THE NAME OF THE WORM IS W32.USBWORM.
Chief complaints: Along with Firefox, it also prevents you from opening Orkut and YouTube.
Diagnosis
It gives the alerts:
1. “Orkut is banned you fool`, The administrators didn’t write this program guess who did?? MUHAHAHA!!”
2. “youtube is banned you fool`, The administrators didn’t write this program guess who did?? MUHAHAHA!!” and closes the window immediately.
Treatment:
Terminate the svchost process. Remember that there will be more than one svchost process. You have to end the one that was spawned under your user name.
Delete the heap41a folder from your system. It will be hidden. Use the advanced search options to find it, or type “C:\heap41a” (without quotes) directly in Run ( Ctrl + R ) to open the hidden folder. The other option is to modify the registry entry that controls showing hidden files: go to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Explorer > Advanced > Folder > Hidden > SHOWALL, find CheckedValue and set it back to 1; it will currently be 0.
Remove the following registry entry so that it cannot recur. Navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > policies > Explorer > Run and remove the “winlogon” key. This registry entry is responsible for starting the “C:\heap41a\svchost.exe” file every time you start Windows.
Also remove any autorun.inf file on your pen drive, along with a folder that has an .exe extension. It will usually be named “New folder”.
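The checks from the treatment steps above, gathered into one read-only PowerShell script (an added example, not part of the original post). The folder path, registry locations and the “winlogon” name are the ones given on this page; the script only reports what it finds and changes nothing.

```powershell
# Added example: read-only check for the indicators described on this page.
# C:\heap41a, the Run policy key and the "winlogon" name come from the page.
$wormDir  = 'C:\heap41a'
$cv       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$runKey   = "$cv\policies\Explorer\Run"
$showAll  = "$cv\Explorer\Advanced\Folder\Hidden\SHOWALL"
$findings = @()

# 1. svchost.exe processes running out of the worm folder, with their owner
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object { $_.ExecutablePath -like "$wormDir\*" } |
    ForEach-Object {
        $owner = (Invoke-CimMethod -InputObject $_ -MethodName GetOwner).User
        $findings += "Process: PID $($_.ProcessId) $($_.ExecutablePath) (owner: $owner)"
    }

# 2. The hidden folder itself (Test-Path sees hidden items)
if (Test-Path -LiteralPath $wormDir) { $findings += "Folder: $wormDir exists" }

# 3. The autostart entry named "winlogon"
$run = Get-ItemProperty -Path $runKey -Name 'winlogon' -ErrorAction SilentlyContinue
if ($run) { $findings += "Autostart: winlogon = $($run.winlogon)" }

# 4. "Show hidden files" option disabled via CheckedValue = 0
$sa = Get-ItemProperty -Path $showAll -Name 'CheckedValue' -ErrorAction SilentlyContinue
if ($sa -and $sa.CheckedValue -eq 0) { $findings += 'Registry: SHOWALL CheckedValue is 0' }

# 5. autorun.inf and *.exe items in the root of each removable drive (DriveType 2)
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = "$($_.DeviceID)\"
    Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'autorun.inf' -or $_.Name -like '*.exe' } |
        ForEach-Object { $findings += "USB: $($_.FullName)" }
}

if ($findings) { $findings } else { 'No indicators from this page were found.' }
```

Matching svchost.exe on its path under C:\heap41a is used here alongside the owner, because the genuine svchost.exe runs from the Windows system directory. Review each reported item before deleting it by hand as described above.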
Discussion
The name of the worm is W32.USBWorm, and it spreads through USB drives.
It mainly affects Firefox, Orkut and YouTube, but it doesn’t harm any of the data on your computer. Everything works fine except for Firefox, Orkut and YouTube.
It also plays a .wav file (which sounds like “muhahaha!!”) whenever the pop-up appears.