FANDOM


  MEMZ is a custom-made trojan on Microsoft Windows, originally created for Danooct1's Viewer-Made Malware series and intended to ridicule 'script kiddies'. It has gained fame and notoriety due to its highly-complex and unique payloads, usually internet memes as payloads. Mainly thought out as a joke virus.

Description

MEMZ is a trojan for Microsoft Windows. It was originally created for danooct1's "Viewer-Made Malware" series. This trojan has quite a few payloads, which all automatically activate after each other, with some delay.

It is available as a .exe file and a batch version. The batch version works like a self-extracting archive, which just extracts and runs the .exe out of itself.

Payloads

On newer versions of MEMZ, it gives a warning to the user not to run it on a physical machine as it will damage it and advises the user to run on a virtual machine.

If the user clicks OK to the two warning messages, MEMZ will run. When MEMZ is run, it will leave a note titled note.txt for you telling the user that they will not be able to use the computer anymore after rebooting it:

YOUR COMPUTER HAS BEEN FUCKED BY THE MEMZ TROJAN.


Your computer won't boot up again,
so use it as long as you can!

:D
                    
Trying to kill MEMZ will cause your system to be
destroyed instantly, so don't try it :D

At the same moment, the computer's Master Boot Record is overwritten by MEMZ.

The payloads are meant to work on Windows XP and up, and fails on all versions of Windows 9x, and Windows 2000 and below. However, the final payload listed below still works on all versions of Windows.

Killing MEMZ via Task Manager or shutting down will cause a crash, as elaborated below. The moment you see this message and your computer runs on legacy BIOS, your operating system has already been replaced by a "Nyan Cat" animation, running as a custom bootloader, and your partition table will more likely be destroyed. If the drive uses GPT rather than MBR, "Nyan Cat" does not appear on startup, but the computer will still fail to boot anyways as the Windows Boot Manager will be unsuccessful.

The first payload inside of Windows is opening random websites, as well as Google searches at Google.co.ck (.ck is the country code top-level domain for the Cook Islands):

  • Google.co.ck web searches for...
    • best way to kill yourself
    • how 2 remove a virus
    • mcaffee vs norton
    • how to send a virus to my friend
    • minecraft hax download no virus
    • how to get money
    • bonzi buddy download free
    • how 2 buy weed
    • how 2 get weed out of ur system
    • how to code a virus in visual basic
    • what happens if you delete system32
    • g3t r3kt
    • batch virus download
    • virus.exe
    • internet explorer is the best browser
    • facebook hacking tool free download no virus working 2016
    • virus builder legit free download
    • how to create your own ransomware
    • how to remove memz trojan virus
    • my computer is doing weird things wtf is happenin plz halp
    • dank memz
    • how to download memz
    • half life 3 release date
    • is illuminati real
    • montage parody making program 2016
    • the memz are real
    • stanky danky maymays
    • john cena midi legit not converted
    • vinesauce meme collection
    • skrillex scay onster an nice sprites midi
  • answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
  • motherboard.vice.com/read/watch-this-malware-turn-a-computer-into-a-digital-hellscape
  • play.clubpenguin.com (redirects to www.clubpenguinisland.com/download/)
  • pcoptimizerpro.com
  • softonic.com

It may also open one of the following Windows applications:

  • calc.exe (Calculator)
  • notepad.exe (Notepad)
  • cmd.exe (Command Prompt)
  • write.exe (WordPad)
  • regedit.exe (Registry Editor)
  • explorer.exe (Windows Explorer)
  • taskmgr.exe (Task Manager)
  • msconfig.exe (System Configuration)
  • mspaint.exe (Paint)
  • devmgmt.msc (Device Manager)
  • control.exe (Control Panel)
  • mmc.exe (Microsoft Management Console)
Error lol

The "still using this computer?" error message

After a while, the trojan will start moving the mouse slightly, and messages taunting the user appear, getting more violent and rapid as time progresses. A bit after that, error icons start appearing everywhere and at the location of your mouse, plays many error sounds, and it will eventually take screenshots of your desktop and place them on top of each other, getting smaller and smaller each time (known as the "Tunnel" effect). It gets faster as time passes on. 

Trying to end the MEMZ process will, as mentioned above, pop up tons of message boxes containing "leetspeek" , and then crash the computer to a BSOD with error code 0xC0000022.

Rip pc

An example of some of the error messages when MEMZ.exe is closed

Here is a list of messages:

  • YOU KILLED MY TROJAN! Now you are going to die.
  • REST IN PISS, FOREVER MISS
  • I WARNED YOU...
  • HAHA N00B L2P G3T R3KT
  • You failed at your 1337 h4x0r skillz
  • YOU TRIED SO HARD AND GOT SO FAR, BUT IN THE END, YOUR PC WAS STILL FUCKED!
  • HACKER! ENJOY BAN!
  • GET BETTER HAX NEXT TIME xD
  • HAVE FUN TRYING TO RESTORE YOUR DATA :D
  • |\\/|3|\\/|2
  • BSOD INCOMING
  • VIRUS PRANK (GONE WRONG)
  • ENJOY THE NYAN CAT
  • Get dank antivirus m9!
  • You are an idiot! HA HA HA HA HA HA HA
  • #MakeMalwareGreatAgain
  • SOMEBODY ONCE TOLD ME THE MEMZ ARE GONNA ROLL ME
  • Why did you even tried to kill MEMZ? Your PC is fucked anyway.
  • SecureBoot sucks.
  • gr8 m8 i r8 8/8
  • Have you tried turning it off and on again?
  • <Insert Joel quote here>
  • Greetings to all GAiA members!
  • Well, hello there. I don't believe we've been properly introduced. I'm Bonzi!
    • 'This is everything I want in my computer' – danooct1 2016 (not included in original version)
    • 'Uh, Club Penguin. Time to get banned!' – danooct1 2016 (not included in original version)

Restarting the computer shows the final payload, which relies on the first hard drive's MBR having been overwritten earlier (this also works on Windows 2000/ME and below, but does not work with GPT drives). Instead of booting into the operating system, the computer will display the message using a typewriter effect:

"Your computer has been trashed by the MEMZ Trojan. Now enjoy the Nyan Cat..."

This is followed by an animation of the Nyan Cat being played with the PC speakers producing the well-known soundtrack for the animation.

Ezgif.com-video-to-gif (3)

The custom Nyan Cat MBR

The last payload may not always work, and the computer may boot normally. If the computer was running UEFI BIOS, the computer still boots without Nyan Cat, however the partition table is still destroyed and Windows Boot Manager will become unsuccessful regardless.

Full List of Payloads

MEMZtrojanwin
According to Leurak
  • Random websites/random web searches open and random applications being opened
  • Movement of mouse cursor
  • Random keyboard input
  • Error sounds (varies by operating system)
  • Inverting colors
  • Message boxes poping up
  • Drawing error icons
  • Most text reversed (including the Start button text in Windows XP)
  • Screencap whole screen ("tunnel effect")
  • Screen glitches occur
  • MBR overwritten. Partition table may also be destroyed.

Other payloads (added later)

  • random 8-bit sounds

Name

The MEMZ trojan is a misspelling on the word "Memes". This is why most parts of this trojan contain "leetspeek" and random web searches, Nyan Cat, and references to Materialisimo's video "MLG Antivirus". The creator of this trojan, Leurak, makes a few Joke Programs, like the Illuminati Joke Program, and the Earthquake joke program. Leurak's Channel
MEMZ 403:31

MEMZ 4.0 - The clean version (Including Download)

Showcase of the clean version

Viewer-Made Malware 8 - MEMZ (Win32) (flashing lights warning)09:14

Viewer-Made Malware 8 - MEMZ (Win32) (flashing lights warning)

Danooct1's video on MEMZ

Clean Version

MEMZ 4.0 Clean Version is a test release of the trojan, which allows users to replicate the virus's audiovisual payloads itself. This version does not include the MBR overwrite, therefore allowing the PC to operate even after reboot, and uses a window with buttons for triggering/toggling payloads.

Leurak, the creator of the MEMZ trojan, recommends that the clean version of MEMZ is first tested on a virtual machine before it is used on a real one.

VineMEMZ

VineMEMZ is a variant of MEMZ, meant for Vinesauce Joel's Windows 10 Destruction. It is modified to only include Vinesauce-specific memes, like BonziBUDDY and the "flaming super-death sword" from CursorMania.

When started it will open a note saying:

Thanks Joel for showing off my trojan on stream!
Please wait some time until the last payload activates, which is a very special one.
Hqdefault-0

The picture of John Cena

Payloads

  • Background changed to a edited version of a picture of Peter Norton
  • Plays a MIDI version of "Scary Monsters and Nice Sprites" by Skrillex
  • Spawns an animated Christmas tree on the Desktop
  • Random websites and web searches of different variety, such as "snow halation midi", open
  • Multiple copies of a picture of John Cena appear and move over the desktop in a wave pattern
  • Plays the same random sounds in the background as the original MEMZ
  • Instructional audio from the download website Softonic is played
  • After a while, the final payload occurs - explorer.exe is terminated, the screen goes black, and then after a few message boxes, a BonziBUDDY copy is run with a button to end the process. Ending the process will crash the computer.
  • The MBR payload is replaced with a modified version of the title screen of the bootleg Mario game "7 GRAND DAD" which Joel once played, where the Mario lookalike is replaced with Felix the Cat ripping his face open, which is taken from an unlicensed Felix the Cat game for the Sega Genesis that Joel played on a different stream. The text "PUSH START BUTTON!" is replaced with "Thanks Joel for your awesome Streams!".
VineMEMZ (Win32)11:28

VineMEMZ (Win32)

Danooct1's video on VineMEMZ

Recognition

This trojan has gotten recognition ever since Danooct1 uploaded his review, for which it was originally made. Joel from Vinesauce used it in his "Windows 10 Destruction" stream, where he showcases MEMZ near the ending of the first livestream. He also thanks Danooct1 for helping with acquiring the trojan.
-Vinesauce- Joel - Windows 10 Destruction13:53

-Vinesauce- Joel - Windows 10 Destruction

Vinesauce Joel's Windows 10 Destruction

Many other people prank call IT scammers to 'help' them with removal of MEMZ on a virtual machine.

Removal

Capture-0

Windows reinstall setting.

The destructive version of MEMZ overwrites the first 64 KB of the first HDD. This affects the MBR and the partition table. By using bootable recovery media, such as a system restore, an MBR restore, a Windows installation disc/Windows reinstall or Linux-based live media, it should be possible to recover that.

MEMZ Removal02:36

MEMZ Removal.0 - Removal Video

MEMZ is also killable inside of Windows, using the command taskkill /f /im MEMZ.exe. This kills all processes of MEMZ without crashing the system. However, the HDD is still overwritten and Nyan Cat will launch after a reboot, requiring the user to repair the MBR using typical repair commands.

MEMZ Trojan on an EFI system (+ repair)09:10

MEMZ Trojan on an EFI system (+ repair)

Trivia

  • Contrary to popular belief, MEMZ isn't especially destructive, nor will it render computers inoperable. Users with basic knowledge on how to use the PC's recovery mode can easily return their computer to normal in a few minutes at most.
  • MEMZ officially only works on Windows XP or higher, it also runs on ReactOS, but is quite unstable and only the process terminating payload works. The clean version works on Linux under WINE, however, graphical payloads only work on certain Linux desktops/window managers. MEMZ works on Windows 95 and up (Windows 95, NT 4.0, 98, 2000, and ME), however, only the MBR payload works on 9x kernels (Windows 95, 98, and ME).
  • The source code of MEMZ can be found on GitHub.
  • It is currently unknown if MEMZ or other variants of this virus has entered the wild; Microsoft's own help desk has several questions related to MEMZ from confused (or inexperienced users) who ran the trojan without reading the warnings first, but as of 2017 there is no evidence that the trojan has been propagated through any traditional method. To prevent malicious users from deliberately spreading the trojan, currently only versions 4 (which has the disclaimer and non-destructive version bundled with the destructive version) and up are available to download.

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.