OK assholes, I'm tired of explaining this to each one of you... I guess all of you have emptied your brains. So here is the procedure...
That malware is written as an AutoHotkey script. It does not do much "damage" as such... it only shows that there are plenty of lusers out there in the world who own a computer and use the internet.
Nicely written, I must say... whoever wrote this is a smart-ass.
You get messages like "Orkut is banned you fool, The administrators didnt write this program guess who did?? MUHAHAHA!!" in a window titled "ORKUT IS BANNED".
Variants of the malware (it does not deserve to be called a virus or a trojan) have come up.
What does this script do?
Copies itself to either C:\heap41a or %temp%\MsData. Both directories are superhidden (Hidden + System attributes), so Explorer will not show them even with "show hidden files" on unless "hide protected operating system files" is also switched off; `dir /a` from a command prompt lists them regardless.
Runs among the processes as svchost.exe, under the user's name (probably). The genuine svchost.exe always runs from %SystemRoot%\System32, so a svchost.exe whose image path is heap41a or MsData is the malware, not a Windows service.
Probes for new devices on the machine... USB drives are its favourites. When one is found, it copies itself onto it.
Keeps a backup in System32 as winlogons.exe (note the name: winlogons.exe with an extra "s", not the legitimate winlogon.exe).
Contents of heap41a and MsData:
svchost.exe, drivelist, monitor, MicrosoftPowerPoint.exe (superhidden), autorun.inf (superhidden; an autorun.inf is what Windows of that era executed automatically when a drive was plugged in)... and maybe some other junk.
- To remove it, first terminate the svchost.exe that runs from heap41a or MsData, and leave the ones running from System32 alone (`wmic process where "name='svchost.exe'" get processid,executablepath` shows which is which) [if you do not know how to do this then you deserve to suffer... I hope your box crashes, die luser].
- Then quickly remove the heap41a or MsData folders, or all the data in them.
- Go to System32 and remove winlogons.exe.
- Go to the registry and delete the entry that references winlogons.exe (if it exists). Search the registry for the string winlogons.exe; it will be an autostart entry of some kind.
This should do the job... if you don't know how to delete from the registry or where the System32 directory is, then you can ESAD.
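The same clean-up as a script, as an added example that is not part of the original post and not the malware author's code. It is built only from the indicators listed above (the two drop directories, the fake svchost.exe, System32\winlogons.exe, the files in the drop folder, the USB spreading). Assumptions not in the post: a modern PowerShell (3 or later) in an elevated prompt, and, since the post does not name the registry key, the HKLM and HKCU ...\CurrentVersion\Run keys are the ones searched for a value mentioning winlogons.exe. Run it with -WhatIf first to see what it would touch.

```powershell
<#
Added example (not from the original post): hunt-and-clean for the heap41a /
MsData AutoHotkey dropper, using only the indicators given in the post.
ASSUMPTIONS: PowerShell 3+, elevated; Run keys below are a guess at where the
winlogons.exe autostart entry lives. Use -WhatIf to audit before deleting.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$dropDirs  = @('C:\heap41a', (Join-Path $env:TEMP 'MsData'))
$sys32     = Join-Path $env:SystemRoot 'System32'
$backup    = Join-Path $sys32 'winlogons.exe'   # extra "s": not the real winlogon.exe
$iocFiles  = @('svchost.exe', 'drivelist', 'monitor', 'MicrosoftPowerPoint.exe', 'autorun.inf')
$legitDirs = @($sys32, (Join-Path $env:SystemRoot 'SysWOW64'))

# 1. Kill the fake svchost.exe first, before touching its files.
#    The genuine svchost.exe always runs from System32 (or SysWOW64), so any
#    svchost whose image path is anywhere else is the malware, not a service.
foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    if (-not $p.Path) { continue }   # path not visible (other user's process, not elevated): skip
    $dir = Split-Path -Path $p.Path -Parent
    if ($legitDirs -notcontains $dir) {
        if ($PSCmdlet.ShouldProcess("$($p.Path) (PID $($p.Id))", 'Stop-Process')) {
            Stop-Process -Id $p.Id -Force
        }
    }
}

# 2. Remove the drop directories. They are superhidden (Hidden + System), so
#    -Force is required for Get-ChildItem and Remove-Item to touch them at all.
foreach ($d in $dropDirs) {
    if (-not (Test-Path -LiteralPath $d)) { continue }
    Get-ChildItem -LiteralPath $d -Force | ForEach-Object { Write-Verbose "in ${d}: $($_.Name)" }
    if ($PSCmdlet.ShouldProcess($d, 'Remove-Item -Recurse -Force')) {
        Remove-Item -LiteralPath $d -Recurse -Force
    }
}

# 3. The backup copy the dropper keeps in System32.
if (Test-Path -LiteralPath $backup) {
    if ($PSCmdlet.ShouldProcess($backup, 'Remove-Item -Force')) {
        Remove-Item -LiteralPath $backup -Force
    }
}

# 4. Persistence: delete any autostart value whose data mentions winlogons.exe.
#    ASSUMPTION: the post does not say which key; the common Run keys are checked.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path -Path $k)) { continue }
    $key = Get-Item -Path $k
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($data -match 'winlogons\.exe') {
            if ($PSCmdlet.ShouldProcess("$k : $name = $data", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $k -Name $name
            }
        }
    }
}

# 5. USB spreading: check every removable volume (DriveType 2) for the same
#    file set the dropper keeps in its own folder.
foreach ($vol in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2') {
    foreach ($f in $iocFiles) {
        $fp = "$($vol.DeviceID)\$f"
        if (Test-Path -LiteralPath $fp) {
            if ($PSCmdlet.ShouldProcess($fp, 'Remove-Item -Force')) {
                Remove-Item -LiteralPath $fp -Force
            }
        }
    }
}

Write-Host 'Done. Reboot, then confirm no svchost.exe runs from outside System32.'
```

The process check in step 1 is the one worth keeping even without the rest: killing by name alone would take down real Windows services, while killing by image path only hits the copy in heap41a or MsData. Step 5 deletes files by name on removable drives, so check the -WhatIf output before letting it loose on a USB stick that legitimately holds something called monitor or drivelist.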
NOTE: Try using your brains the next time you get infected.