Can you name this personality??

Monday, May 12, 2008

Lessons from a Worm: MUHAHAHA WORM

Wow... so cool... after a looooong time I'm updating my blog... so, Blogger, are you sad?
Anyway, something cool happened, and that's why I felt I needed to blog this...
It was fun... maybe nothing great for most of you out there, but it was a new experience for...
My ambition is to join the security field... security, I mean computer security...
I love hacking and reading things related to this stuff [though I haven't hacked anything till now... :D ...I'm a noob, fellas]...
I happened to go to my friend's house for combined study; you know, end-semester exams are approaching for us...
There was this problem on his computer... it was called the "moohahah" virus... if you open Mozilla Firefox you get a message "i dont hate firefox but if u dont use IE....". If you click OK on that message, Firefox closes automatically, and every time you open Firefox you get the same thing...
Then... you open IE [frankly the stupidest browser of all] and navigate to www.orkut.com
...lol...
You get another message: " Orkut is banned u fool. ur administrator dint write this pgm...guess who did it.. muhahahaha "...

Great... same output for YouTube...
Hmm... we did a little Googling on this and figured out that this worm is quite famous and spreads through pen drives, for your information, people who don't know about this...
Moreover, these worms' hangout place is basically porn sites [;)]...
But it spreads mainly through pen drive transfers...

Coming back to the point... there were some online instructions on where this worm is generally located... a good antivirus can detect this...
But to get some exposure, we thought of getting our hands dirty...

Some Googling taught us that it is located in a folder called heap41 on the C drive:
C:/heap41/svchost.exe
That's our culprit... it's a hidden folder...
Don't waste your time trying to unhide it with the help of Folder Options etc....
You won't even have that option... :D
This worm has changed your registry entries, dude...
So, next idea... change the registry key, right?
Well, Googling for help told us that... but this virus has evolved, I guess...
Win+R opens the Run option... --> type regedit...
Guess what message I got: "regedit has been disable by ur administrator"...
WTF is this... I'm the administrator, you fool...
And Ctrl+Alt+Del doesn't work either... "task manager disabled by administr"...
WTF, WTF, WTF all over again...

So here comes the power of LINUX... for all Linux fans out there, this is a victory for us... [uh... just a little exaggeration, lol]
We booted using the latest MEPIS Linux live CD... no need even to install the OS...
Shifted to the Windows directory on C
And cool... all files are open to the naked eye... it's magic.
We found our culprit... changed its path to another folder because we needed to dissect this froggy to understand it a little more deeply...
Then booted back to Windows... enabled Task Manager... changed the registry key with the help of some tricks from the internet... thanks, world...

Now, talking about our muhahaha worm...
As soon as the USB is connected, it autoruns into the system... changes registry keys so that it starts at logon/startup...
Then does its work... changes other registry entries to hide all hidden files permanently... disables Task Manager and regedit...
We read the script of the worm... I guess it was Perl... could make out the logic of the code... that's something for a start... :D
There's this loop that keeps running... it keeps changing the registry entries however you change them [if you are able to open regedit]... then the loop also keeps executing the process called svchost.exe...
Guys, if you have the app called HijackThis, use it to create a log of all your running processes... you may get some unknown processes whose descriptions have names of people, e.g. Anoop is one such name a process's description gives... this is the worm...
Cool, na?
So next time you transfer something through a pen drive, make sure you have a firewall or a good anti-virus installed... Comodo Firewall is good in my opinion... it shows what process is trying to access what other processes, change registry keys, etc....
In a way, a virus or a worm can teach you a lot...
So what do you people out there feel after this little experience of two little aspiring programmers... it's not anything great, but do comment... hf
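As an added example (not the post's own code, and not the worm's script), here is a small Python checker that reads a registry export and flags the two things described above: the policy values that disable regedit and Task Manager, and an autorun entry that launches svchost.exe from a folder other than System32 (the C:\heap41 path). The sample .reg text is constructed; on a real machine you would feed it a `reg export` of the Policies\System and Run keys.

```python
import re

# Constructed sample of a .reg export (the format "reg export" writes), not a real capture.
# It mimics the post: regedit/Task Manager disabled by policy and a fake svchost.exe
# autorun from C:\heap41 beside a legitimate entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\\heap41\\svchost.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Policy values the post says the worm sets; 1 means the tool is disabled.
LOCKDOWN_VALUES = {"DisableRegistryTools", "DisableTaskMgr"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

def parse_reg(text):
    """Parse a .reg export into {key: {name: value}}; dwords become int, strings are unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            current[name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return keys

def find_indicators(text):
    """Return findings for the behaviour described: tool lockdown and a rogue svchost.exe autorun."""
    findings = []
    for key, values in parse_reg(text).items():
        for name, val in values.items():
            if name in LOCKDOWN_VALUES and val == 1:
                findings.append(f"{name} set under {key}")
            # The genuine svchost.exe only runs from the System32 directory.
            if RUN_KEY_RE.search(key) and isinstance(val, str):
                exe = val.strip().lower()
                if exe.endswith("svchost.exe") and "\\system32\\" not in exe:
                    findings.append(f"svchost.exe autorun outside System32: {val}")
    return findings
```

On the sample above, `find_indicators(SAMPLE_REG)` reports both disabled tools and the heap41 autorun, and leaves the ctfmon entry alone.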
