Heap41a is a worm/virus which constantly annoys you with message boxes like

“I DNT HATE MOZILLA BUT USE IE OR ELSE…”

or

“Orkut is banned you fool, The administrators didnt write this program guess who did?? MUHAHAHA!!”

or

“USE INTERNET EXPLORER U DOPE”

when you try to open Firefox or access YouTube or Orkut.

I had to go through a particularly annoying half day. I used HijackThis, but it didn’t show any promising results, so I then opted for RootkitRevealer from Sysinternals. A full scan later, I realised I had a problem.

After deleting the folder, I looked it up on Google and found a number of interesting hits. Some smart aleck from Bangalore (my guess) wrote up this code and had very shitty reasons for doing it. The following links are helpful if you go through a particularly annoying day with this heap41a worm.

The following forum post from autohotkey.com was pretty helpful for me, save for the fact that I had to uncheck the system file checkbox on the properties dialog box (you could always resort to attrib -r -s -h /s inside the heap41a directory if you are comfortable with DOS) before I was allowed to delete the svchost.exe file.

Surprisingly, AVG Free Edition 7.5.516 didn’t find it, which complies with their warning that AVG Free Edition only protects against viruses and not against spam, trojans or malware. Guess free does not mean served on a platter 🙁

A list of other links that were helpful…

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=142280

http://tec-updates.blogspot.com/2007/07/remove-heap41a-win32usbworm-worm.html

http://groups.google.com/group/mozilla.support.firefox/msg/12ba87e2b0e3b7a4


2 Comments

david santos · December 24, 2007 at 6:31 am

Good posting. Thank you.

I wish you a good end of 2007 and a good year of 2008.

david santos · December 24, 2007 at 12:46 am

Good posting. Thank you. I wish you a good end of 2007 and a good year of 2008.
