MrsMajor.exe
MrsMajor.exe (also known as BossDaMajor.exe) is a series of screamer applications developed by Elektro Berkay. The trojan gained notoriety after YouTube user Siam Alam created a showcase video about it. Elektro Berkay later developed MrsMajor2.0.exe and MrsMajor3.0.exe, which were also featured on Siam Alam's channel.
According to the description, BossDaMajor.exe originated in Turkey and was created in 2017.
Payload
BossDaMajor.exe
Upon execution, BossDaMajor.exe opens Notepad and displays a message that reads:
Start to CRY! WHAT I WANT FROM YOU IS DoNT'scxhcar__?-#__3871h--__.....DONT CLICK ANYTHING! =Created by BeRkaY_the_Coder Elektro Berkay=
The trojan proceeds to flood the user's desktop with numerous text files named "MRS MAJOR WANTS TO MEET YOU" which contain the text "MRS MAJOR IS BEHIND OF YOU!".
Afterward, it launches Windows Media Player and plays a copy of the video Ghost Caught on Tape.[1] Simultaneously, a window titled "Cute Doll!" appears on the screen, displaying the message "MrsMajor Wants TO MEET YOU!". It then logs out the user and forces a restart.
Upon restarting, the trojan changes the desktop background to an image of skulls, replaces file icons with a skull icon, and replaces the cursor with a skull and crossbones icon. It also disables essential system utilities such as Task Manager and Windows Defender.
A window titled "MrMajor" appears, displaying a flashing and moving image of a frightening doll. Attempting to close this window results in it immediately reopening. "Thresh, the Chain Warden" from League of Legends plays in the background.
MrsMajor2.0.exe
Upon execution, MrsMajor2.0.exe presents the user with an end-user license agreement (EULA) warning them that running the trojan will destroy the computer. After accepting the EULA, the trojan launches its payload.
First, it proceeds to fill the desktop with multiple invalid .exe files named "HUMANS ARE TASTY." Then, it flashes multiple copies of the doll image from BossDaMajor.exe across the screen, and then forces a restart.
Upon restarting, the trojan changes the desktop background to an image of Annabelle from The Conjuring franchise, replaces the default cursor with a GIF image of an eyeball looking around, and replaces the icons of the newly created .exe files on the desktop with the same icon as the trojan itself.
It then opens a window displaying the doll image from BossDaMajor.exe with various distorting visual effects. The bottom right of the window features a countdown timer starting at 5:00, while the bottom left corner has a button labeled “Show Rules”. When clicked, it opens a new window presenting a list of rules the user must follow:
Your computer has been infected by MrsMajor
If you dont attend rules, your computer will be "Trash"
Theese are rules:
+If timer runs out, your computer won't work anymore
+If you ATTEMPT to kill any process, your PC will die
+Do NOT delete any virus files.
+Uninstall your antivirusses. They may try to remove virus.
+Do not run Taskmanager, cmd, sethc,
+Do NOT use safe mode.
+Do NOT Remove any registries from msconfig etc.. Or Your PC Will not be able to boot up..
Similar to BossDaMajor.exe, "Thresh, the Chain Warden" plays in the background.
MrsMajor2.0.exe prevents users from opening Task Manager. If the user attempts to open Task Manager, the words "THERE IS NO ESCAPE" flash on the screen one by one.
If the user breaks one of the rules, or if the timer reaches zero, the screen is bombarded with multiple flashing copies of the doll image. Simultaneously, the original window's image becomes distorted by chromatic aberration. Similar to the Task Manager payload, the words "THERE IS NO ESCAPE" flash on the screen one by one.
Then, the trojan triggers a red Screen of Death (RSoD) and overwrites logonui.exe. The RSoD reads:
A problem has been detected and windows has been shutdown to prevent damage to your computer. TROJANS_NEVER_JOKE_RESPECT_THE_TROJANS If this is first time you have seen this screen you are infected by MrsMajor.exe and you broke rules. It is unacceptable. However, your computer wont be able to boot up. Because logonui.exe is missing.. If problems continue, contact the virus owner or disable ur bios memory. Jk second way wont work. Do not waste your time. Everytime you boot up your computer, this screen will appear. If you want to contact virus creator, here is the mail: mskonsol11@gmail.com Theese are fake technical informations: *** STOP: 0x00D1 (0x00C,0x002,0x00,0xF86B5A89) Address F86B5A89 base at F86B5000, DateStamp 3dd9919eb *** Beginning dump of physical memory.. Physical memory dump complete. Windows can't reboot. shutdown.exe is missing. Fix your system. Eh, if its possible.
When the user restarts the machine, it will display the RSoD.
MrsMajor3.0.exe
When MrsMajor3.0.exe is executed, it prompts the user to enter an authorization code in order to decrypt and run the trojan. Once the code is entered, the trojan asks the user if they would like to view the list of rules, and if the user accepts, it displays a message that reads:
Searching keywords on google such as "antivirus download". "malwarebytes download". "do i have a virus" is not allowed. If you do, you'll get prompted with a blue screen explaining you why your computer just ran into a crash. Using 3rd party tools is not allowed. You'll get a BSoD again. Once the malware runs out of blood, you'll get your LogonUI overwritten. If you fix your LogonUI, you'll get your boot sector overwritten just like your System32 files. So don't do that ig. This program can't be ran on a real machine. (VM Only) Have fun! Elektro Berkay / MoonCon - tobiaddr0c#3158
After a couple of seconds, the trojan changes the desktop background to an image of a dark forest and forces a system restart.
Upon restarting, an edited image of the doll from the previous versions of MrsMajor appears, featuring blood dripping from its eyes and mouth, as well as several bloody holes in its forehead. Next to the doll is a vertical red meter labeled “Blood Left:” which gradually depletes over time. "Song of Unhealing" from the BEN Drowned creepypasta plays in the background.
The trojan overlays the screen with a translucent red filter, and small red circles and rectangles resembling drops of blood surround the screen. Shortly after, blood begins dripping down from the top of the screen. This overlay remains visible on top of any other open windows. The trojan also replaces the default cursor with a black and red cursor.
If the blood meter fully depletes, or the user breaks one of the rules, the trojan triggers a Blue Screen of Death (BSoD) with the stop code CRITICAL PROCESS DIED. It overwrites logonui.exe with a distorted image of the doll with an open mouth and bleeding eyes, accompanied by the text:
I own not only your thoughts but also your machine.
If MrsMajor3.0 detects that logonui.exe has been fixed, it displays an error window titled "uh oh" that reads "You messed up.." upon booting into Windows. Subsequently, it triggers a BSoD and overwrites the Master Boot Record (MBR) with the message:
You are not very smart. Are you? Situation of your disk is even worse now.
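The tampering effects described above (Task Manager and Windows Defender disabled, logonui.exe overwritten) can be checked on a suspect host with read-only queries. The following is an added example, not code from the original page; the policy registry values it inspects are an assumption, since the page does not say which mechanism the trojan uses to disable these utilities.

```powershell
# Added triage example (not from the original page). Read-only checks; run elevated.
# Assumption: Task Manager / Defender were turned off through policy values;
# the page does not document the mechanism the trojan actually uses.

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns the registry value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-TamperFindings {
    $findings = @()

    # 1. Task Manager disabled by policy (per-user and machine-wide).
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        if ((Get-PolicyValue $key 'DisableTaskMgr') -eq 1) {
            $findings += "Task Manager disabled by policy: $key"
        }
    }

    # 2. Windows Defender switched off by policy, or real-time protection not running.
    $defKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    if ((Get-PolicyValue $defKey 'DisableAntiSpyware') -eq 1) {
        $findings += "Defender disabled by policy: $defKey"
    }
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        if (-not $mp.RealTimeProtectionEnabled) {
            $findings += 'Defender real-time protection is off'
        }
    } catch {
        $findings += "Defender status unavailable: $($_.Exception.Message)"
    }

    # 3. LogonUI.exe missing, or no longer a validly signed Microsoft binary.
    $logonUi = Join-Path $env:SystemRoot 'System32\LogonUI.exe'
    if (-not (Test-Path -LiteralPath $logonUi)) {
        $findings += "LogonUI.exe missing: $logonUi"
    } else {
        $sig = Get-AuthenticodeSignature -LiteralPath $logonUi
        $signer = $sig.SignerCertificate.Subject
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
            $findings += "LogonUI.exe signature status '$($sig.Status)': $logonUi"
        }
    }
    return $findings
}

Get-TamperFindings | ForEach-Object { Write-Warning $_ }
```

On Windows versions where Get-AuthenticodeSignature does not evaluate catalog signatures, a clean LogonUI.exe can report NotSigned, so treat that result as a prompt to compare the file against a known-good copy. The script inspects the running system only; it does not examine the MBR or an offline volume.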
Notes
- [1] The video may not play to completion due to the forced logout and restart routine.
Link
NOTE: The following application contains a screamer as well as a malicious script that will harm your computer!
- github.com/NotReal96/Malware/blob/master/MrsMajor.md