W32/Salga.B@mm
Analysis
This virus is packed with MEW and has a file size of 34,479
bytes. It also uses the WinZip application icon to trick
users into believing it is an archive file. Users who
right-click the file and use the WinZip shell extension
will quickly see that the file is not an archive at all.
This virus sends itself by MAPI email to the contacts listed
in the Windows address book. It also disables System Restore
and creates a full system share on the compromised system.
The virus makes itself available to users of the P2P application
Kazaa by copying itself multiple times into the shared
folder under names chosen to be enticing.
The virus uses a double-extension trick so that users
believe the file has only one extension. The double
extension is ".zip.........exe" or ".scr........exe",
with a varying number of periods, and is written below
as "<double ext>":
learn 3dstoudio in 3 days<double ext>
new sex <double ext>
[SWF] - Harry Potter and the philosophers stone<double ext>
[SWF] - Swordfish<double ext>
[SWF] - The Fast and the Furious<double ext>
anti hackers<double ext>
antibiotics side effects<double ext>
aol2005 free and new<double ext>
best and strong firewall in 2004<double ext>
best anti virus in 2004 (new&free)<double ext>
best xxl movies in 2004 <double ext>
big one in the world<double ext>
Britny spears and Madona sex viedio in 24 min only<double ext>
Britny Spears sex pics<double ext>
bundes lega<double ext>
Cat attacks child<double ext>
cocacola new chat prog<double ext>
Comedy video<double ext>
computer programs in 2020<double ext>
Dracola realy appears in japan<double ext>
FBI secrets ( how can them catch hekers<double ext>
fear FACTOR FLASH MOVEIS<double ext>
FlashMovie<double ext>
Game_Crack_Genie_v0.5<double ext>
hard core new films<double ext>
i robot 2nd part <double ext>
Iraq war<double ext>
last messengers version<double ext>
learn allvisual basic projects<double ext>
LEARN autocade IN 3 days<double ext>
learn photo shop in 3 days only<double ext>
lesbien chat free<double ext>
MacroMedia Flash 6.0<double ext>
MAGIC_ programs<double ext>
mirc_antworms<double ext>
ms games<double ext>
MsDos_PortScanner<double ext>
msn 9.00+its plus free and new<double ext>
NEW abu gharib secrets movies and photos<double ext>
new cupied photos<double ext>
new film_alond shwanzinger 2004<double ext>
new girls emails with there phone number<double ext>
news paper(clot)<double ext>
norton 2005+its crack (free&new)<double ext>
office 2005 free &new<double ext>
pebsi with mice heheheheh<double ext>
photoshop LAST VER 2005<double ext>
sex animal photos<double ext>
Shockwave Flash<double ext>
Simpsons Episode (#38).<double ext>
songs of sexy films<double ext>
ssPamela_Anderson_(Naked Screen Saver)<double ext>
ssParis_Hilton_(Nude Screen Saver)<double ext>
striper brests program v 1.7.00<double ext>
strong fire wall allover the world with thelast update of norton<double ext>
SWF<double ext>
SWF_Movie<double ext>
tourism IN TURKY FREE<double ext>
TOY 2010 new film of me<double ext>
Tutorial Video on Hacking<double ext>
UK DENGEROUS SECRETS secrets<double ext>
USA discvered water in mars yesterday.doc<double ext>
viagra free only gift 4 u in 2004<double ext>
Virtual_3D_Pinball<double ext>
virus cleaner 2005 (free)<double ext>
water in mars exclusion<double ext>
Win32System_Tweaks_v1.0<double ext>
Wmplayer_Celebrity_Skins<double ext>
wwf_TRIBLE H<double ext>
XXX video<double ext>
yahoo2005 free & new<double ext>
yaser arafat death secrets<double ext>
This virus will also copy itself to every folder whose
name contains the string "shared", and to all subfolders
within those folders. It uses these file names, again
with the double extension -
Britny spears and Madona sex viedio in 24 min only
Iraq war
last messengers versions
learn photo shop in 3 days only
new cupied photos
new girls emails with there phone numbers
strong fire wall allover the world with thelast update of norton
USA discvered water in mars yesterday.doc
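As an added example (not code from the FortiGuard analysis), the Python below flags Salga.B-style double extensions, allowing for any number of periods between the decoy extension and the real ".exe", and notes when the file sits under a folder whose name contains "shared", as described above. The ".doc" decoy and the sample path list are constructed assumptions, not values from the page.

```python
import re
from pathlib import PureWindowsPath

# Salga.B hides the real .exe behind a decoy extension and a run of periods,
# e.g. "new sex.zip.........exe"; the number of periods varies, so match one
# or more. .zip and .scr are from the analysis; .doc is an added assumption.
DOUBLE_EXT_RE = re.compile(r"\.(?P<decoy>zip|scr|doc)\.+exe$", re.IGNORECASE)

def is_double_ext(filename: str) -> bool:
    """True if the name ends in '<decoy>....exe' (Salga.B-style double extension)."""
    return DOUBLE_EXT_RE.search(filename) is not None

def decoy_extension(filename: str):
    """Return the extension the name pretends to have (lowercase), or None."""
    m = DOUBLE_EXT_RE.search(filename)
    return m.group("decoy").lower() if m else None

def in_shared_folder(path: str) -> bool:
    """True if any directory component of the path contains 'shared'."""
    return any("shared" in p.lower() for p in PureWindowsPath(path).parts[:-1])

def find_suspicious(paths):
    """Return (path, reason) pairs for files that look like Salga.B drops."""
    hits = []
    for p in paths:
        name = PureWindowsPath(p).name
        if not is_double_ext(name):
            continue
        reason = f"double extension .{decoy_extension(name)} hiding .exe"
        if in_shared_folder(p):
            reason += " in a 'shared' folder"
        hits.append((p, reason))
    return hits

# Constructed sample listing (not real telemetry) mixing benign and decoy names
SAMPLE_PATHS = [
    r"C:\Program Files\Kazaa\My Shared Folder\new sex.zip.........exe",
    r"C:\Program Files\Kazaa\My Shared Folder\Shared\FlashMovie.scr........exe",
    r"C:\Users\bob\Downloads\report.zip",
    r"C:\Users\bob\Downloads\setup.exe",
    r"C:\Users\bob\Documents\notes.doc.exe",
]

if __name__ == "__main__":
    for path, why in find_suspicious(SAMPLE_PATHS):
        print(f"{path}: {why}")
```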
The virus spreads its seeds of joy to other places as
well, copying itself to these locations -
C:\Documents and Settings\All Users\Desktop
C:\Documents and Settings\All Users\Start Menu
C:\Documents and Settings\All Users\Start Menu\Programs\
C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\
The virus drops itself into the Startup folder for All
Users as "salga.b.exe" -
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\salga.b.exe
The virus does not keep quiet on the infected system -
it uses the "net send" command to send a message from
the infected machine to all users on the network -
net send * hi welcome in our net cafe you can see all web cam in all types of chat with out any request use it from any shared folder <<habby interesting time in our net cafe bi>>
Not all of the message is displayed; only this portion
is received -
hi welcome in our net cafe you can see all web cam in all types of chat with out any request use it from any shared folder <<hab
The virus will attempt to send itself to all users
listed in the Windows address book.
Loading at Windows startup
The virus will register itself to load from the registry
at each Windows startup -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"system xp" = C:\WINNT\acdsee demo.exe
"windows" = C:\WINNT\system\system copy.exe
Kazaa P2P Manipulation
The virus will alter how Kazaa functions by adjusting
the registry -
HKEY_CURRENT_USER\Software\Kazaa\Transfer
"StartKazaa -SilentRun" = C:\Program Files\Kazaa\My Shared Folder\Shared
Disabling System Restore
The virus will disable System Restore by modifying these
registry keys -
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT
"SystemRestore" = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
"DisableConfig" = 01, 00, 00, 00
"DisableSR" = 01, 00, 00, 00
This act of sabotage prevents the system from creating
a restore point from the time of infection onward.
Full system share
The virus will create a share on the system called "magic_cam".
Users on the network may be able to browse to the compromised
system and map a drive to this share, gaining full access
to the infected system. This not only puts the infected
system at greater risk, it also lets the virus be freely
distributed to unsuspecting users.
The virus makes a few registry adjustments to allow
the full share creation -
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\Shares
"magic_cam" = (hex values)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
"magic_cam" = (hex values)
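As an added example (not code from the page or from Fortinet), this Python checks a .reg registry export for the indicators listed in the three sections above: the Run values, the System Restore policy values, and the "magic_cam" lanmanserver share. The export text is constructed from the page's values; the share's binary data is a placeholder, since the page does not give it.

```python
import re

# Salga.B registry indicators from the analysis above, checked against a .reg export.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
SHARES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares"
SALGA_RUN = {"system xp": "acdsee demo.exe", "windows": "system copy.exe"}
SR_DISABLE = {"DisableSR", "DisableConfig"}
ONE = ("dword:00000001", "hex:01,00,00,00")  # DWORD 1 in .reg form / page's byte form
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: raw_data}}; REG_SZ stays quoted."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group("name")] = m.group("data")
    return keys

def check_salga_indicators(text):
    """Return one finding string per Salga.B registry indicator present."""
    keys, findings = parse_reg_export(text), []
    for name, data in keys.get(RUN_KEY, {}).items():
        target = SALGA_RUN.get(name.lower())
        if target and data.strip('"').lower().endswith(target):
            findings.append(f"Run value '{name}' loads {data}")
    for name, data in keys.get(SR_KEY, {}).items():
        if name in SR_DISABLE and data.lower().replace(" ", "") in ONE:
            findings.append(f"System Restore disabled via {name}")
    if "magic_cam" in keys.get(SHARES_KEY, {}):
        findings.append("lanmanserver share 'magic_cam' present")
    return findings

# Constructed .reg export reproducing the page's values (share data is a placeholder)
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"system xp"="C:\\WINNT\\acdsee demo.exe"
"windows"="C:\\WINNT\\system\\system copy.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000001
"DisableSR"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares]
"magic_cam"=hex(7):00,00
"""
```

Running `check_salga_indicators(SAMPLE_EXPORT)` yields five findings, one per indicator; a clean export yields an empty list.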
Recommended Action
Check the web interface of your FortiGate unit to ensure the latest AV/NIDS definitions have been downloaded and installed on your system. If required, enable the "Allow Push Update" option.
Telemetry
Detection Availability
Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |