FANDOM



MEMZ is a custom-made trojan for Microsoft Windows, originally created for the popular YouTuber Danooct1's Viewer-Made Malware series as a parody of a script kiddie's idea of dangerous malware. It has gained fame and notoriety due to its highly complex and unique payloads, many of which are based around internet memes. MEMZ is mainly thought of as a joke trojan.

Description

MEMZ is a trojan for Microsoft Windows. It was originally created for danooct1's "Viewer-Made Malware" series. This trojan has quite a few payloads, which all automatically activate after each other, with some delay.

It is available as an executable .exe file and a batch version. The batch version works like a self-extracting archive, which just extracts and runs the .exe out of itself.

Payloads

Newer versions of MEMZ Destructive, 4.0 and up, warn the user not to run it on a physical machine as it will damage it and advise the user to run the trojan on a virtual machine.

If the user answers Yes to both warning messages, MEMZ will run. At the same time, it will leave a note titled note.txt for the user saying that they will not be able to use the computer anymore after rebooting it[1]:

YOUR COMPUTER HAS BEEN FUCKED BY THE MEMZ TROJAN.


Your computer won't boot up again,
so use it as long as you can!

:D
 
 Trying to kill MEMZ will cause your system to be 
 destroyed instantly, so don't try it :D

At the same moment, the computer's Master Boot Record is overwritten by MEMZ.

Run MEMZ Trojan on Mac OS X

Run MEMZ Trojan on Mac OS X

MEMZ running under Mac OS X 10.8 Mountain Lion, after being converted with WineBottler. As seen here, only the dialog box and MBR overwriting payloads are functional.

The payloads are meant to work on Windows XP and up, failing on all versions of Windows 9x, especially Windows 98 and below. However, the MBR overwrite payload works on all Windows versions from 95 onwards. It is also possible to launch MEMZ on Mac OS X by converting it from .exe to .app with WineBottler or launching the .exe in Wine or Crossover, although only the dialog box and MBR overwriting payload are functional.

MEMZ Destructive launches multiple instances of itself - one renders the payloads, while the other guard each other and trigger killWindows()[2], which creates a rain of message boxes and crashes the PC as elaborated further down.

The MBR payload written while note.txt gets opened is a "Nyan Cat" animation running as a custom bootloader, and this write is likely to break your partition table. If the installed system uses an EFI bootloader, "Nyan Cat" does not appear on startup due to different booting schemes, but the computer will still fail to boot as the EFI system partition will be impossible to find due to the partition table being broken.

The first payload inside of Windows is opening random websites, as well as Google searches at Google.co.ck (.ck is the country code top-level domain for the Cook Islands). The following can appear[3]:

  • Google.co.ck web searches for...
    • best way to kill yourself
    • how 2 remove a virus
    • mcaffee vs norton
    • how to send a virus to my friend
    • minecraft hax download no virus
    • how to get money
    • bonzi buddy download free
    • how 2 buy weed
    • how 2 get weed out of ur system
    • how to code a virus in visual basic
    • what happens if you delete system32
    • g3t r3kt
    • batch virus download
    • virus.exe
    • internet explorer is the best browser
    • facebook hacking tool free download no virus working 2016
    • virus builder legit free download
    • how to create your own ransomware
    • how to remove memz trojan virus
    • my computer is doing weird things wtf is happenin plz halp
    • dank memz
    • how to download memz
    • half life 3 release date
    • is illuminati real
    • montage parody making program 2016
    • the memz are real
    • stanky danky maymays
    • john cena midi legit not converted
    • vinesauce meme collection
    • skrillex scay onster an nice sprites midi
  • answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
  • motherboard.vice.com/read/watch-this-malware-turn-a-computer-into-a-digital-hellscape
  • play.clubpenguin.com (redirects to www.clubpenguinisland.com/download/)
  • pcoptimizerpro.com
  • softonic.com

It may also open one of the following Windows applications:

  • calc.exe (Calculator)
  • notepad.exe (Notepad)
  • cmd.exe (Command Prompt)
  • write.exe (WordPad)
  • regedit.exe (Registry Editor)
  • explorer.exe (Windows Explorer)
  • taskmgr.exe (Task Manager)
  • msconfig.exe (System Configuration)
  • mspaint.exe (Paint)
  • devmgmt.msc (Device Manager)
  • control.exe (Control Panel)
  • mmc.exe (Microsoft Management Console)
Error lol

The "still using this computer?" error message

After a while, the trojan will start randomly moving the mouse slightly, and messages taunting the user appear (see image), getting more violent and rapid as time progresses. A bit later, warning icons get drawn at random coordinates and error icons get drawn below the cursor by PayloadDrawErrors, the trojan plays error sounds through the PayloadSound payload, and the PayloadTunnel payload copies your screen's contents and place them on top of your screen, getting smaller and smaller each time (known as the "Tunnel" effect). It gets faster as time passes on. 

Trying to end the MEMZ process will, as mentioned above, start killWindows(), which pops up tons of message boxes containing "leetspeek" messages, and then crash the computer to a BSOD using NtRaiseHardError, an undocumented ntdll call, with error code 0xC0000022.

Rip pc

An example of some of the error messages when MEMZ.exe is closed

Here is a list of the messages that this payload shows[4]:

  • YOU KILLED MY TROJAN! Now you are going to die.
  • REST IN PISS, FOREVER MISS
  • I WARNED YOU...
  • HAHA N00B L2P G3T R3KT
  • You failed at your 1337 h4x0r skillz
  • YOU TRIED SO HARD AND GOT SO FAR, BUT IN THE END, YOUR PC WAS STILL FUCKED!
  • HACKER! ENJOY BAN!
  • GET BETTER HAX NEXT TIME xD
  • HAVE FUN TRYING TO RESTORE YOUR DATA :D
  • |\\/|3|\\/|2
  • BSOD INCOMING
  • VIRUS PRANK (GONE WRONG)
  • ENJOY THE NYAN CAT
  • Get dank antivirus m9!
  • You are an idiot! HA HA HA HA HA HA HA
  • #MakeMalwareGreatAgain
  • SOMEBODY ONCE TOLD ME THE MEMZ ARE GONNA ROLL ME
  • Why did you even tried to kill MEMZ? Your PC is fucked anyway.
  • SecureBoot sucks.
  • gr8 m8 i r8 8/8
  • Have you tried turning it off and on again?
  • <Insert Joel quote here>
  • Greetings to all GAiA members!
  • Well, hello there. I don't believe we've been properly introduced. I'm Bonzi!
    • 'This is everything I want in my computer' – danooct1 2016 (not included in original version)
    • 'Uh, Club Penguin. Time to get banned!' – danooct1 2016 (not included in original version)

Restarting the computer shows the final payload, dropped earlier during the MBR overwrite (this also works on Windows 2000/ME and below, but does not work with systems that use EFI bootloaders). Instead of booting into the operating system, the computer will display the message using a typewriter effect:

"Your computer has been trashed by the MEMZ Trojan. Now enjoy the Nyan Cat..."

This is followed by an animation of the Nyan Cat being played with the PC speakers producing the well-known soundtrack for the animation.

Ezgif.com-video-to-gif (3)

The custom Nyan Cat MBR

The last payload may not always work, and the computer may boot normally. If the installed system uses an EFI bootloader, the computer still boots without Nyan Cat due to the different boot process, however the partition table is still destroyed and the EFI system partition cannot be found.

Full List of Payloads

MEMZtrojanwin
According to Leurak (parentheses contain payload names or locations in source code)
  • Random websites/random web searches open and random applications being opened (PayloadExecute)
  • Movement of mouse cursor (PayloadCursor)
  • Random keyboard input (PayloadKeyboard)
  • Error sounds (varies by operating system) (PayloadSound)
  • Inverting colors (PayloadInvert)
  • Message boxes popping up (PayloadMessageBox)
  • Drawing error icons (PayloadDrawErrors)
  • Most text reversed (including the Start button text in Windows XP) (PayloadReverseText)
  • Screencap whole screen ("tunnel effect") (PayloadTunnel)
  • Screen glitches occur (PayloadScreenGlitches)
  • MBR overwritten. Partition table may also be destroyed. (part of Destructive/Main.c)

Other payloads (added later)

  • random 8-bit sounds in the style of the Crazy Bus game (PayloadCrazyBus)[5]

Name

The MEMZ trojan is a leetspeek-style misspelling of the word "Memes". This is why most parts of this trojan contain leetspeek and random web searches, Nyan Cat, and references to Materialisimo's video "MLG Antivirus". The creator of this trojan, Leurak, makes a few Joke Programs, like the Illuminati Joke Program, and the Earthquake joke program. Leurak's Channel
MEMZ 4

MEMZ 4.0 - The clean version (Including Download)

Showcase of the clean version

Viewer-Made Malware 8 - MEMZ (Win32) (flashing lights warning)

Viewer-Made Malware 8 - MEMZ (Win32) (flashing lights warning)

Danooct1's video on MEMZ

Clean Version

MEMZ 4.0 Clean Version is a benign version of the trojan, which allows users to replicate the trojan's audiovisual payloads itself. This version does not include the MBR overwrite, therefore allowing the PC to operate even after reboot, and uses a dialog box for triggering/toggling payloads.

Leurak, the creator of the MEMZ trojan, recommends that the clean version of MEMZ is first tested on a virtual machine before it is used on a real one.

VineMEMZ

VineMEMZ is a variant of MEMZ, created for Vinesauce Joel's Windows 10 Destruction. It is modified to only include Vinesauce-specific memes, like BonziBUDDY and the "burning super-death sword" from CursorMania.

When started it will open a note saying:

Thanks Joel for showing off my trojan on stream!
Please wait some time until the last payload activates, which is a very special one.

At the same time, the alternate MBR payload gets written.

Protection

The image of Peter Norton on VineMEMZ

Hqdefault-0

The picture of John Cena

Payloads

  • Background changed to a edited version of a picture of Peter Norton, from Mac Destruction (payloadChangeDesktop)
  • Plays a MIDI version of "Scary Monsters and Nice Sprites" by Skrillex, from Windows 7 Destruction
  • Spawns an animated Christmas tree on the Desktop, from Windows 7 Destruction (payloadTree)
  • Random websites and web searches of different variety, such as "snow halation midi", open (payloadExecute)
  • The cursor changes to the "burning super-death sword" from CursorMania (payloadChangeCursor)
  • Simplistic penis gets spraypainted with the MS Paint spray tool to the desktop, accompanied by the Joel quote "Who's been drawing DICKS?" (payloadAnimation)
  • Multiple copies of a picture of John Cena appear and move over the desktop in a wave pattern in reference to Windows 8 Destruction (payloadAnimation)
  • The screen color-shifts slightly about once per second (payloadColors)
  • Random sounds: "succ" and "kup teraz" both courtesy of Joel, from Windows XP Destruction (payloadJoelSounds), as well as the 8-bit Crazy Bus-style sounds from the original MEMZ (payloadCrazyBus)
  • Instructional audio from the download website Softonic is played
  • After a while, the final payload occurs - explorer.exe is terminated, the screen goes black, and then after a few message boxes, a BonziBUDDY copy is run with a button to end the process. Ending the process will crash the computer. (payloadBonzi)
  • The MBR payload is replaced with a modified version of the title screen of the bootleg Mario game "7 GRAND DAD" which Joel once played, with the Mario lookalike replaced by Felix the Cat ripping his face open, which is taken from an unlicensed Felix the Cat game for the Sega Genesis that Joel played on a different stream. The text "PUSH START BUTTON!" is replaced with "Thanks Joel for your awesome Streams!". (MBR write is part of main.cpp, payload is an assembly program)
VineMEMZ (Win32)

VineMEMZ (Win32)

Danooct1's video on VineMEMZ

Recognition

This trojan has gotten recognition ever since Danooct1 uploaded his review, for which it was originally made. Joel from Vinesauce used it in his "Windows 10 Destruction" stream, where he showcases MEMZ near the ending of the first livestream. He also thanks Danooct1 for helping with acquiring the trojan.
-Vinesauce- Joel - Windows 10 Destruction

-Vinesauce- Joel - Windows 10 Destruction

Vinesauce Joel's Windows 10 Destruction

Many other people prank call IT scammers, asking them for 'help' with removal of MEMZ on a virtual machine.

Removal

Capture-0

Windows reinstall setting.

The destructive version of MEMZ overwrites the first 64 KB of the boot drive. This affects the MBR and the partition table. By using bootable recovery media, such as a Windows installation disc or Linux-based live media, it's possible to recover from this.

MEMZ Removal

MEMZ Removal.0 - Removal Video

MEMZ can be killed with tools provided by Windows using the command taskkill /f /im MEMZ.exe. This kills all the instances of MEMZ before they get a chance to notice, preventing killWindows() from being started. However, the drive is still overwritten and Nyan Cat will launch after a reboot, requiring the user to fix the MBR using typical repair commands.

MEMZ Trojan on an EFI system (+ repair)

MEMZ Trojan on an EFI system (+ repair)

Trivia

  • Contrary to popular belief, MEMZ isn't especially destructive, nor will it render computers inoperable forever. Users with basic knowledge on how to use the PC's recovery mode can easily return their computer to normal in a few minutes at most.
  • MEMZ officially only works on Windows XP or higher, it also runs on ReactOS, but is quite unstable and only the process terminating payload works. The clean version works on Linux under WINE, however, the audiovisual payloads only work on certain Linux desktops/window managers. MEMZ works on Windows 95 and up (Windows 95, NT 4.0, 98, 2000, and ME), however, only the MBR payload works on 9x systems (Windows 95, 98, and ME).
  • The source code of MEMZ can be found on Leurak's GitHub. The README.md file lists the dependencies, but the build procedure is – most likely intentionally – not described outright.
  • It is currently unknown if MEMZ or other variants of this trojan has entered the wild; Microsoft's own help desk has several questions related to MEMZ from confused (or inexperienced users) who ran the trojan without reading the warnings first, but as of 2018 there is no evidence that the trojan has been propagated through any traditional method. To prevent malicious users from deliberately spreading the trojan, currently only versions 4 (which has the disclaimer and non-destructive version bundled with the destructive version) and up are available to download.

Template

  • This virus is the subject of a template on this wiki, which is shown below.

References