
This page contains either a download link to the malware or is a malicious website that is still active. Malware Wiki shall bear NO responsibility for any damage that you may cause to your machine by running the download or going to the site.

Programming Language: C++, Assembly and Python
Platform: Microsoft Windows
File Type: .exe, .bat
Alias(es): Trojan.Win32.MEMZ, Bootkit.Win32.MEMZ

MEMZ is a custom-made trojan for Microsoft Windows, originally created for the popular YouTuber Danooct1's Viewer-Made Malware series as a parody of a script kiddie's idea of dangerous malware. It has gained fame and notoriety due to its highly complex and unique payloads, many of which are based around internet memes. MEMZ is mainly thought of as a joke trojan.

It is available as an executable .exe file and a batch version. The batch version works like a self-extracting archive, which just extracts and runs the .exe out of itself.

The name "MEMZ" is a leetspeak-style misspelling of the word "Memes". This is why most parts of this trojan contain leetspeak and random web searches, Nyan Cat, and references to Materialisimo's video "MLG Antivirus". The creator of this trojan, Leurak, also makes a few joke programs, such as the Illuminati joke program and the Earthquake joke program.

This trojan has gotten recognition ever since Danooct1 uploaded his review, for which it was originally made. Joel from Vinesauce used it in his "Windows 10 Destruction" stream, where he showcases MEMZ near the ending of the first livestream. He also thanks Danooct1 for helping with acquiring the trojan.

Contrary to popular belief, MEMZ isn't especially destructive, nor will it render computers inoperable forever. Users with basic knowledge on how to use the PC's recovery mode can easily return their computer to normal in a few minutes at most.

The source code of MEMZ used to be found on Leurak's GitHub, but sometime after January 14th, 2020, the GitHub repository was removed. The README.md file lists the dependencies, but the build procedure is – most likely intentionally – not described outright.

It is currently unknown if MEMZ or other variants of this trojan have entered the wild; Microsoft's own help desk has several questions related to MEMZ from confused (or inexperienced) users who ran the trojan without reading the warnings first, but as of 2018 there is no evidence that the trojan has been propagated through any traditional method. To prevent malicious users from deliberately spreading the trojan, currently, only versions 4 (which has the disclaimer and non-destructive version bundled with the destructive version) and up are available to download.


Newer versions of MEMZ Destructive, 4.0 and up, warn the user not to run it on a physical machine as it will damage it and advise the user to run the trojan on a virtual machine.

If the user answers Yes to both warning messages, MEMZ will run. At the same time, it will leave a note titled note.txt telling the user that they will no longer be able to use the computer after rebooting it<ref>GitHub: Leurak/MEMZ/WindowsTrojan/Data/Note.txt</ref>:


Your computer won't boot up again,
so use it as long as you can!

        Trying to kill MEMZ will cause your system to be 
        destroyed instantly, so don't try it :D

At the same moment, the computer's Master Boot Record is overwritten by MEMZ.

The payloads are meant to work on Windows XP and up, failing on all previous versions of Windows due to missing API calls.

MEMZ Destructive launches multiple instances of itself - one renders the payloads, while the others guard each other and trigger killWindows()<ref>GitHub: Leurak/MEMZ/WindowsTrojan/Source/Destructive/KillWindows.c</ref>, which creates a rain of message boxes and crashes the PC as elaborated further down.

The MBR payload written while note.txt gets opened is a "Nyan Cat" animation running as a custom bootloader, and this write is likely to break your partition table. If the installed system uses an EFI bootloader, "Nyan Cat" does not appear on startup due to different booting schemes, but the computer will still fail to boot as the EFI system partition will be impossible to find due to the partition table being broken.

The first payload inside of Windows is opening random websites, as well as Google searches at Google.co.ck (.ck is the country code top-level domain for the Cook Islands). The following can appear<ref>GitHub: Leurak/MEMZ/WindowsTrojan/Data/Sites.txt</ref>:

  • Google.co.ck web searches for...
    • best way to kill yourself
    • how 2 remove a virus
    • mcaffee vs norton
    • how to send a virus to my friend
    • minecraft hax download no virus
    • how to get money
    • bonzi buddy download free
    • how 2 buy weed
    • how 2 get weed out of ur system
    • how to code a virus in visual basic
    • what happens if you delete system32
    • g3t r3kt
    • batch virus download
    • virus.exe
    • internet explorer is the best browser
    • facebook hacking tool free download no virus working 2016
    • virus builder legit free download
    • how to create your own ransomware
    • how to remove memz trojan virus
    • my computer is doing weird things wtf is happenin plz halp
    • dank memz
    • how to download memz
    • half life 3 release date
    • is illuminati real
    • montage parody making program 2016
    • the memz are real
    • stanky danky maymays
    • john cena midi legit not converted
    • vinesauce meme collection
    • skrillex scay onster an nice sprites midi
  • answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
  • motherboard.vice.com/read/watch-this-malware-turn-a-computer-into-a-digital-hellscape
  • play.clubpenguin.com (redirects to www.Disney.com as Club Penguin and Club Penguin Island have shut down)
  • pcoptimizerpro.com
  • softonic.com

It may also open one of the following Windows applications:

  • calc.exe (Calculator)
  • notepad.exe (Notepad)
  • cmd.exe (Command Prompt)
  • write.exe (WordPad)
  • regedit.exe (Registry Editor)
  • explorer.exe (Windows Explorer)
  • taskmgr.exe (Task Manager)
  • msconfig.exe (System Configuration)
  • mspaint.exe (Paint)
  • devmgmt.msc (Device Manager)
  • control.exe (Control Panel)
  • mmc.exe (Microsoft Management Console)

After a while, the trojan starts randomly moving the mouse slightly, and messages taunting the user appear, getting more violent and rapid as time progresses. A bit later, warning icons get drawn at random coordinates and error icons get drawn below the cursor by PayloadDrawErrors, the trojan plays error sounds through the PayloadSound payload, and the PayloadTunnel payload copies the screen's contents and places them on top of the screen, getting smaller and smaller each time (known as the "Tunnel" effect). It gets faster as time passes.

Trying to end the MEMZ process will, as mentioned above, start killWindows(), which pops up tons of message boxes containing "leetspeak" messages, and then crashes the computer to a BSOD using NtRaiseHardError, an undocumented ntdll call, with error code 0xC0000022.

Here is a list of the messages that this payload shows<ref>GitHub: Leurak/MEMZ/WindowsTrojan/Data/killMessages.txt</ref>:

  • YOU KILLED MY TROJAN! Now you are going to die.
  • HAHA N00B L2P G3T R3KT
  • You failed at your 1337 h4x0r skillz
  • |\\/|3|\\/|2
  • Get dank antivirus m9!
  • You are an idiot! HA HA HA HA HA HA HA
  • #MakeMalwareGreatAgain
  • Why did you even tried to kill MEMZ? Your PC is fucked anyway.
  • SecureBoot sucks.
  • gr8 m8 i r8 8/8
  • Have you tried turning it off and on again?
  • <Insert Joel quote here>
  • Greetings to all GAiA members!
  • Well, hello there. I don't believe we've been properly introduced. I'm Bonzi!
    • 'This is everything I want in my computer' – danooct1 2016 (not included in the original version)
    • 'Uh, Club Penguin. Time to get banned!' – danooct1 2016 (not included in the original version)

Restarting the computer shows the final payload, dropped earlier during the MBR overwrite (this also works on Windows 2000/ME and below, but does not work with systems that use EFI bootloaders). Instead of booting into the operating system, the computer will display the following message using a typewriter effect:

"Your computer has been trashed by the MEMZ Trojan. Now enjoy the Nyan Cat..."

This is followed by an animation of the Nyan Cat being played with the PC speakers producing the well-known soundtrack for the animation.

The last payload may not always work, and the computer may boot normally. If the installed system uses an EFI bootloader, the computer still boots without Nyan Cat due to the different boot process. However, the partition table is still destroyed and the EFI system partition cannot be found.

  • Random websites and web searches are opened and random applications are launched (PayloadExecute)
  • Movement of the mouse cursor (PayloadCursor)
  • Random keyboard input (PayloadKeyboard)
  • Error sounds (varies by the operating system) (PayloadSound)
  • Inverting colors (PayloadInvert)
  • Message boxes popping up (PayloadMessageBox)
  • Drawing error icons (PayloadDrawErrors)
  • Most text reversed (including the Start button text in Windows XP) (PayloadReverseText)
  • Screencap whole screen ("tunnel effect") (PayloadTunnel)
  • Screen glitches occur (PayloadScreenGlitches)
  • MBR is overwritten. Partition table may also be destroyed. (part of Destructive/Main.c)

Other payloads (added later)

Clean Version

MEMZ 4.0 Clean Version is a benign version of the trojan, which allows users to reproduce the trojan's audiovisual payloads. This version does not include the MBR overwrite, therefore allowing the PC to operate even after reboot, and uses a dialog box for triggering/toggling payloads.

Leurak, the creator of the MEMZ trojan, recommends that the clean version of MEMZ be tested on a virtual machine first before it is used on a real one.


VineMEMZ is a variant of MEMZ, created for Vinesauce Joel's Windows 10 Destruction. It is modified to only include Vinesauce-specific memes, like BonziBUDDY and the "burning super-death sword" from CursorMania.

When started, it opens a note saying:

Thanks Joel for showing off my trojan on stream!
Please wait some time until the last payload activates, which is a very special one.

At the same time, the alternate MBR payload gets written.


  • The background changes to an edited version of a picture of Peter Norton, from Mac Destruction.
  • The virus can play a MIDI version of "Scary Monsters and Nice Sprites" by Skrillex.
  • The virus spawns an animated Christmas tree on the Desktop.
  • The virus can open random websites and web searches of a different variety, such as "snow halation midi".
  • The cursor can change to the "burning super-death sword" from CursorMania.
  • The virus can spraypaint a simplistic penis with the MS Paint spray tool to the desktop, accompanied by the Joel quote: "Who's been drawing DICKS?"
  • The virus makes multiple copies of a picture of John Cena appear and move over the desktop in a wave pattern in reference to Windows 8 Destruction by Vinesauce Joel.

The virus can shift the screen colors slightly about once per second. The virus then plays random sounds: "succ" and "kup teraz", both courtesy of Joel, from Windows XP Destruction, as well as the 8-bit Crazy Bus-style sounds from the original MEMZ. The virus can play instructional audio from the download website Softonic. After a while, the final payload occurs, where is terminated, the screen goes black, and then after a few message boxes, a BonziBUDDY copy is run with a button to end the process. Ending the process will crash the computer. The MBR payload is replaced with a modified version of the title screen of the bootleg Mario game "7 GRAND DAD" which Joel once played, with the Mario lookalike replaced by Felix the Cat ripping his face open, which is taken from an unlicensed Felix the Cat game for the Sega Genesis that Joel played on a different stream. The text "PUSH START BUTTON!" is replaced with "Thanks Joel for your awesome Streams!".


The destructive version of MEMZ overwrites the first 64 KB of the boot drive. This affects the MBR and the partition table. By using bootable recovery media, such as a Windows installation disc or Linux-based live media, it is possible to recover from this.
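
A triage check for the damage described above, added here as an example (it is not code from MEMZ or from this wiki): given sector 0 of a disk image taken from recovery media, it reports whether the boot signature and the four MBR partition entries are still plausible. It inspects only sector 0, not the full 64 KB; the function names and both sample sectors are constructed for illustration.

```python
import struct

SECTOR = 512

def parse_mbr(sector: bytes):
    """Return (has_boot_signature, used_partition_entries) for sector 0."""
    if len(sector) < SECTOR:
        raise ValueError("need the full 512-byte sector 0")
    entries = []
    for slot in range(4):
        raw = sector[446 + 16 * slot:462 + 16 * slot]
        if raw == bytes(16):
            continue  # unused slot
        # status, (CHS start skipped), type, (CHS end skipped), first LBA, count
        status, ptype, first_lba, count = struct.unpack("<B3xB3xII", raw)
        entries.append((slot, status, ptype, first_lba, count))
    return sector[510:512] == b"\x55\xaa", entries

def assess(sector: bytes, disk_sectors: int):
    """List reasons why sector 0 does not look like a usable MBR."""
    has_sig, entries = parse_mbr(sector)
    problems = []
    if not has_sig:
        problems.append("missing 0x55AA boot signature")
    if not entries:
        problems.append("partition table is empty")
    for slot, status, ptype, first_lba, count in entries:
        if status not in (0x00, 0x80):
            problems.append(f"slot {slot}: invalid status byte {status:#04x}")
        if ptype == 0x00 or first_lba == 0 or count == 0:
            problems.append(f"slot {slot}: empty type, start or length")
        elif ptype != 0xEE and first_lba + count > disk_sectors:
            # 0xEE is a GPT protective entry; its length is not checked here
            problems.append(f"slot {slot}: extends past end of disk")
    return problems

def sample_sector(table: bytes) -> bytes:
    """Constructed sector 0: zeroed code area + 64-byte table + signature."""
    return bytes(446) + table.ljust(64, b"\x00") + b"\x55\xaa"

# Constructed samples (not bytes taken from MEMZ): one NTFS partition vs. a
# table area filled with non-table data, as after a boot-code overwrite.
HEALTHY = sample_sector(struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800))
OVERWRITTEN = sample_sector(bytes(range(0x41, 0x81)))
DISK_SECTORS = 2048 + 204800

if __name__ == "__main__":
    for name, sec in (("healthy", HEALTHY), ("overwritten", OVERWRITTEN)):
        print(name, assess(sec, DISK_SECTORS) or "looks sane")
```

A sector that keeps the 0x55AA signature can still fail this check, which is why the partition entries are validated separately from the signature.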



<references />