A worm called heap41a

If you are using an USB drive that has already been plugged in to many computers (that are not secure), Think again!

There is a worm by name w32.USBWorm(also called heap41a) that is floating around from system to system through pendrives.It primarily targets your mozilla browser and displays you an error message "I DNT HATE MOZILLA BUT USE IE OR ELSE..." and doesnt let you access Mozilla.In fact, you can't even open the folder in which you have installed Mozilla.

It also disables you from using orkut and youtube.("Orkut is banned you fool!!!", oh.. that's the message displayed by heap41a, I am not scolding you)

I haven't heard of any other serious damages heap41a might cause, but caution is always advised.It might just corrupt your USB drivers making you reinstall your Operating system, or even worse, it MAY corrupt your USB drive and your hard disk and eventually ALL YOUR D-A-T-A!!!

Solution?


First, disconnect all kinds of network connections.

1. Go to command prompt(run->cmd)
2. Type the following commands:
cd\
cd heap41a
3. now fire 'dir' command
4. You will see a list of files and folders. Then fire 'del *' and confirm to delete all the files.
5.Now fire 'rmdir /S offspring' command to delete the folder by name "offspring"
6. Now the dir command shows a file by name "svchost.exe".
7. Rename that file, fire this command : ren svchost.exe ara.
8. Now reboot your PC.
9. go back to command prompt c:/heap41a.
10. fire 'attrib -R ara' command to make the file writable.
11. fire this command : "edit ara"
12. The file opens in the edit mode. Select all the content and delete the content!
13.Now save the file from file menu and exit.
14. Now fire 'cd ..'
15. then fire rmdir /S heap41a!

Congartulations!

You have just deleted the worm.

Now we need to delete the traces of the worm too.

Now go to run-> regedit and that brings you the registry editor.
Navigate to the following key and delete it:
"[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt"

(Do a search to find it. I am now lazy to type the LONG path).

Be careful while working with registry.YOU are responsible for any harm that YOU may cause.Don't blame me later!

This worm(heap41a) may also lead to malfunctioning of Hide/Unhide folder functionality of Windows XP.You can refer to this thread to for pointers:
http://forums.cnet.com/5208-6142_102-0.html?forumID=5&threadID=232457&messageID=2396828

(Told ya I was lazy :-) )

That's it!
If you still have problems, mail me at aravindts1 AT rediffmail DOT com, or JUST POST HERE.

Bye,
Aravind