Blogs by Rahul R Verma

To be or not to be.

Worm: I DNT HATE MOZILLA BUT USE IE OR ELSE… Orkut is banned you fool, The administrators didn’t write this program guess who did?? MUHAHAHA!!

May 22

Yesterday I happened to visit my friend's place and found out that he had downloaded a very new movie. I asked my friend to give me the movie. I took his memory key or the thumb drive, copied the movie on to it and went back home.

When I reached home, I put it in my PC and went into My Computer. When I double clicked the memory key/thumb drive icon, nothing happened and it did not open. Just at that moment, I had a hunch that I had activated a virus or worm from the memory key. Obviously at that particular moment, I was unaware of the problem. I scanned the thumb drive with McAfee Antivirus but it was unable to detect any threat on the thumb drive.
</grapped>
<gr_replace lines="15" cat="clarify" orig="After few minutes">
After a few minutes, I thought of going online to check email and my Orkut account. I usually use the Mozilla browser as the primary browser on my PC.

At that moment, I just went ahead and watched the movie. By the way, it was really a good movie, loved it.

After few minutes, I thought of going online to check email and my orkut account. I usually use Mozilla browser as the primary browser on my PC.

The moment I double clicked Mozilla… a message popped open…

I DONT HATE MOZILLA BUT USE IE OR ELSE… with the title of the dialogue box as USE INTERNET EXPLORER U DOPE.


It was confirmed, I had a virus/worm on my PC. I opened task manager to look for any suspicious program entry but I was not able to find anything. At that moment, I thought that I would look after the virus later.

Then I opened Internet Explorer (I rarely use IE), typed in www.orkut.com hit Enter… and here I was with another message and a funny sound too (Nice sound to scare Kids).

The Message was:

Orkut is banned you fool, The administrators didn’t write this program guess who did?? MUHAHAHA!! with the title of the dialogue box as ORKUT IS BANNED.

I was pretty pissed at that moment and gave verbal abuses and curses to the person who had written the virus/worm.

The next thing which I did, the next day while in office, was to open www.google.com and search for the message. I got a result which pointed to Google Groups forums related to Mozilla. A discussion was already on there.

Here is the solution and explanation for it.

Virus Profile: W32/AHKHeap

Origin: N/A

Length: MicrosoftPowerPoint.exe (462,050 bytes), svchost.exe (239,104 bytes)

Type: Virus

SubType: Worm

Virus Characteristics

This is a detection for a worm written using AutoHotKey scripts that spreads via removable drives.

Upon execution the worm drops the following files:

  • %Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\2.mp3 (56,467 bytes) –> Media file
  • %Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\drivelist.txt (72 bytes) –> List of drives it tries to replicate
  • %Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\Icon.ico (318 bytes) –> Icon file
  • %Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\Install.txt (8,743 bytes) –> AutoHotKey Script
  • %Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\pathlist.txt (varies) –> List of drives worm is copied to
  • %Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\svchost.exe (239,104 bytes) –> Copy of worm
  • c:\heap41a\2.mp3 (56,467 bytes) –> Media file played when alert box is displayed
  • c:\heap41a\drivelist.txt (72 bytes) –> List of drives to scan for
  • c:\heap41a\Icon.ico (318 bytes) –> Icon file
  • c:\heap41a\reproduce.txt (834 bytes) –>AutoHotKey Script for registry manipulation
  • c:\heap41a\script1.txt (3,588 bytes) –> AutoHotKey Script for Messagebox creation
  • c:\heap41a\std.txt (439 bytes) –> AutoHotKey Script for registry manipulation / run other scripts
  • c:\heap41a\svchost.exe (239,104 bytes) –> Copy of worm
  • c:\heap41a\offspring\autorun.inf (21 bytes) –> used to autorun the worm when the drive is accessed

Creates the following registry keys to hook at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    “winlogon”= “C:\heap41a\svchost.exe C:\heap41a\std.txt”

Disables the "show hidden files" option in folder options by writing the following registry value:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    "CheckedValue" = "00000000"

The worm also prevents the user from accessing certain websites like orkut.com and youtube.com and gives an error message as explained by me earlier.

Method of Infection

The worm spreads via removable drives. Infection starts either with manual execution of the binary or by navigating to folders containing infected files whereby the autorun.inf files can cause auto-execution.

Removal Instructions

1. Go to your task manager by pressing Ctrl + Alt + Del. In that, go to the Processes tab.

2. In that, look for svchost.exe. You might find more than one of them. Look for those whose user name is your own login name on the computer and end those processes (the genuine svchost.exe processes run under SYSTEM, LOCAL SERVICE or NETWORK SERVICE, not under your user name).

3. Now open My Computer. In the address bar, type C:\heap41a and hit Enter. It is a hidden folder, and is not visible by default. Delete all the files in this folder.

4. Now go to Start –> Run and type Regedit. Go to the menu Edit –> Find, type "heap41a" here and press Enter. You will get something like this: "[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt". Select that and press DEL. It will ask "Are you sure you want to delete this value"; click Yes. Now close the registry editor and you are done.

The virus is removed from the PC now, but ensure to delete the autorun.inf file from the thumb drive.

Now McAfee, Symantec and Avast have updated the virus definition files for this worm. It should be detected and removed from the PC, if you have an anti virus software installed.

You will think now that the problem is solved……..but not yet. You will not be able to see the hidden files. Even if you change the setting in the folder options, it will not show the hidden files. So here are the steps to remove that problem and make the hidden files appear and the folder option settings to work as before.

To remove the worm completely from your computer, you need to undo the registry change written by the worm:

  • Press "Windows key" + "R" or go to Start –> Run, then type "regedit" (without quotes).
  • Navigate to the key
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
  • Reset the "CheckedValue" value under that key back to 1. This is to show all the hidden files.
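The removal steps above (ending the rogue svchost.exe, deleting C:\heap41a and the %Temp% drop folder, removing the "winlogon" Run value, resetting SHOWALL\CheckedValue to 1 and deleting autorun.inf from the thumb drive) can be done in one pass from an elevated PowerShell. The script below is an added example of my own, not code from the post's sources or from McAfee; it assumes the paths and registry values are exactly as listed in the profile above, takes the heap folder name as a parameter because the post notes the number can vary, and with -WhatIf only reports what it would change.

```powershell
# Added example (not from the original post or McAfee's profile): report and clean
# the W32/AHKHeap indicators listed above. Run from an elevated PowerShell.
# Assumption: paths and registry values are as described on the page; the folder
# name is a parameter because the post says the number after "heap" can vary.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$HeapFolder = 'C:\heap41a'
)

$policyRunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$showAllKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$tempDrop     = Join-Path $env:TEMP 'MicrosoftPowerPoint'
$findings     = New-Object System.Collections.Generic.List[string]

# 1. Processes: a genuine svchost.exe lives in System32; one running from the heap
#    folder or from %TEMP% is the worm's copy.
foreach ($proc in (Get-Process -Name svchost -ErrorAction SilentlyContinue)) {
    $p = $proc.Path
    if ($p -and ($p -like "$HeapFolder\*" -or $p -like "$tempDrop\*")) {
        $findings.Add("svchost.exe PID $($proc.Id) running from $p")
        if ($PSCmdlet.ShouldProcess($p, 'Stop-Process')) {
            Stop-Process -Id $proc.Id -Force
        }
    }
}

# 2. Startup hook: the "winlogon" value the worm writes under Policies\Explorer\Run.
$runProps = Get-ItemProperty -Path $policyRunKey -ErrorAction SilentlyContinue
if ($runProps -and $runProps.PSObject.Properties['winlogon']) {
    $cmd = [string]$runProps.winlogon
    $findings.Add("Policies\Explorer\Run\winlogon = $cmd")
    # Only remove it if it really points at a heap<number> folder.
    if ($cmd -match 'heap\d+' -and $PSCmdlet.ShouldProcess("$policyRunKey\winlogon", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $policyRunKey -Name 'winlogon'
    }
}

# 3. Hidden-files setting: CheckedValue under SHOWALL must be 1 for "Show hidden
#    files and folders" to work again.
$checked = (Get-ItemProperty -Path $showAllKey -Name 'CheckedValue' -ErrorAction SilentlyContinue).CheckedValue
if ($checked -ne 1) {
    $findings.Add("SHOWALL\CheckedValue is '$checked' (expected 1)")
    if ($PSCmdlet.ShouldProcess("$showAllKey\CheckedValue", 'Set to 1')) {
        Set-ItemProperty -Path $showAllKey -Name 'CheckedValue' -Value 1 -Type DWord
    }
}

# 4. Dropped files: the hidden heap folder and the %TEMP% drop folder.
foreach ($dir in @($HeapFolder, $tempDrop)) {
    if (Test-Path -LiteralPath $dir) {
        $findings.Add("dropped folder present: $dir")
        if ($PSCmdlet.ShouldProcess($dir, 'Remove-Item -Recurse')) {
            Remove-Item -LiteralPath $dir -Recurse -Force
        }
    }
}

# 5. Removable drives (DriveType 2): autorun.inf in the root re-launches the worm
#    when the drive is opened, so the post says to delete it from the thumb drive.
foreach ($disk in (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2')) {
    $autorun = Join-Path $disk.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        $content = (Get-Content -LiteralPath $autorun -Raw) -replace '\s+', ' '
        $findings.Add("autorun.inf on $($disk.DeviceID): $content")
        if ($PSCmdlet.ShouldProcess($autorun, 'Remove-Item')) {
            Remove-Item -LiteralPath $autorun -Force
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/AHKHeap indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "FOUND: $_" }
}
```

Run it first as `.\Clean-AHKHeap.ps1 -WhatIf` to see the findings without touching anything, then without `-WhatIf` to clean; the `-match 'heap\d+'` guard on the Run value is there so a legitimate "winlogon" entry someone else configured is reported but not deleted. After cleaning, reboot and re-run the script: if the heap folder or the Run value comes back, a copy of the worm is still executing from somewhere the script did not look, which is exactly the "keeps re-occurring" case the post warns about.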

If the virus/worm is still on the PC, then the problem will keep on re-occurring. So don’t forget to install a good anti-virus program with updated virus definitions.

Happy Surfing and Virus Squashing.

Rahul.
