The w32.USBworm, commonly known as the Orkut Mozilla Hater Virus, has been spreading its malicious fingers all over India. The worm, quite a tricky one, is most commonly seen when it displays messages like “I DNT HATE MOZILLA BUT USE IE OR ELSE…”, “ORKUT IS BANNED, Orkut is banned you fool”, “The administrators didn’t write this program guess who did??”, “youtube IS BANNED,youtube is banned you fool” and “The administrators didn’t write this program guess who did??`r`r MUHAHAHA!!,30”.
This worm has been around for about 4 months now, with scattered responses and many bloggers posting different methods of removing it. Here, I’ve compiled the instructions from a few of those blogs and added a few failsafes of my own.
What it does
Runs in the background, invisible to antiviruses
When Mozilla Firefox is opened, it displays a message (I DNT HATE MOZILLA BUT USE IE OR ELSE…) and shuts down Firefox
When the site Orkut is accessed, via any browser, it shows yet another message out of a few listed above, and shuts down the browser.
Same when YouTube is accessed.
Copies itself automatically onto USBs, iPods (yes!), Digicams etc. when connected to the PC
Copies itself from the USBs, iPods etc. to any other PC they are inserted into.
Disables the “Show Hidden Folders” option
How it functions
It runs an executable file named svchost.exe in the background
All virus files are located in a folder on the C:\ drive
The folder is hidden, and the worm disables the option to view hidden folders
Comfortably carries out its malicious activities and also makes the computer dead slow
Why it's dangerous
It makes the computer slow.
No antivirus to date has been able to remove or detect this virus. A few antiviruses, like AVG, NOD32 and Avast, were able to prevent its entry.
The removal of this virus requires a manual procedure. It may take around 5-10 minutes. It has 4 main steps:
1) Removing the virus from the task manager
2) Deleting the virus files
3) Deleting registry entries
4) Editing the registry to restore the “View Hidden Files” option
I - Removing the virus from the task manager
Hit Alt+Ctrl+Del to bring up the Task Manager
Click on the Processes tab
Click on Image Name to arrange the processes according to their names
Scroll down a bit until you reach a number of SVCHOST.exe processes listed
All, but one, of these SVCHOST.exe processes will be listed under the usernames of SYSTEM or NETWORK SERVICE
Find the SVCHOST.exe which is listed under YOUR username, i.e. if your username is anoop, find the SVCHOST.exe listed under the username anoop. Select that process and click End Process.
Click Yes to successfully end the process.
(Picture credit : Sujith)
II - Deleting the virus files
Browse to your C:\ drive, or whichever drive you’ve installed Windows on.
In the address bar, type in heap41a after the C:\ and press Enter. i.e. In the address bar, type C:\heap41a and press Enter.
Mercilessly delete every file in that folder. Muhahahahhahahahaha! You’ve now deleted the virus!
III - Deleting the registry entries
Go to Start>Run (or Windows key + R)
Type in regedit and hit Enter
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run and delete the winlogon key. This will prevent any remnants of the worm from starting at boot.
IV - Editing the registry to restore the “View Hidden Files” option
In Regedit, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
There, navigate to NOHIDDEN
In NOHIDDEN, change the CheckedValue to “0” and DefaultValue to “1”.
Go one step back, and navigate to SHOWALL
In SHOWALL, change the CheckedValue to “1”.
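Steps I to III name three indicators: an svchost.exe running under an ordinary user, the heap41a folder, and the winlogon entry under the policies\Explorer\Run key. The read-only PowerShell check below looks for all three before and after cleanup; it is an added example, not part of the original instructions, and the variable names and the LOCAL SERVICE entry in the account list are assumptions added here.

```powershell
# Added example: read-only check for the indicators named in steps I-III.
# It deletes nothing. Run from an elevated prompt so process owners resolve.

# SYSTEM and NETWORK SERVICE come from the post; LOCAL SERVICE is added here
# because it is another built-in account that legitimately runs svchost.exe.
$serviceAccounts = 'SYSTEM', 'NETWORK SERVICE', 'LOCAL SERVICE'
$wormFolder = Join-Path $env:SystemDrive 'heap41a'
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$findings = @()

# Step I: svchost.exe processes owned by an ordinary user account.
# The executable path is reported too: the genuine svchost.exe lives in
# %SystemRoot%\System32, so a copy running from elsewhere deserves attention.
foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    if ($owner.ReturnValue -eq 0 -and $owner.User -notin $serviceAccounts) {
        $findings += [pscustomobject]@{
            Indicator = 'svchost.exe running under a user account'
            Detail    = "PID $($proc.ProcessId), user $($owner.User), path $($proc.ExecutablePath)"
        }
    }
}

# Step II: the hidden folder. -Force lists hidden and system files as well.
if (Test-Path -LiteralPath $wormFolder) {
    $files = (Get-ChildItem -LiteralPath $wormFolder -Force).Name -join ', '
    $findings += [pscustomobject]@{
        Indicator = "Folder $wormFolder exists"
        Detail    = "Contents: $files"
    }
}

# Step III: the 'winlogon' autostart entry under the policies Run key.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties.Name -contains 'winlogon') {
    $findings += [pscustomobject]@{
        Indicator = "'winlogon' entry under policies\Explorer\Run"
        Detail    = "Command: $($run.winlogon)"
    }
}

if ($findings.Count -eq 0) {
    'None of the three indicators were found.'
} else {
    $findings | Format-List
}
```

On recent Windows versions some per-user services also run svchost.exe under the logged-in account from System32, so read the reported path before ending a process.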