Monday 17 September, 2007

A Virus that Spreads through USB or Removable Disks

Using a pen drive, USB flash drive, memory card or similar? Beware of the AHKHeap-A virus. It does some pretty crafty dirty tricks! All you need to do to be infected is to plug it in!

You will be infected if you insert an infected removable disk into your computer and let it Autoplay, if you double-click the drive icon, or if you double-click a folder that you created earlier!

So what happens, and what should you do?

If you had inserted your removable drive into some computer infected with the AHKHeap virus, then when you create a directory on the removable drive, say "test", the virus converts the folder into a system, hidden folder. Then it creates an application with the same name: test.exe. The trick is that the test.exe application it creates has an icon that exactly resembles a folder!



In the above screenshot, you see a folder named MicrosoftPowerPoint. But actually, it's a virus and not a folder! See the Properties page for it below:


It's an executable file! (Type of file: Application). How come it looks like a folder? Simple. Its icon is set to look exactly like a folder!

When you plug the removable drive into another PC and try to open the folder by double-clicking it, the virus exe file runs and infects that computer too. You don't get to see the real folder because its attributes are set to system and hidden.

It even sets up the Autoplay.ini file to start the viral executable. So if your Windows stupidly runs the executable as soon as you plug in the removable drive, you are infected. See the Autorun.ini contents:

[Autorun]
open=MicrosoftPowerPoint.exe
shellexecute=MicrosoftPowerPoint.exe
shell\Auto\command=MicrosoftPowerPoint.exe
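The two tricks described above (an autorun file that launches a program, and an executable that shares its name with a hidden folder so that its folder icon disguises it) are easy to check for from a script instead of by eye. The following is an added example, not code from the original post or from any antivirus product. The file Windows Autoplay actually reads is autorun.inf; every function, constant and sample name here is my own construction, and the sample drive it builds in a temporary directory is constructed from the autorun lines quoted above.

```python
import os
import stat
import tempfile
from pathlib import Path

EXE_SUFFIXES = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
LAUNCH_KEYS = {"open", "shellexecute"}

# Constructed sample: the autorun lines quoted in the post.  Windows reads
# this file under the name autorun.inf, which is what build_sample_drive() uses.
SAMPLE_AUTORUN = """[Autorun]
open=MicrosoftPowerPoint.exe
shellexecute=MicrosoftPowerPoint.exe
shell\\Auto\\command=MicrosoftPowerPoint.exe
"""


def parse_autorun(text):
    """Return {key: target} for every [autorun] key that launches a program.
    Parsed by hand so that keys such as shell\\Auto\\command and any
    section-name case are accepted."""
    targets, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets[key] = value.strip()
    return targets


def is_hidden_system(path):
    """True when both HIDDEN and SYSTEM attributes are set.  Only Windows
    exposes st_file_attributes; on other platforms this reports False."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    wanted = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
    return attrs & wanted == wanted


def find_folder_mimics(root):
    """Executables whose stem matches a sibling directory, recursively:
    the 'test' folder plus 'test.exe' pattern described in the post."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        by_stem = {d.lower(): d for d in dirnames}
        for name in filenames:
            p = Path(name)
            if p.suffix.lower() in EXE_SUFFIXES and p.stem.lower() in by_stem:
                folder = here / by_stem[p.stem.lower()]
                findings.append((here / name, folder, is_hidden_system(folder)))
    return findings


def scan_drive(root):
    """Summarise what would have to be removed from a drive root."""
    root = Path(root)
    autorun = {}
    inf = root / "autorun.inf"
    if inf.is_file():
        autorun = parse_autorun(inf.read_text(errors="replace"))
    launched = {t.lower() for t in autorun.values()}
    mimics = find_folder_mimics(root)
    rel = [str(exe.relative_to(root)) for exe, _, _ in mimics]
    return {
        "autorun_targets": sorted(set(autorun.values())),
        "folder_mimics": rel,
        "hidden_folders": [str(f.relative_to(root)) for _, f, h in mimics if h],
        "autorun_launches_mimic": any(r.lower() in launched for r in rel),
    }


def build_sample_drive(base):
    """Lay out a constructed look-alike of an infected drive under base."""
    base = Path(base)
    (base / "autorun.inf").write_text(SAMPLE_AUTORUN)
    (base / "MicrosoftPowerPoint").mkdir()
    (base / "MicrosoftPowerPoint.exe").write_bytes(b"MZ")  # stand-in, not a real program
    (base / "Photos").mkdir()
    (base / "Photos" / "holiday.jpg").write_bytes(b"\xff\xd8")
    (base / "notes.txt").write_text("harmless")
    return base


def demo():
    """Build the sample drive in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_drive(build_sample_drive(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point scan_drive() at the root of a removable drive (for example `scan_drive("E:\\")`) to get the same kind of listing the post later recommends producing by hand with dir /a; nothing is deleted, the output is only a list of what to look at.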

Another interesting thing is that the virus disables the "Show hidden files and folders" option. Go to Explorer, click Tools menu > Folder Options > View tab. The "Do not show hidden files and folders" option will be checked. Try changing it to "Show hidden files and folders". If your computer is infected, you will not be able to save the change! You have to reset the option from the registry: go to HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL and set CheckedValue to 1. Now you can change the setting to show all files and folders.

What can you do to prevent this virus? DO NOT AUTOPLAY removable disks! If you share your removable disk among computers and you think there is any chance that those computers are infected, do not open folders on the removable drive by double-clicking them; use the [+] sign in Explorer's folders pane instead. Better still, use the command prompt if you know how to.

Do not trust drives that belong to others.

What is the payload of this virus? It stops you from accessing orkut and youtube, displays its signature dialog box that says orkut is banned, and reportedly produces strange sounds :) !

The virus does this: it creates a directory c:\heap41a and sets up a key in the registry so that it auto-starts (HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run). Then it infects each and every removable disk you insert into the computer.

How to remove the virus from your computer?

Read these articles: 1 2

First, you have to kill the viral processes running as svchost under your user name. To do this, press Ctrl+Alt+Del and open Task Manager. There will be svchost processes running under SYSTEM, LOCAL SERVICE or NETWORK SERVICE. Leave them alone. If you find any svchost process under some other user name, right-click it and select 'End Process Tree'.
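The Task Manager check above (an svchost that runs under an ordinary user account rather than one of the three service accounts) can also be applied to the output of `tasklist /v /fo csv`, which is handy on a machine where the viral process has hidden the desktop tools. This is an added example, not from the original post: the CSV below is constructed in the column layout tasklist prints, the account names and PIDs are invented, and the rule reflects the Windows XP era the post describes (newer Windows versions run a few per-user services in svchost under the logged-in account, so there the list would need allow-listing by service name as well).

```python
import csv
import io

# Accounts that legitimately host svchost.exe on an XP-era system.
SERVICE_ACCOUNTS = {
    "nt authority\\system",
    "nt authority\\local service",
    "nt authority\\network service",
}

# Constructed sample in the layout of `tasklist /v /fo csv`; every value is invented.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","892","Console","0","4,812 K","Running","NT AUTHORITY\\SYSTEM","0:00:03","N/A"
"svchost.exe","960","Console","0","3,204 K","Running","NT AUTHORITY\\NETWORK SERVICE","0:00:01","N/A"
"svchost.exe","1012","Console","0","3,988 K","Running","NT AUTHORITY\\LOCAL SERVICE","0:00:00","N/A"
"svchost.exe","1744","Console","0","2,316 K","Running","HOME-PC\\alice","0:00:00","N/A"
"explorer.exe","1580","Console","0","18,540 K","Running","HOME-PC\\alice","0:00:12","N/A"
'''


def suspicious_svchost(tasklist_csv):
    """Return [(pid, user)] for every svchost.exe not owned by a service account."""
    hits = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if row["Image Name"].strip().lower() != "svchost.exe":
            continue
        user = row["User Name"].strip()
        if user.lower() not in SERVICE_ACCOUNTS:
            hits.append((int(row["PID"]), user))
    return hits


def kill_commands(hits):
    """The command-line equivalent of Task Manager's 'End Process Tree'."""
    return [f"taskkill /PID {pid} /T /F" for pid, _ in hits]


if __name__ == "__main__":
    found = suspicious_svchost(SAMPLE_TASKLIST)
    for pid, user in found:
        print(f"svchost.exe PID {pid} runs as {user}")
    for cmd in kill_commands(found):
        print(cmd)
```

Feed it real output with `tasklist /v /fo csv > procs.csv` and `suspicious_svchost(open("procs.csv").read())`; review the list before running any of the generated taskkill lines.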

Then remove the start-up hooks from the registry. I found them in HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run. It's better if you search for "heap41a" in the registry. Remove any viral entries you find.

Then, you have to remove the virus from your hard disk. Use the Command Prompt:

c:
cd \
dir /a

If you find a heap41a directory, you have to delete it. First, you have to un-protect it:
attrib -s -h heap41a
cd heap41a
attrib -s -h *.* /s /d
del *.* /s

You should now be able to delete the heap41a directory. If you are unable to, there are more protected files in it; remove them using attrib -s -h filename and del filename.

Then, reset the Show Hidden Files Option as said earlier. (Go to HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL and set CheckedValue to 1).

Now, you have to clean your removable drives. Make sure you don't re-infect your system when you do this. When you insert the disk, make sure Windows does not autoplay any executable. You must not trigger Autoplay on the drive by right-clicking the drive icon. You must also not double-click applications that look like folders.

The best way to clean the removable drive is to Quick-format it. If you need to try to recover some data from it, try this:

Go to the command prompt. Do a dir /a and see if there are any suspicious executables or hidden folders. Delete them all. Repeat this for every sub-directory. Delete autoplay.ini.

My AVG with the latest updates (Sep 17 2007) was unable to recognise all of the executables, though it did catch many. For example, it did not recognise c:\heap41a\svchost.exe! Makes me wonder how much you can trust them!

Thursday 13 September, 2007

Prevention is Better than Cure

When it comes to antivirus, it's my opinion that it is better used to prevent an infection than to cure an infected system.

Ideally, you should install the antivirus software as soon as you install the operating system and before most other programs. More importantly, you should install the antivirus before you connect your system to other systems via a LAN or the Internet, before viruses, worms and Trojans get a chance to infect your system.

Someone who administers 200 computers told me that AVG Antivirus is useless and they were being let down. On discussion with him, I found out that they tried to install antivirus software after a computer was suspected to be infected. Most systems were not updated with security and critical updates and had vulnerabilities dating back to 2002! And none had firewalls turned on. Every single system was used routinely with administrative accounts.

No wonder he feels that antivirus solutions are inadequate. I advised him to follow a minimum security procedure: Windows Updates, early antivirus installation, non-admin accounts for day-to-day usage, firewall configuration, etc. Security is a habit, it seems. Let's see if things improve.