Backdoor.Salgorea

Backdoor.Salgorea Description

Backdoor.Salgorea is a backdoor Trojan that opens a back door on the compromised PC. It may propagate through spam emails carrying a malicious .hta file. When run, Backdoor.Salgorea copies itself to the infected computer as the files listed below. It writes a partially modified copy of itself to the temporary folder and runs that copy with the parameter '--help'. It also creates a clean file and executes it. Backdoor.Salgorea then creates scheduled task files so that the file 'sidebar.exe' runs daily, and creates a registry entry so that it loads automatically whenever Windows boots. It also creates other registry entries.

Technical Information

File System Details

Backdoor.Salgorea creates the following file(s):
# File Name Size MD5
1 %Temp%\KeePass.exe
2 %Temp%\[RANDOM FILE NAME].exe
3 %UserProfile%\Application Data\Microsoft\Windows Sidebar\sidebar.exe
4 %Windir%\Tasks\Sidebar_[CURRENT USER].job
5 %Windir%\Tasks\Sidebar.job
6 %UserProfile%\Application Data\Microsoft\Windows\AeroGlass.theme
7 file.exe 249,344 d33a9365a7e71f728b993a4a3ae58335

Registry Details

Backdoor.Salgorea creates the following registry entry or registry entries:
Registry Key
HKEY_CURRENT_USER\Software\Microsoft\Keyboard\"es-ec" = "[ENCODED DATA]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBar\OemCustomTheme\"(Default)" = "%UserProfile%\Application Data\Microsoft\Windows\AeroGlass.theme"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Keyboard\"es-ec" = "[ENCODED DATA]"
HKEY_CURRENT_USER\Software\Microsoft\SideShow\Gadgets\"Language" = "[TIME OF INFECTION]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Sidebar" = "%Temp%\[RANDOM FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DevDiv\UC\"SP" = "[TIME OF INFECTION]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SideBar\OemCustomTheme\"(Default)" = "%UserProfile%\Application Data\Microsoft\Windows\AeroGlass.theme"
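
A read-only triage check for the file and registry artifacts listed above, as an added example that is not part of the original article. The function name Get-SalgoreaIndicator and the Temp-path test applied to the Run value are assumptions; the script covers only the current user's profile and hive plus HKLM.

```powershell
# Added example: read-only triage for the artifacts listed on this page.
# Get-SalgoreaIndicator is a hypothetical name; nothing is modified or deleted.
function Get-SalgoreaIndicator {
    $hits = @()

    # Fixed paths from "File System Details".
    $files = @(
        "$env:TEMP\KeePass.exe",
        "$env:USERPROFILE\Application Data\Microsoft\Windows Sidebar\sidebar.exe",
        "$env:USERPROFILE\Application Data\Microsoft\Windows\AeroGlass.theme"
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $hits += "file: $f" }
    }

    # %Temp%\[RANDOM FILE NAME].exe has no fixed name, so compare each
    # executable in %Temp% with the one MD5 the page lists (for file.exe).
    $md5 = 'd33a9365a7e71f728b993a4a3ae58335'
    foreach ($exe in Get-ChildItem -Path $env:TEMP -Filter '*.exe' -File -ErrorAction SilentlyContinue) {
        $h = Get-FileHash -LiteralPath $exe.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
        if ($h -and $h.Hash -eq $md5) { $hits += "md5: $($exe.FullName)" }
    }

    # Sidebar.job and Sidebar_[CURRENT USER].job in %Windir%\Tasks.
    foreach ($job in Get-ChildItem -Path "$env:windir\Tasks" -Filter 'Sidebar*.job' -ErrorAction SilentlyContinue) {
        $hits += "task: $($job.FullName)"
    }

    # Values from "Registry Details": key path, then value name.
    $values = @(
        @('HKCU:\Software\Microsoft\Keyboard', 'es-ec'),
        @('HKLM:\SOFTWARE\Microsoft\Keyboard', 'es-ec'),
        @('HKCU:\Software\Microsoft\SideShow\Gadgets', 'Language'),
        @('HKLM:\SOFTWARE\Microsoft\DevDiv\UC', 'SP'),
        @('HKCU:\Software\Microsoft\Windows\CurrentVersion\SideBar\OemCustomTheme', '(default)'),
        @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBar\OemCustomTheme', '(default)'),
        @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'Sidebar')
    )
    foreach ($v in $values) {
        $item = Get-ItemProperty -LiteralPath $v[0] -Name $v[1] -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $data = $item.($v[1])
        # The Run value counts only when it points at an .exe directly in a Temp folder.
        if ($v[1] -eq 'Sidebar' -and $data -notmatch '\\Temp\\[^\\]+\.exe') { continue }
        $hits += "registry: $($v[0])\$($v[1]) = $data"
    }
    return $hits
}

Get-SalgoreaIndicator
```

An empty result means none of the listed artifacts were found for this user; because the page describes the Temp copy as partially modified, an MD5 mismatch on its own does not clear a file.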
