W32/AHKHeap-A is a worm for the Windows platform.
When run, W32/AHKHeap-A creates the following files:
<Temp>\MicrosoftPowerPoint\2.mp3 - can be safely removed
<Temp>\MicrosoftPowerPoint\drivelist.txt - can be safely removed
<Temp>\MicrosoftPowerPoint\Icon.ico - can be safely removed
<Temp>\MicrosoftPowerPoint\Install.txt - detected as W32/AHKHeap-A
<Temp>\MicrosoftPowerPoint\pathlist.txt - can be safely removed
<Temp>\MicrosoftPowerPoint\svchost.exe - can be safely removed
C:\heap41a\2.mp3 - can be safely removed
C:\heap41a\drivelist.txt - can be safely removed
C:\heap41a\Icon.ico - can be safely removed
C:\heap41a\reproduce.txt - detected as W32/AHKHeap-A
C:\heap41a\script1.txt - detected as W32/AHKHeap-A
C:\heap41a\std.txt - detected as W32/AHKHeap-A
C:\heap41a\svchost.exe - can be safely removed
C:\heap41a\offspring\autorun.inf - detected as W32/AHKHeap-A
W32/AHKHeap-A attempts to periodically copy itself to removeable drives and USB keys. The worm will attempt to create a hidden file Autorun.inf on the removeable drive and copy itself to the removeable drive as MicrosoftPowerPoint.exe.
The file Autorun.inf is designed to start the worm once the removeable drive is connected to a uninfected computer.
The following registry entries are set to run W32/AHKHeap-A on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
status
present
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
winlogon
C:\heap41a\svchost.exe C:\heap41a\std.txt
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0