MEMZ

A computer infected with the MEMZ Trojan. Depicted is one of the malware's key payloads, a "screen tunneling" effect.

Type: Trojan horse
Authors: Leurak

Technical details
Platform: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10, Windows 11, Linux (via WineHQ), macOS (via WineHQ)
MEMZ is a trojan horse created for Microsoft Windows. [1] [2] [3] [4] [5] The name of the malware refers to its purpose as a humorous Trojan intended to replicate the effects of early computer viruses.

Origin

MEMZ was originally created by Leurak for YouTuber danooct1's Viewer-Made Malware series. [4] It was later featured by Joel Johansson, alias Vargskelethor, a member of the livestreaming group Vinesauce on his series Windows Destruction. Here, he demonstrated the trojan in action against a Windows 10 virtual machine [6] after being provided with a copy by danooct1.

Payloads

The trojan gained notoriety for its unique and complex payloads, which activate automatically one after another, some after a delay. Examples of payloads include displaying a Windows Notepad file that reads:

YOUR COMPUTER HAS BEEN FUCKED BY THE MEMZ TROJAN.

Your computer won't boot up again, so use it as long as you can! :D

Trying to kill MEMZ will cause your system to be destroyed instantly, so don't try it :D

Others include randomly moving the cursor slightly; opening satirical Google searches under Google.co.ck, such as "how to remove a virus" and "how to get money", in the user's web browser; reversing text; and opening various random Microsoft Windows programs, such as the calculator or the command prompt. True to the program's name, many parts of the trojan are based on Internet memes; for example, the trojan overwrites the boot sector with an animation of Nyan Cat. [1] [2] [3] [4] [5] Leurak also created a safer version of MEMZ called MEMZ-Clean. The clean version allows the non-destructive payloads to be tested safely and gives the user full control over which payloads are active. [7]
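The boot-sector overwrite is the payload that actually renders the machine unbootable, and it is also the one a defender can check for most directly: keep a known-good hash of the first disk sector and compare it periodically. The script below is an added example, not code from the article or from MEMZ itself; the 512-byte sector it inspects is constructed in memory (on a real system the sector would be read from the disk device with administrative privileges), the boot code bytes are placeholders, and the partition layout is invented for the example.

```python
"""Boot-sector (MBR) integrity check: added example, not from the MEMZ article.

Keeps a baseline SHA-256 of the first 512 bytes of a disk and flags a sector
that no longer matches it, has lost its 0x55AA boot signature, or carries an
implausible partition table. All sector data here is constructed in memory.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR: placeholder boot code, one NTFS partition, signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    # Entry 1 (constructed): bootable flag 0x80, type 0x07 (NTFS),
    # CHS fields left zero, LBA start 2048, 1,000,000 sectors long.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        2048, 1_000_000)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def sector_hash(sector: bytes) -> str:
    """SHA-256 hex digest used as the stored baseline."""
    return hashlib.sha256(sector).hexdigest()


def partition_table_plausible(sector: bytes) -> bool:
    """Every entry must be empty or have a sane boot flag, a type and a nonzero size,
    and at most one entry may be marked active."""
    if len(sector) < SECTOR_SIZE:
        return False
    active = 0
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector[off:off + 16]
        if entry == b"\x00" * 16:
            continue
        flag, ptype = entry[0], entry[4]
        _start, size = struct.unpack_from("<II", entry, 8)
        if flag not in (0x00, 0x80) or ptype == 0 or size == 0:
            return False
        if flag == 0x80:
            active += 1
    return active <= 1


def check_boot_sector(sector: bytes, baseline_hash: str) -> dict:
    """Return individual findings plus an overall 'tampered' verdict."""
    findings = {
        "length_ok": len(sector) == SECTOR_SIZE,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partition_table_ok": partition_table_plausible(sector),
        "hash_match": sector_hash(sector) == baseline_hash,
    }
    findings["tampered"] = not all(findings.values())
    return findings


def demo() -> tuple:
    """Baseline a good sector, then check three cases: unchanged, wiped, boot code swapped."""
    good = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")   # placeholder boot code bytes
    baseline = sector_hash(good)
    wiped = bytes([0x90]) * SECTOR_SIZE                 # signature and table gone
    swapped = build_sample_mbr(b"\xeb\xfe")             # table intact, boot code replaced
    return (check_boot_sector(good, baseline),
            check_boot_sector(wiped, baseline),
            check_boot_sector(swapped, baseline))


if __name__ == "__main__":
    for label, result in zip(("unchanged", "wiped", "boot code swapped"), demo()):
        print(f"{label}: {result}")
```

The hash comparison alone catches any change; the signature and partition-table checks are there so the report tells the operator what kind of change happened when no baseline exists yet (a wiped sector versus one that keeps its partition table but runs different boot code).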

VineMEMZ Variation

A variant of MEMZ, dubbed "VineMEMZ", was coded by Leurak as a gift to Johansson after the livestream featuring the original MEMZ gained significant traction. This version of MEMZ is similar to the original, but features many references to Vinesauce, especially Johansson's other game streams, such as the bootleg game 7 Grand Dad and the adware program BonziBuddy. This variant has also been released to the public. [8]

VineMEMZ running on Windows 11. Depicted is one of its payloads, the Christmas light effect, which changes the screen colour; in this image it is set to pink. Half of the payloads have executed at this point.


References

  1. White, Daniel (July 8, 2016). "Viewer-Made Malware 8 - MEMZ (Win32) (flashing lights warning)". YouTube. Retrieved December 21, 2018.
  2. Dean, Madeleine (August 26, 2016). "MEMZ virus: what is it and how it affects Windows PC?". Windows Report. Archived from the original on July 5, 2018. Retrieved December 21, 2018.
  3. Oberhaus, Daniel (July 9, 2016). "Watch This Malware Turn a Computer into a Digital Hellscape". Motherboard. Retrieved December 21, 2018.
  4. Maiberg, Emanuel (July 30, 2016). "Preserving the Ancient Art of Getting Pwned". Motherboard. Retrieved December 21, 2018.
  5. Kushman. "Hãy xem cách Malware biến máy tính của bạn thành một địa ngục số kinh hoàng như thế nào". GenK (in Vietnamese). Retrieved December 21, 2018.
  6. Leurak (July 24, 2016). "[Vinesauce] Joel tries out the MEMZ Trojan (with chat)". Retrieved June 26, 2019.
  7. "MEMZ 4.0 - The clean version (including download)". KC Protrade Services Inc. June 1, 2017. Retrieved April 14, 2021.
  8. danooct1. "VineMEMZ (Win32)". YouTube. Retrieved December 8, 2019.