Backdoor.Salgorea Description
Backdoor.Salgorea is a backdoor Trojan that opens a back door on the corrupted PC. Backdoor.Salgorea may propagate through spam emails carrying a harmful .hta file. When run, Backdoor.Salgorea replicates itself as the malevolent files on the infected computer system. Backdoor.Salgorea creates a partially modified copy of itself to the temporary folder and runs this copy with parameter '--help'. Backdoor.Salgorea also creates the clean file and executes it. Backdoor.Salgorea then creates the schedule task files in order to run the file 'sidebar.exe' daily. Backdoor.Salgorea creates the registry entry so that it can load automatically whenever you boot up Windows. Backdoor.Salgorea also creates other registry entries.
Technical Information
File System Details
Backdoor.Salgorea creates the following file(s):
# | File Name | Size | MD5 |
---|---|---|---|
1 | %Temp%\KeePass.exe | ||
2 | %Temp%\[RANDOM FILE NAME].exe | ||
3 | %UserProfile%\Application Data\Microsoft\Windows Sidebar\sidebar.exe | ||
4 | %Windir%\Tasks\Sidebar_[CURRENT USER].job | ||
5 | %Windir%\Tasks\Sidebar.job | ||
6 | %UserProfile%\Application Data\Microsoft\Windows\AeroGlass.theme | ||
7 | file.exe | 249,344 | d33a9365a7e71f728b993a4a3ae58335 |
Registry Details
Backdoor.Salgorea creates the following registry entry or registry entries:
RegistryKey
HKEY_CURRENT_USER\Software\Microsoft\Keyboard\"es-ec" = "[ENCODED DATA]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBar\OemCustomTheme\"(Default)" = "%UserProfile%\Application Data\Microsoft\Windows\AeroGlass.theme"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Keyboard\"es-ec" = "[ENCODED DATA]"
HKEY_CURRENT_USER\Software\Microsoft\SideShow\Gadgets\"Language" = "[TIME OF INFECTION]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Sidebar" = "%Temp%\[RANDOM FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DevDiv\UC\"SP" = "[TIME OF INFECTION]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SideBar\OemCustomTheme\"(Default)" = "%UserProfile%\Application Data\Microsoft\Windows\AeroGlass.theme"
Site Disclaimer
Enigmasoftware.com is not associated, affiliated, sponsored or owned
by the malware creators or distributors mentioned on this article. This article should NOT be
mistaken or confused in being associated in any way with the promotion or endorsement of malware.
Our intent is to provide information that will educate computer users on how to detect, and ultimately
remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on
this article.
This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.
This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.