Virus Profile: W32/AHKHeap

Threat Search
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 5/21/2007
Date Added: 5/21/2007
Origin: N/A
Length: MicrosoftPowerPoint.exe (462,050 bytes), svchost.exe (239,104 bytes)
Type: Virus
Subtype: Worm
DAT Required: 5035
Removal Instructions


This is a detection for worm written using AutoHotKey scripts and spreads via removable drives.

Indication of Infection

  •  Presence of above mentioned registry keys and files.
  •  Getting a prompt as shown in the image above while trying to access or

Methods of Infection

The worm spreads via removable drives. Infection starts either with manual execution of the binary or by navigating to folders containing infected files whereby the autorun.inf files can cause auto-execution.


W32/AHKHeap-A (Sophos), worm_ahkheap.a (Trend Micro)

Virus Characteristics

This is a detection for worm written using AutoHotKey scripts and spreads via removable drives.

Upon execution the worm drops the following files:

  • %Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\2.mp3 (56,467 bytes) --> Media file
  • %Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\drivelist.txt (72 bytes) --> List of drives it tries to replicate
  • %Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\Icon.ico (318 bytes) --> Icon file
  • %Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\Install.txt (8,743 bytes) --> AutoHotKey Script
  • %Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\pathlist.txt (varies) --> List of drives worm is copied to
  • %Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\svchost.exe (239,104 bytes) --> Copy of worm
  • c:\heap41a\2.mp3 (56,467 bytes) --> Media file played when alert box is displayed
  • c:\heap41a\drivelist.txt (72 bytes) --> List of drives to scan for
  • c:\heap41a\Icon.ico (318 bytes) --> Icon file
  • c:\heap41a\reproduce.txt (834 bytes) -->AutoHotKey Script for registry manipulation
  • c:\heap41a\script1.txt (3,588 bytes) --> AutoHotKey Script for Messagebox creation
  • c:\heap41a\std.txt (439 bytes) --> AutoHotKey Script for registry manipulation / run other scripts
  • c:\heap41a\svchost.exe (239,104 bytes) --> Copy of worm
  • c:\heap41a\offspring\autorun.inf (21 bytes) --> used to autorun the worm when the drive is accessed

Creates the following registry keys to hook at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    "winlogon"= "C:\heap41a\svchost.exe C:\heap41a\std.txt"

Disables the show hidden file options in folder options using the following registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    "CheckedValue" = "00000000"

The worm also prevents the user from accessing certain websites like and and gives a message box as shown below.


A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.



PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!