After completing the spreading routine, the worm will prevent access to Firefox. Anything linked to Firefox, including the installer, will be closed and replaced with the following Windows message.
USE INTERNET EXPLORER YOU DOPE I DNT HATE MOZILLA BUT USE IE OR ELSE...
The solution to this would be simple, just use Internet Explorer. However, the worm has added a list of blacklisted domains, which are all legit websites.
Trying to access these domains will display the following message and play a sound bite through the computer speakers.
<youtube/ORKUT> IS BANNED <youtube/Orkut> is banned you fool,The administrators didnt write this program guess who did?? MUHAHAHA!!
(All grammar mistakes are in-tact)
It will run in Task Manager as svchost under the user's username. The user can easily kill this process.
This virus also affects Google Chrome, it simply doesn't allow the user to access the blacklisted domains.
Once executed as "MicrosoftPowerPoint.exe" (the real executable name is POWERPNT.EXE), it will drop an autorun.inf file and a copy of itself to all drives on the system. Whenever the infected drives are installed onto another system, the worm will activate on that computer.