MEMZ


MEMZ is a custom-made trojan for Microsoft Windows, originally created for Danooct1's Viewer-Made Malware series and intended to ridicule 'script kiddies'. It has gained fame and notoriety for its highly complex and unique payloads, which are usually based on internet memes.

Description

MEMZ is a trojan for Microsoft Windows. It was originally created for danooct1's "Viewer-Made Malware" series. The trojan has quite a few payloads, which activate automatically one after another, with some delay.

It is available as a .exe file and a batch version. The batch version works like a self-extracting archive, which just extracts and runs the .exe out of itself.

It can be run by clicking on it.

Payloads

Newer versions of MEMZ warn the user not to run it on a physical machine, as it will damage it, and advise running it on a virtual machine.

If the user clicks OK on the two warning messages, MEMZ will run. When MEMZ is run, it leaves a note telling the user that they will not be able to use the computer anymore after rebooting it:

YOUR COMPUTER HAS BEEN F*CKED BY THE MEMZ TROJAN.


Your computer won't boot up again,
so use it as long as you can!

:D
           
           Trying to kill MEMZ will cause your system to be
           destroyed instantly, so don't try it :D

At the same moment, the computer's Master Boot Record is overwritten by MEMZ. Note that the message above is uncensored.

The payloads are meant to work on Windows XP and up, and fail on Windows 2000/ME or below. However, the final payload listed below still works on all versions of Windows.

Killing MEMZ via Task Manager or shutting down will cause a crash, as elaborated below. If your computer runs on legacy BIOS, then by the moment you see this message your operating system has already been replaced by a "Nyan Cat" animation running as a custom bootloader, and your partition table has most likely been destroyed. If the drive uses GPT rather than MBR, "Nyan Cat" does not appear on startup, but the computer will still fail to boot anyway, as the Windows Boot Manager will be unsuccessful.

The first payload inside of Windows is opening random websites, as well as Google searches at Google.co.ck:

  • Google.co.ck web searches for...
    • best way to kill yourself
    • how 2 remove a virus
    • mcaffee vs norton
    • how to send a virus to my friend
    • minecraft hax download no virus
    • how to get money
    • bonzi buddy download free
    • how 2 buy weed
    • how to code a virus in visual basic
    • what happens if you delete system32
    • g3t r3kt
    • batch virus download
    • virus.exe
    • internet explorer is the best browser
    • facebook hacking tool free download no virus working 2016
    • virus builder legit free download
    • how to create your own ransomware
    • how to remove memz trojan virus
    • my computer is doing weird things wtf is happenin plz halp
    • dank memz
    • how to download memz
    • half life 3 release date
    • is illuminati real
    • montage parody making program 2016
    • the memz are real
    • stanky danky maymays
    • john cena midi legit not converted
    • vinesauce meme collection
    • skrillex scay onster an nice sprites midi
  • answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
  • motherboard.vice.com/read/watch-this-malware-turn-a-computer-into-a-digital-hellscape
  • play.clubpenguin.com
  • pcoptimizerpro.com
  • softonic.com

It may also open one of the following Windows applications:

  • calc.exe (Calculator)
  • notepad.exe (Notepad)
  • cmd.exe (Command Prompt)
  • write.exe (WordPad)
  • regedit.exe (Registry Editor)
  • explorer.exe (Windows Explorer)
  • taskmgr.exe (Task Manager)
  • msconfig.exe (System Configuration)
  • mspaint.exe (Paint)
  • devmgmt.msc (Device Manager)
  • control.exe (Control Panel)
  • mmc.exe (Microsoft Management Console)

[Image: the "still using this computer?" error message]

After a while, the trojan will start moving the mouse slightly, and messages taunting the user appear, getting more violent and rapid as time progresses. A bit after that, error icons start appearing everywhere and at the location of the mouse cursor, many error sounds play, and the trojan eventually takes screenshots of the desktop and places them on top of each other, getting smaller and smaller each time (known as the "Tunnel" effect). This gets faster as time passes.

Trying to end the MEMZ process will, as mentioned above, pop up tons of "leetspeak" messages and then crash the computer to a BSOD with error code 0xC0000022.

[Image: an example of some of the error messages when MEMZ.exe is closed]

Here is a list of messages (none of the messages are censored):

  • YOU KILLED MY TROJAN! Now you are going to die.
  • REST IN P*SS, FOREVER MISS
  • I WARNED YOU...
  • HAHA N00B L2P G3T R3KT
  • You failed at your 1337 h4x0r skillz
  • YOU TRIED SO HARD AND GOT SO FAR, BUT IN THE END, YOUR PC WAS STILL F*CKED!
  • HACKER! ENJOY BAN!
  • GET BETTER HAX NEXT TIME xD
  • HAVE FUN TRYING TO RESTORE YOUR DATA :D
  • |\\/|3|\\/|2
  • BSOD INCOMING
  • VIRUS PRANK (GONE WRONG)
  • ENJOY THE NYAN CAT
  • Get dank antivirus m9!
  • You are an idiot! HA HA HA HA HA HA HA
  • #MakeMalwareGreatAgain
  • SOMEBODY ONCE TOLD ME THE MEMZ ARE GONNA ROLL ME
  • Why did you even tried to kill MEMZ? Your PC is f*cked anyway.
  • SecureBoot sucks.
  • gr8 m8 i r8 8/8
  • Have you tried turning it off and on again?
  • <Insert Joel quote here>
  • Greetings to all GAiA members!
  • Well, hello there. I don't believe we've been properly introduced. I'm Bonzi!
    • 'This is everything I want in my computer' – danooct1 2016 (not included in original version)
    • 'Uh, Club Penguin. Time to get banned!' – danooct1 2016 (not included in original version)

Restarting the computer shows the final payload, which relies on the first hard drive's MBR having been overwritten earlier (this also works on Windows 2000/ME and below, but does not work with GPT drives). Instead of booting into the operating system, the computer will display the message using a typewriter effect:

"Your computer has been trashed by the MEMZ Trojan. Now enjoy the Nyan Cat..."

This is followed by an animation of the Nyan Cat being played with the PC speakers producing the well-known soundtrack for the animation.

[Image: the custom Nyan Cat MBR]

The last payload may not always work, and the computer may boot normally. If the computer uses UEFI, it starts up without showing Nyan Cat, but the partition table is still destroyed and Windows Boot Manager will fail regardless.

Full List of Payloads

According to Leurak
  • Random websites/random web searches open and random applications run
  • Movement of cursor
  • Random keyboard input
  • Error sounds (varies by operating system)
  • Screen inverting colors
  • Message boxes
  • Drawing error icons
  • Most text reversed (including the Start button text in Windows XP)
  • Screencap whole screen ("tunnel effect")
  • Screen glitches occur
  • MBR overwritten. Partition table may also be destroyed.

Other payloads (added later)

  • Crazy Bus-like random sounds

Name

[Video: MLG Antivirus]

The name MEMZ is a misspelling of the word "Memes". This is why most parts of this trojan contain "leetspeak", random web searches, Nyan Cat, and references to Materialisimo's video "MLG Antivirus". The creator of this trojan, Leurak, also makes a few joke programs, like the Illuminati joke program and the Earthquake joke program.

[Video: MEMZ 4.0 - The clean version (Including Download). Showcase of the clean version]

[Video: Viewer-Made Malware 8 - MEMZ (Win32) (flashing lights warning). Danooct1's video on MEMZ]

Clean Version

MEMZ 4.0 Clean Version is a test release of the trojan that lets users reproduce the trojan's audiovisual payloads themselves. This version does not include the MBR overwrite, so the PC still operates after a reboot, and it uses a window with buttons for triggering/toggling payloads.

Leurak, the creator of the MEMZ trojan, recommends that the clean version of MEMZ is first tested on a virtual machine before it is used on a real one.

VineMEMZ

VineMEMZ is a variant of MEMZ, meant for Vinesauce Joel's Windows 10 Destruction. It's modified to only include Vinesauce-specific memes, like BonziBUDDY and the "flaming super-death sword" from CursorMania.

When run it will leave a note saying:

Thanks Joel for showing off my trojan on stream!   Please wait some time until the last payload activates, which is a very special one.

[Image: the picture of John Cena]

Payloads

  • Background changed to Joel's edited version of a picture of Peter Norton
  • Plays a bad MIDI version of "Scary Monsters and Nice Sprites"
  • Spawns an animated Christmas tree
  • Random websites and web searches of different variety, such as "snow halation midi", open
  • Multiple copies of a picture of sad John Cena appear and move through the desktop in waves
  • Plays random sounds in the background, both error sounds and Crazy Bus-like sounds as in the normal edition
  • Instructional audio from the download website Softonic is played
  • After a while, the final payload occurs: explorer.exe is terminated, the screen goes black, and then, after a few message boxes, a BonziBUDDY copy is run with a button to end the process. Ending the process pops up the same message box as the original MEMZ when terminated and crashes the computer.
  • The MBR payload is replaced with a modified version of the title screen of the bootleg Mario game "7 GRAND DAD" which Joel once played, where the Mario lookalike is replaced with Felix the Cat ripping his face open, which is taken from an unlicensed Felix the Cat game for the Sega Genesis that Joel played on a different stream. The text "PUSH START BUTTON!" is replaced with "Thanks Joel for your awesome Streams!".

[Video: VineMEMZ (Win32). Danooct1's video on VineMEMZ]

Recognition

This trojan has gotten recognition ever since Danooct1 uploaded his review, for which it was originally made. Joel from Vinesauce used it in his "Windows 10 Destruction" stream, where he showcases MEMZ near the ending of the first livestream. He also thanks Danooct1 for helping with acquiring the trojan.

[Video: Vinesauce Joel's Windows 10 Destruction]

Many other people prank call IT scammers to 'help' them with removal of MEMZ on a virtual machine.

Removal

[Image: Windows reinstall setting]

The destructive version of MEMZ overwrites the first 64 KB of the first HDD. This affects the MBR and the partition table. Using bootable recovery media, such as a system restore, an MBR restore, a Windows installation disc/Windows reinstall or Linux-based live media, it should be possible to recover from this.

[Video: MEMZ Removal]

MEMZ is also killable inside of Windows, using the command taskkill /f /im MEMZ.exe. This kills all processes of MEMZ without crashing the system. However, the HDD is still overwritten and Nyan Cat will launch after a reboot, requiring the user to repair the MBR using typical repair commands.
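
An added example (not from this wiki or from the trojan's author): a read-only triage of a raw disk image for the damage described in this section, an overwritten MBR and partition table within the first 64 KB. The names `parse_mbr`, `triage` and `make_entry` and the three sample images are constructed for illustration; the backup-header check assumes the standard GPT layout (backup header in the last sector), which this page does not cover.

```python
import struct

SECTOR = 512
WIPED = 64 * 1024  # range the page says the destructive version overwrites

def parse_mbr(sector0: bytes) -> dict:
    """Decode the boot signature and the four primary partition entries."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    entries = []
    for i in range(4):
        raw = sector0[446 + 16 * i: 462 + 16 * i]
        lba_start, sectors = struct.unpack_from("<II", raw, 8)
        entries.append({"index": i, "status": raw[0], "type": raw[4],
                        "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector0[510:512] == b"\x55\xaa",
            "entries": [e for e in entries if e["type"] != 0]}

def triage(image: bytes) -> list:
    """List anomalies in a raw disk image acquired offline (never the live disk)."""
    findings = []
    mbr = parse_mbr(image)
    if not mbr["signature_ok"]:
        findings.append("no 0x55AA boot signature")
    if not mbr["entries"]:
        findings.append("partition table empty")
    for e in mbr["entries"]:
        if e["status"] not in (0x00, 0x80) or e["sectors"] == 0:
            findings.append(f"entry {e['index']} malformed")
    # The backup GPT header sits in the last sector, far outside the first 64 KB.
    if image[SECTOR:SECTOR + 8] != b"EFI PART" and image[-SECTOR:][:8] == b"EFI PART":
        findings.append("primary GPT header gone, backup header intact")
    return findings

def make_entry(status: int, ptype: int, start: int, count: int) -> bytes:
    """Build one 16-byte partition entry (CHS fields zeroed) for the samples."""
    return struct.pack("<B3sB3sII", status, b"\0" * 3, ptype, b"\0" * 3, start, count)

# Constructed samples, not taken from a real infection.
HEALTHY = (b"\0" * 446 + make_entry(0x80, 0x07, 2048, 204800) + b"\0" * 48
           + b"\x55\xaa" + b"\0" * (WIPED - SECTOR))
# Bootable signature kept, but every table byte replaced by filler (0x90).
OVERWRITTEN = b"\x90" * 510 + b"\x55\xaa" + b"\x90" * (WIPED - SECTOR)
# GPT disk after the same overwrite: only the backup header at the end survives.
GPT_OVERWRITTEN = OVERWRITTEN + b"EFI PART" + b"\0" * (SECTOR - 8)

if __name__ == "__main__":
    for img in (HEALTHY, OVERWRITTEN, GPT_OVERWRITTEN):
        print(triage(img))
```

A valid 0x55AA signature alone does not mean the sector is intact, since a replacement boot sector needs that signature to boot on legacy BIOS; the partition entries are what give the overwrite away.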

[Video: MEMZ Trojan on an EFI system (+ repair)]

Trivia

  • Contrary to popular belief, MEMZ isn't especially destructive, nor will it render computers inoperable. Users with basic knowledge on how to use the PC's recovery mode can easily return their computer to normal in a few minutes at most.
  • MEMZ officially only works on Windows XP or higher. It also runs on ReactOS, but is quite unstable there and only the process-terminating payload works. The clean version works on Linux under WINE; however, graphical payloads only work on certain Linux desktops/window managers. MEMZ works on Windows 95 and up (Windows 95, NT 4.0, 98, 2000, and ME); however, only the MBR payload works on 9x kernels (Windows 95, 98, and ME).
  • The source code of MEMZ can be found on GitHub.
  • It is currently unknown if MEMZ or other variants of this virus have entered the wild; Microsoft's own help desk has several questions related to MEMZ from confused (or inexperienced) users who ran the trojan without reading the warnings first, but as of 2017 there is no evidence that the trojan has been propagated through any traditional method. To prevent malicious users from deliberately spreading the trojan, currently only versions 4 (which has the disclaimer and the non-destructive version bundled with the destructive version) and up are available to download.
