Published at : 31 Oct 2020
The MeltingScreen worm claims to be a cool new screensaver, as long as you have the visual basic runtimes installed! Instead of being just a screensaver, the worm activates very maliciously. Since I have a hard time explaining things while recording, here's how it drops files in the Windows folder:
When a new, uninfected file is run, MeltingScreen copies that file to a new .BIN file (so calc.exe would become calc.bin). The worm then creates a new file called calc.exe, which is the worm itself.
The worm then runs a completely random .EXE file from the same directory. Once again, when it runs this file, it replaces it with the .bin file and a copy of itself. Whenever you try to run a MeltingScreen EXE file, the worm runs something completely random. This makes it next to impossible to use your computer following a reboot, as attempting to run a program will run something entirely different.
After a suitable number of files have been replaced in this manner, the worm begins its "screensaver" routine, which is a very neat looking melting effect. Users would be unaware that they were viewing anything other than the screensaver they expected, up until the point where anything the user runs causes the melting effect instead. Very malicious, very annoying, but very, very cool-looking.