how to fix the orkut virus

  Published 10:19 PM by shrinathmukund

A new worm that attempts to steal online banking credentials is propagating on Google's social-networking Web site.

The worm, dubbed MW.Orc, primarily targets Brazilian users of Google's Orkut Web site. It uses a message in Portuguese to entice people to click on a file that is disguised as a JPEG image, FaceTime Security Labs said in a statement.

The initial file, called "minhasfotos.exe," creates two additional files on a user's system, "winlogon_.jpg" and "wzip32.exe". When the user, after the initial compromise, clicks on the "My Computer" icon in Windows, an e-mail with his or her personal data is sent to the anonymous attacker.

Additionally, the compromised computer may be added to a network of hijacked PCs, known as a botnet. The pest also tries to propagate by placing a malicious link on the profiles of people in the Orkut user's network.

Google confirmed the worm. "We are aware of this issue and will have a temporary fix in place within the hour," a company representative said in an e-mailed statement. "We are working on a more permanent solution for users to guard against these malicious efforts."

For their protection, Orkut users, just as users of all online services and applications, should always be careful when opening or clicking on anything suspicious, the Google representative said.



Never click on any link that looks unfamiliar to you, even if it comes from your closest friend.

Here is what the scrap will look like.
“Opa, tudo bom? Eu criei um vídeo com uma seleção de minhas fotos novas, clica aí pra ver - h t t p :// y e p . i t / ? i k s t t v - Estão bem legais!!! “

What should you do?
Simply delete the scrap! As simple as that..


How does it spread?

It spreads through infected contacts. An Orkut account gets infected once you click on the link. The Trojan then posts a message in your friends' scrapbooks on Orkut. The message text is chosen by the attacker and can be a random sentence written in Brazilian Portuguese, such as the following:

Message example 1:
Opa, tudo bom? Eu criei um video com uma selecao de minhas fotos novas, clica ai pra ver - [MALICIOUS_LINK] - Esta bem legais!!!

Message example 2:
Oi... tudo bom? Como o orkut limita a quantidade de fotos que podem ser publicadas na minha conta, eu criei um slide com algumas fotos minhas, pra ver e so clicar clicar no link!!! [MALICIOUS_LINK] - Sei que vai gostar

If users click on the link, a malicious file is downloaded, which is a copy of Infostealer.Orcu.

When Infostealer.Orcu is executed, it performs a series of actions and infects your system.

What does this scrap in Portuguese mean anyway? I tried using a translator and this is what I got…
Opa, all good one? I created a video with an election of my photos new, clica pra to see there - h t t p :// y e p . i t / ? i k s t t v - I am well legal!

Name of the Trojan: Infostealer.Orcu

Norton’s Description: Infostealer.Orcu is a Trojan horse that attempts to steal confidential information, such as bank and Paypal accounts. It may arrive as a message spammed across the Orkut network.

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP



Hackers are trying to steal Orkut users' bank account information by inserting an automated information theft worm, according to security researchers. The worm, known as MW.Orc, is propagating through Orkut when users launch an executable file disguised as a JPEG.

Google has a temporary fix in place and encourages Orkut users not to open suspicious files.

"We are aware of this issue and have a temporary fix in place. We are working on a more permanent solution for users to guard against these malicious efforts," said a representative from Google in a response emailed to Google Watch.
--------------------------------------------------
how to fix it
w32.USB Worm
It spreads through pen drives, USB drives and thumb drives, hence the name.

It shows messages like

"I DNT HATE MOZILLA BUT USE IE OR ELSE..."

"USE INTERNET EXPLORER U DOPE"

"Orkut is banned you fool, The administrators didnt write this program guess who did?? MUHAHAHA!!" with title ORKUT IS BANNED

To Remove

1. Press CTRL+ALT+DEL and go to the processes tab

2. Look for svchost.exe under the image name. There will be many but look for the ones which have your username under the username

3. Press DEL to kill these processes. It will give you a warning; press Yes.

4. Repeat for any other svchost.exe entries that have your username. Do not kill svchost.exe entries running as SYSTEM, LOCAL SERVICE or NETWORK SERVICE!

5. Now open My Computer

6. In the address bar, type C:\heap41a and press enter. It is a hidden folder, and is not visible by default.

7. Delete all the files here

9. Now go to Start --> Run and type Regedit

10. Go to the menu Edit --> Find

11. Type "heap41a" here and press enter. You will get something like this "[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt"

12. Select that and Press DEL. It will ask "Are you sure you wanna delete this value", click Yes

13. Now close the registry editor.

Now the virus is gone. But be sure to delete the autorun.inf file and any folder whose name ends with .exe in the pen drive.

Some people reported that after this fix they were not able to see their hidden folders and files. If you have that issue, try the following:

1. Go to REGEDIT

2. Go to [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

3. Set the DWORD "NoFolderOptions" to 0, or just delete it.
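
The checks from the removal steps above can be run as one read-only audit before and after cleaning. This PowerShell script is an added example, not part of the original post; it deletes nothing. The post does not say which registry key holds the "heap41a" value, so the script assumes the standard Run autostart keys, and the System32 path test for svchost.exe is also an addition.

```powershell
# Added example: read-only audit for the traces named in the removal steps.
$marker   = 'heap41a'          # folder name given in the post
$findings = @()

# Steps 1-4: svchost.exe running under a user account. Modern Windows also runs
# per-user services this way, so only images outside System32 are flagged
# (the path test is an assumption added here, not a step from the post).
$svc = 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE'
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $owner = (Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue).User
    $inSys = $_.ExecutablePath -like "$env:SystemRoot\System32\*"
    if ($owner -and $svc -notcontains $owner -and -not $inSys) {
        $findings += "svchost.exe PID $($_.ProcessId) runs as '$owner' from: $($_.ExecutablePath)"
    }
}

# Steps 5-7: the hidden folder C:\heap41a
if (Test-Path -LiteralPath "C:\$marker") { $findings += "Folder present: C:\$marker" }

# Steps 9-12: autostart values that mention heap41a (Run keys are an assumption)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match $marker) {
            $findings += "Autostart value '$($p.Name)' in $key -> $($p.Value)"
        }
    }
}

# Pen drive check: autorun.inf and entries whose name ends in .exe at the drive root
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = "$($_.DeviceID)\"
    if (Test-Path -LiteralPath (Join-Path $root 'autorun.inf')) { $findings += "autorun.inf on $root" }
    Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*.exe' } |
        ForEach-Object { $findings += "Entry ending in .exe on ${root} : $($_.Name)" }
}

# Hidden-files follow-up: the NoFolderOptions policy value
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$nfo = (Get-ItemProperty -Path $pol -Name NoFolderOptions -ErrorAction SilentlyContinue).NoFolderOptions
if ($nfo) { $findings += "NoFolderOptions = $nfo (Folder Options is disabled)" }

if ($findings) { $findings } else { 'No traces from the removal steps were found.' }
```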

Try the following links also

1. http://www.freewebs.com/mgsujith/worm/remove.html

2. http://www.jeba.in/posts/w32usbworm-lets-remove-this-worm-manually/

3. http://mgharish.blogspot.com/2007/05/i-dnt-hate-mozilla-orkut-is-banned.html

