
I hate them, and they love to give me more reasons to hate them even more.

Today, they made me download and install about 65MB of patches and, as if that wasn’t enough, they kept popping up alerts every 5 minutes asking me to reboot the system. After having used every possible combination of curses known to mankind, I finally complied, though it was more out of irritation. And then do you know what Microsoft does? They play a low, dirty, cheap trick on me. They install a virus along with the patches.

After rebooting, I tried to open Firefox, which crashed immediately, and I got this:

My initial reaction was that some wiseguy Microsoft programmer had included this in the original code for XP, maybe triggered by some adverse combination of environmental conditions (at the moment, my laptop had a grand total of 11MB of free space). It was only after I’d cleared 1GB (via pen drive to my desktop) and still came up with this that I realised maybe something was wrong. The latest Norton updates were no help. I tried to uninstall Firefox and got the same error message. I was able to bring up IE, but when I tried to google for “Mozilla Firefox download”, IE too crashed and the same error message came up.

Deciding to take it to the helpdesk once I reached the office, I proceeded to check my mail. I tried to open Gmail and IE crashed with this:

– the MUHAHAHA being read out as sinister laughter.
I was unable to open anything related to Google (except Google Search): Gmail, YouTube, Orkut.

A bit of Googling gave me the following:

It’s a worm that goes by the name W32.USBWorm.

How it works?
• It spreads through USB drives.
• It creates a folder named heap41a in the root of the C: drive, disguised as a system folder with the hidden attribute set, and copies all of its files into that folder.
• The running process responsible for this is svchost.exe, spawned under the current user name (the genuine svchost.exe instances run under service accounts, not under the logged-on user).
• It makes an entry in the system registry so that it is started automatically every time the system reboots.

Contents of the “heap41a” folder:
• Svchost.exe – the main executable (a copy of the worm, named to blend in with the genuine svchost.exe processes).
• Script1.txt – the script for displaying the messages and playing the sound file, depending on which application was launched.
• Std.txt – responsible for making the registry entries and running svchost.exe.
• Reproduce.txt – responsible for recreating the directory structure and registry entries every time the system reboots, or whenever any of the files or entries are missing.
• Along with these, there is an audio file and a drive-list text file which by default contains every letter from A to Z.

How to remove this worm?
• Terminate the svchost process from Task Manager (Processes tab). There will be more than one svchost process (Svchost.exe is the generic host process for services that run from DLLs), so you have to end the one that was spawned under your own user name; the genuine ones run as SYSTEM, LOCAL SERVICE or NETWORK SERVICE. Note that if you end a genuine one, you’ll get a message that the “system is shutting down because some vital process has terminated unexpectedly”.
• Delete the heap41a folder from your system. This is a hidden folder.
Enable “Search hidden files and folders” in the advanced search options to find it. If an ‘access denied’ message pops up when you try to delete it, use the Unlocker utility.
You can also type C:\heap41a in the address bar of Windows Explorer, hit Enter, and once inside it, press Ctrl+A and then Shift+Delete.
• Remove the following registry entry:
HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe
• The worm can also be removed using HijackThis or Avast, both of which detect and remove it. Other antivirus tools don’t seem to detect it as of now (June 2007).
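The three indicators listed under “How it works” and the three removal steps above, collected into one triage script. This is an added example, not code from the original post or from any tool the post mentions. It uses modern PowerShell (Get-CimInstance and the HKLM:/HKCU: drives), which XP did not ship with in 2007, and it assumes the full registry path HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (the post abbreviates it to HKLM\..\Policies\Explorer\Run), plus the HKCU mirror of the same key. It only reports by default; with -Remove it cleans up in the post’s order: the process first, then the folder, then the autostart value.

```powershell
# Added triage script, not from the original post. Reports the three heap41a
# indicators; with -Remove it also cleans them, in the post's order (process,
# folder, registry value). Run from an elevated prompt for the removal step.
param([switch]$Remove)

# Indicators taken from the post. The full key paths are an assumption: the
# post abbreviates them to HKLM\..\Policies\Explorer\Run.
$WormDir = 'C:\heap41a'
$RunKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run')
# Genuine svchost.exe instances run from System32 (or SysWOW64) as a service account.
$GoodPaths    = @((Join-Path $env:SystemRoot 'System32\svchost.exe'),
                  (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe'))
$GoodAccounts = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')
$findings = @()

# 1. An svchost.exe owned by an interactive user, or running from any other
#    path, is the worm's copy. Stop only those: killing a genuine one makes
#    Windows shut down, as the post warns.
foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    $owner    = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $badPath  = $p.ExecutablePath -and ($p.ExecutablePath -notin $GoodPaths)
    $badOwner = $owner.User -and ($owner.User.ToUpper() -notin $GoodAccounts)
    if ($badPath -or $badOwner) {
        $findings += "process PID $($p.ProcessId) owner=$($owner.Domain)\$($owner.User) path=$($p.ExecutablePath)"
        if ($Remove) { Stop-Process -Id $p.ProcessId -Force }
    }
}

# 2. The hidden folder. -Force is needed to see hidden/system items at all.
$dir = Get-Item -LiteralPath $WormDir -Force -ErrorAction SilentlyContinue
if ($dir) {
    $names = (Get-ChildItem -LiteralPath $WormDir -Force |
              Select-Object -ExpandProperty Name) -join ', '
    $findings += "folder $WormDir ($($dir.Attributes)) contains: $names"
    if ($Remove) { Remove-Item -LiteralPath $WormDir -Recurse -Force }
}

# 3. The autostart value the post names ([winlogon] pointing into heap41a).
#    Any value under either Policies\Explorer\Run key that references the
#    folder is reported, not just one called "winlogon".
foreach ($key in $RunKeys) {
    $k = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $k) { continue }
    foreach ($name in $k.GetValueNames()) {
        $value = $k.GetValue($name)
        if ("$value" -match 'heap41a') {
            $label = if ($name) { $name } else { '(default)' }
            $findings += "registry $key\$label = $value"
            if ($Remove) { Remove-ItemProperty -Path $key -Name $label }
        }
    }
}

if ($findings) {
    $findings | ForEach-Object { "[!] $_" }
    if (-not $Remove) { 'Re-run with -Remove to clean up.' }
} else {
    '[+] No heap41a indicators found.'
}
```

Save it as, say, heap41a-triage.ps1 and run it once without arguments to see what it finds, then again with -Remove from an elevated prompt. All three steps have to happen in one pass and in that order: as the post notes, Reproduce.txt rebuilds the folder and the registry entry whenever they go missing, so deleting the folder while the worm’s svchost.exe is still running just gets you a fresh copy at the next reboot.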

In case someone comes up against the same virus and wants a solution via Google, I’m giving the following tags for possible searches :
Orkut is banned you fool,The administrators didnt write this program guess who did??


1 Comment »

  1. Is MS doing this? I don’t think so. I also have a post on this.

    Comment by Anonymous — June 8, 2007 @ 10:43 AM | Reply
