Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 5 January 2005 01:55:51 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
windows
%SYSTEM%\system copy.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
system xp
%WINDOWS%\acdsee demo.exe
and delete them if they exist.
Close the registry editor.
More Information
W32/Salga-A is a peer-to-peer and email worm for the Windows platform.
When first run, the worm copies itself to the following locations:
%SYSTEM%\system copy.exe
%WINDOWS%\acdsee demo.exe
%SYSTEM%\egywormo[gen1].exe
<current folder>\.exe
<Startup folder>\egy~1.exe
/Britny spears marrage with Bnladensun.zip
/Britny/NEW FILM.ZIP.EXE
In order to run each time a user logs on, W32/Salga-A creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
windows
%SYSTEM%\system copy.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
system xp
%WINDOWS%\acdsee demo.exe
Copies of the worm are also placed in folders that contain "shared" in their paths. Worm copies are named:
Britny spears and Madona sex viedio in 24 min only.zip.<several dots>.exe
Iraq war.zip.<several dots>.exe
USA discvered water in mars yesterday.doc.zip.<several dots>.exe
last messengers versions.zip.<several dots>.exe
learn photo shop in 3 days only.zip.<several dots>.exe
new cupied photos.zip.<several dots>.exe
new girls emails with there phone numbers.zip.<several dots>.exe
strong fire wall allover the world with thelast update of norton.zip.<several dots>.exe
The worm also searches for file and folder names and may create copies of itself named after those it finds, with the EXE file extension appended. For example:
C:\My Documents
will cause the worm to create a worm copy named "C:\My Documents.exe"
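As a detection aid for the two naming patterns described above (a decoy archive or document extension padded with dots before .exe, and an executable named after an existing file or folder), the following Python script flags matching entries in a file listing. It is an added example, not Sophos code; the extensions other than .zip and .doc and the sample paths are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Decoy document/archive extension, optional dot/space padding, then ".exe".
# .zip and .doc come from the names listed above; the rest are assumptions.
DECOY_EXE = re.compile(r"\.(zip|doc|rar|pdf|jpg|txt)[. ]*\.exe$", re.IGNORECASE)

def flag_masquerades(paths):
    """Map each suspicious path in a file/folder listing to the reason it was flagged."""
    # Normalise separators and case, since Windows compares names case-insensitively.
    norm = {p: str(PureWindowsPath(p)).lower() for p in paths}
    known = set(norm.values())
    findings = {}
    for p, low in norm.items():
        name = PureWindowsPath(p).name
        if DECOY_EXE.search(name):
            findings[p] = "decoy extension before .exe"
        elif low.endswith(".exe") and len(name) > 4 and low[:-4] in known:
            # e.g. "C:\My Documents.exe" next to an existing "C:\My Documents"
            findings[p] = "executable named after existing file/folder"
    return findings

# Constructed listing for illustration; paths are not taken from a real host.
SAMPLE_LISTING = [
    r"C:\My Documents",
    r"C:\My Documents.exe",
    r"C:\Shared\Iraq war.zip.........exe",
    r"C:\Shared\Britny\NEW FILM.ZIP.EXE",
    r"C:\Shared\holiday photos.zip",
    r"C:\Program Files\Tool",
    r"C:\Program Files\Tool\setup.exe",
]

if __name__ == "__main__":
    for path, reason in flag_masquerades(SAMPLE_LISTING).items():
        print(f"{path}: {reason}")
```

Feed it the output of a recursive directory listing that includes folder names, so the second check can see the original file or folder each executable imitates.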
The worm harvests email addresses from the Windows address book and sends email to each address found. Email sent by W32/Salga-A has the following properties:
Subject lines:
BRITNY SPEARS MARRAGE
Sir new victem
To contact new friends
Message texts:
hi:your machine need for more new updates contact us
<mgasalgya_4ever@hotmail.com>,and you can catch new email in www.hotmail.com
with huge advantages see next and attend
Welcome for you in our world now you contact new friend girls and boys from USA, UK, RUSSIA, JABAN, EGYPT, CANADA, LEBNON, INDONISIA, SWEEDN, GERMANY, FRANCE, SOUTHAFRICA, ARENTINA, SPAIN AND BRAZIL also all off them have camera and mics
If u you want to have anice holyday you must call us at this adress USA
MITCHGEN and we will give greate offer details in this attachment
Hi:miss or mr you can contact new friends all ever the world deatails in attachmment file
This attachmment contain very hard sexy photos with part of sexy films interest and replay us
Hi;this is some photoes of Britney Spears marrage with Bnladen son in flash file so<<<<if the winzip file not run you must change the extension to exe to execute it
Attached file:
Britny spears marrage with Bnladensun.zip
Details of new friends.zip...............exe
<one of the worm copy filenames from above> .EXE or .ZIP
W32/Salga-A also modifies the configuration script for the mIRC IRC client, causing the application to spread further copies of the worm through IRC channels.
The worm sends a broadcast popup message to all clients on the local network with the following text:
hi welcome in our net cafe you can see the new film of Britny spears from the computer which shown it is very interesting film or see it from any shared folder <<habby interesting time in our net cafe bi>>
On Windows NT, 2000 and XP-based computers, the worm attempts to disable System Restore by modifying registry entries under:
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore
