(Virus:Win32/Sality.AH W32.Blastclan W32/Kashu.A)
The presence of the files and registry entries mentioned below;
Computer slow downs;
Please let BitDefender disinfect your files.
George Cabau, virus researcher
This malware has a folder-like icon, in order to trick the user to double-cluck it.
After run the malware performs the followings actions:
-creates a mutex named "_kkiuynbvnbrev406" in order to avoid running duplicate instances.
- drop in “%WINDIR%\System32” directory a dll file named “wd273296.dll”,and a packed copy of this dll under the name “wd273296.dl_”.
- Creates a copy of itself under the name “SCVVHOST.exe” in “%WINDIR%\System32” and “%WINDIR%” directories.
- Creates a copy of itself under the name “blastclnnn.exe” in “%WINDIR%\System32”.
- It registers "%WINDIR%\System32\SCVVHOST.exe" at system startup by modifying the default shell to“explorer.exe SCVVHOST.exe”, and also by creating a new entry under “HKLM\Software\Microsoft\Windows\CurrentVersion\Run” named “Yahoo Messengger” pointing to the same executable.
- For protecting itself it disables the registry tools and the Task manager and modifies other security settings.
- Deletes all schedule tasks and creates a new task for running the copy of malware located in “%WINDIR%\System32 blastclnnn.exe”.
- Drops a driver named “[random-name].sys” in “c:\Windows\system32\drivers\” and uses it to disable some antivirus software.
- Attempts to share a copy of itself named “New Folder.exe” on the local network
- It has the functionality required for downloading other malware files from the internet.