The YouTuber FlyTech Videos created the first version of this virus, which showed a website that automatically tried to download 000.exe; the website contained a hyperlink with a green background. After development, he made a video about it on his Windows 8 virtual machine, explaining its payloads.
In mid-2016, FlyTech Videos released a video on its development stages and gave a download link for the virus. Shortly after, a YouTube user, Gigabyte_Forever, demonstrated how to disinfect a Windows operating system affected by this type of virus.
Payloads
When executed, a User Account Control dialog box appears (only in Windows Vista and onward) asking the user whether they want to execute the program.
This virus uses a few payloads from other pieces of malware, such as Maldal. When fully executed, explorer.exe is terminated, and the virus also attempts to remove the contents of the WindowsApps folder, which contains installed Windows Universal Apps (only in Windows 8 and 10). A video clip loops in the background. The video shows a picture of a scary road changing color from orange, to green, to black and white, and to intense black and white.
During video playback, the virus will disable Task Manager, change the user's Windows account name to "UR NEXT", change the default Notepad icon to a custom .ico file, and reboot the user's computer once it has finished its first payload.
The second payload occurs when the computer is restarted. The user is greeted with many changes to the computer: the desktop wallpaper is changed, the accent color is black, and the desktop is filled with "UR NEXT" Notepad files (as it uses Maldal's payloads). The default Notepad icon is changed to a red square with "UR" and "NEXT", the former stacked on top of the latter. Opening a "UR NEXT" file, the user will see seemingly infinite lines of "UR NEXT".
Once Windows is loaded, a dialog box appears containing the message "run away", followed by a "run away" button. Each second, a new dialog box with the same message appears, nonstop. Clicking the "run away" button closes the message.
If a user opens the "OPENME" (repeated name) WordPad file, the user will see the text from the file:
YOU ARE THE NEXT, I CAN SEE YOU NOW ITS TOO LATE I GOT YOU....... YOU HAVE BEEN WARNED DONT LOOK BEHIND YOU
The WordPad file is named "OPENME" (repeated name) to persuade the user to open it. The file's message is that "a serial killer is behind you to stab you, that is why don't look behind you." There have been no reports of serial killers linked to this virus; this is likely just intended to frighten those with infected devices.
Windows 10 and Windows 8
While the never-ending pop-ups are appearing, right-click the Start button and click "Command Prompt (Admin)". Type in the following command: taskkill /f /im conhost.exe. The command stops new pop-ups from appearing, but does not close the existing ones. After that, Command Prompt should close. Once it has closed, reopen it. Then type in the following command: taskkill /f /im runaway.exe. The command closes all the pop-ups. Do not close the Command Prompt window.
From the Command Prompt window, type in the command: cd C:/users/[the user's account name]/Desktop (the account name can be found in C:/Users; the name of the folder with a padlock is the user's account name). Then type in: del *.* /s /q. Before typing in that command, make backups, as the command deletes everything on the user's desktop. One way of making backups is to create a new folder on Local Disk (C: or D:) and name it My Important Desktop Files. Select the most important files on the desktop, press Ctrl+X, navigate to the My Important Desktop Files folder on Local Disk (C: or D:), and finally press Ctrl+V. The transfer may take several minutes. Once the transfer is complete, the user can use the command.
After the "UR NEXT" files are deleted from the desktop, navigate to the My Important Desktop Files folder on Local Disk (C:/D:), press Ctrl+A and then Ctrl+X, go to the desktop, and finally press Ctrl+V. Wait for the transfer to complete.
Then press Win+R to open the Run box. Type in %temp% in the Run box and press Enter.
A window showing the Temp folder opens. From there, the user can see that the virus has written some files, including the video used in the virus.
The files are:
- "icon.ico" is the "UR NEXT" icon.
- "v.mp4" is the video of the virus.
- "windl.bat" is the virus's code.
If the user wants to, the user can now delete the files in the folder, except for the subfolders. The Temp folder is where all of the temporary files are located.
Now delete the 7DDA.tmp folder.
Then create a text document, and copy and paste the following source code into it:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-

Then save the document as a .reg file. Open the .reg file.
Right-click the desktop and click Personalize. In the Background section, click Solid color and choose Picture. Choose the first picture, which is the leftmost one. Then refresh the desktop. Restart the computer.
Open Task Manager and navigate to Startup. Find miw.exe in the process list and click Open file location. The user will then see two files in the window that opens, miw.exe and desktop.ini. Delete the files.
Search "user" and open User Accounts. From here the user can change the username back, or change it to a new one. Click Change your account name. In the New account name box, type in the original username or the new username, and then click Change Name.
After all of this, restart for the changes to take effect.
To correct the "UR NEXT" icons on all TXT files, download FileTypesMan and find TXT, and then replace the contents of the Default Icon field of the TXT format with "C:\Windows\System32\imageres.dll,7".
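The removal steps above can be checked with a read-only triage script. This is an added example, not code from the video or from the virus's author: it only looks for the artifacts named on this page and changes nothing. The function name Get-TripleZeroIndicator is hypothetical, and the location of 7DDA.tmp (under Temp) and the "UR NEXT*" file-name pattern are assumptions.

```powershell
# Added example: read-only check for leftovers named on this page.
# Nothing is deleted or modified; clean up manually with the steps above.
function Get-TripleZeroIndicator {
    $findings = @()

    # Files the page lists in the Temp folder (7DDA.tmp is assumed to live there too).
    foreach ($name in 'icon.ico', 'v.mp4', 'windl.bat', '7DDA.tmp') {
        $path = Join-Path $env:TEMP $name
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Check = 'TempArtifact'; Detail = $path }
        }
    }

    # The pop-up process the page terminates with taskkill.
    Get-Process -Name 'runaway' -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Check = 'Process'; Detail = "runaway.exe PID $($_.Id)" }
    }

    # The Task Manager policy value that the .reg file above removes.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $key -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
    if ($policy -and $policy.DisableTaskMgr -ne 0) {
        $findings += [pscustomobject]@{ Check = 'Registry'; Detail = "DisableTaskMgr=$($policy.DisableTaskMgr)" }
    }

    # Startup entries (Run keys and Startup folders) that reference miw.exe.
    Get-CimInstance -ClassName Win32_StartupCommand |
        Where-Object { $_.Command -like '*miw.exe*' } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Check = 'Startup'; Detail = "$($_.Location): $($_.Command)" }
        }

    # "UR NEXT" files on the desktop (the name pattern is an assumption).
    $desktop = [Environment]::GetFolderPath('Desktop')
    $count = @(Get-ChildItem -LiteralPath $desktop -Filter 'UR NEXT*' -File -ErrorAction SilentlyContinue).Count
    if ($count -gt 0) {
        $findings += [pscustomobject]@{ Check = 'Desktop'; Detail = "$count 'UR NEXT' file(s) in $desktop" }
    }

    $findings
}

Get-TripleZeroIndicator | Format-Table -AutoSize
```

An empty result after the final restart means none of these leftovers were found for the current user; run it again under each affected account, since the Temp folder, desktop and HKCU policy are per-user.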
Making of the virus
According to the MAKING OF video of this virus, which is owned by the creator of this virus, this project was written in C# and Batch. It also said that the project consists of three main parts: 1) the window (containing a video view); 2) the "view logic", which loads the video and changes some registry keys; and 3) a batch file that does some tasks while the video is playing. In the EXE properties, of course, everything is set as "000". It also said that the program needs admin rights, so this is defined inside the app's manifest. He also said that he rebuilt this virus from scratch. To know more about the virus, play the video at the right.
- The first version of this virus had a website from which to download it. FlyTech Videos hasn't given the URL of the website from which to download 000.exe.
- The user can find the source code of this virus in the removal video, at the part where the removal demonstrator opens "windl.bat" in Notepad.