Madoka.exe: Difference between revisions

From Screamer Wiki
No edit summary
(Add details by analyzing source code)
Line 11: Line 11:
|imagecaption = The '''Madoka.exe''' icon.
|imagecaption = The '''Madoka.exe''' icon.
}}
}}
'''Madoka.exe''', also known as the '''Ghost virus''' or the '''Sadako virus''' in Japan, was a Japanese [[screamer]] program, which is a variant of the Win32/FlaGhost Malware.  
'''Madoka.exe''', also known as the '''Ghost virus''' or the '''Sadako virus''' in Japan, was a Taiwanese [[screamer]] program, which is a variant of the Win32/FlaGhost Malware. The original author is Qiwen Lin (林 啟文) and it's written in Hot Soup Processor programming language.  


== Payload ==
== Payload ==
When the user runs the program, a picture of a Japanese woman in full-screen is displayed briefly, before disappearing. Some text is then displayed in the upper-left corner of the screen. However, a ghost version of the woman in the image will appear along with a scream sound effect. When the screamer ends, the virus immediately returns to the woman's picture.
When the user runs the malware by executing the EXE directly, a picture of a Japanese woman in full screen is displayed followed by a "introduce dialogue" text in the upper-left corner of the screen. However, a ghost version of the woman in the image will appear briefly along with a scream sound effect, before immediately returning to the original image.
 
Before showing the initial payload, the malware will copy itself to Windows directory as ''ozawa.exe'' and try to append itself to ''win.ini'' in order to auto start with the OS. Judging from the decompiled source code, this only works on Win98/ME. On XP or higher, there is no ''Run'' section in ''win.ini'' and the malware would not work apart from the initial payload.
 
If the malware is launched from the system directory with ''ozawa.exe'' as the name (either from auto start or double click manually in system directory), it will enter "reside mode" without showing the initial payload with the normal woman picture. Instead, it runs in background. It will then show the screamer image along with the scream sound effect indefinitely in the following interval: 3 minutes, 10 minutes, 30 minutes, 60 minutes, 60 minutes, 60 minutes ...
 
If the user executes the original EXE once again after infection, the normal woman picture and a "meet-again dialogue" text will be shown and there is no screamer picture.
 
The program also records the number of executions of the original EXE (not the one in system directory) in ''win.ini''. If it is run over 5 times, the malware will show the "bye dialogue" with the normal woman picture, then uninstall itself.
 
== Dialogue ==
 
== Trivia ==
 
* The original EXE accepts arguments. The accepted arguments are shown below:
** '''/inst''': Install to system directory silently, without the initial payload.
** '''/unst''': Uninstall the installation
** '''/ver''': Show an about dialog message box with version
* According to the decompiled source code, holding down F10 when double clicking the original EXE will cause the malware to decompile itself and unpack all the assets and codes. However, this behavior is tested not working on a WinXP virtual machine.
 
==Link==
==Link==
<u>NOTE</u>: The following application contains a [[screamer]]!
<u>NOTE</u>: The following application contains a [[screamer]]!
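Review bot: the new "== Dialogue ==" heading is added with nothing under it, while the rewritten Payload text refers to an "introduce dialogue", a "meet-again dialogue" and a "bye dialogue" without quoting any of them; fill the section with those texts or leave the heading out until they are available. In the lead, "Japanese" becomes "Taiwanese" and an author is named with no citation beyond the edit summary, so a reference to the decompiled source would help. The Payload paragraphs also say the copy goes to the "Windows directory" and then that it is launched from the "system directory"; settle on whichever the source code actually uses.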

Revision as of 15:25, 29 December 2022

This page is about a screamer or shock site, whose original copy has been deleted.
This screamer's original copy is deleted, but the article links to an archive on the Wayback Machine or another saved copy.

Madoka.exe, also known as the Ghost virus or the Sadako virus in Japan, was a Taiwanese screamer program, which is a variant of the Win32/FlaGhost Malware. The original author is Qiwen Lin (林 啟文), and it is written in the Hot Soup Processor programming language.

Payload

When the user runs the malware by executing the EXE directly, a picture of a Japanese woman is displayed in full screen, followed by an "introduce dialogue" text in the upper-left corner of the screen. However, a ghost version of the woman in the image will appear briefly along with a scream sound effect, before immediately returning to the original image.

Before showing the initial payload, the malware will copy itself to the Windows directory as ozawa.exe and try to append itself to win.ini in order to start automatically with the OS. Judging from the decompiled source code, this only works on Win98/ME. On XP or higher, there is no Run section in win.ini and the malware would not work apart from the initial payload.

If the malware is launched from the system directory with ozawa.exe as the name (either from auto start or by double-clicking it manually in the system directory), it will enter "reside mode" without showing the initial payload with the normal woman picture. Instead, it runs in the background. It will then show the screamer image along with the scream sound effect indefinitely at the following intervals: 3 minutes, 10 minutes, 30 minutes, 60 minutes, 60 minutes, 60 minutes ...

If the user executes the original EXE once again after infection, the normal woman picture and a "meet-again dialogue" text will be shown, with no screamer picture.

The program also records the number of executions of the original EXE (not the one in the system directory) in win.ini. If it is run over 5 times, the malware will show the "bye dialogue" with the normal woman picture, then uninstall itself.
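A triage check for the win.ini autostart described above, as an added example that is not part of the original article or the malware's code. It assumes the entry is written to the `run=` or `load=` key of the `[windows]` section, the standard Win9x autostart location in win.ini; the article does not name the key. The function names and the sample file are constructed for illustration.

```python
import ntpath

# Win9x autostart keys in the [windows] section of win.ini (assumption: the
# article only says the malware "appends itself to win.ini").
AUTOSTART_KEYS = ("run", "load")
SUSPECT_NAMES = {"ozawa.exe"}  # file name given in the article


def autostart_entries(win_ini_text):
    """Return [(key, program)] for every run=/load= entry under [windows]."""
    entries = []
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in AUTOSTART_KEYS:
            # Several programs may be listed, separated by spaces or commas.
            for prog in value.replace(",", " ").split():
                entries.append((key.strip().lower(), prog))
    return entries


def flag_suspects(win_ini_text, names=SUSPECT_NAMES):
    """Return autostart entries whose file name matches a suspect name."""
    hits = []
    for key, prog in autostart_entries(win_ini_text):
        base = ntpath.basename(prog.strip('"')).lower()
        if base in names:
            hits.append((key, prog))
    return hits


# Constructed sample, not taken from a real infected machine.
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\OZAWA.EXE C:\\TOOLS\\clock.exe

[Desktop]
run=ozawa.exe
"""
```

Section and key names are matched case-insensitively, and a `run=` line outside `[windows]` is ignored because Windows does not treat it as an autostart entry.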

Dialogue

Trivia

  • The original EXE accepts arguments. The accepted arguments are shown below:
    • /inst: Install to system directory silently, without the initial payload.
    • /unst: Uninstall the installation
    • /ver: Show an about dialog message box with version
  • According to the decompiled source code, holding down F10 when double-clicking the original EXE will cause the malware to decompile itself and unpack all the assets and code. However, when tested, this behavior did not work on a WinXP virtual machine.

Link

NOTE: The following application contains a screamer!

  • web.archive.org/web/20041106190224/geocities.co.jp/SiliconValley-Oakland/8358/mysoft/files/madoka08.zip

