Win32/Sadorom.2668 [Threat Name]

Win32/Sadorom.2668 [Threat Variant Name]

Category virus
Size 2668 B
Aliases Virus.Win32.Henky.5668 (Kaspersky)
        Worm:Win32/Sador.2764 (Microsoft)
Short description

Win32/Sadorom.2668 is a file infector.

Installation

The virus creates copies of the following files (source, destination):

  • C:\WINDOWS\SYSTEM\KERNEL32.DLL, C:\WINDOWS\SYSTEM\SADO.ROM

It infects the following files:

  • C:\WINDOWS\SYSTEM\SADO.ROM

The virus modifies the following file:

  • C:\WINDOWS\WININIT.INI

The virus writes the following entries to the file:

  • [Rename]
  • NUL=C:\WINDOWS\SYSTEM\KERNEL32.DLL
  • C:\WINDOWS\SYSTEM\KERNEL32.DLL=C:\WINDOWS\SYSTEM\SADO.ROM

The virus may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    • "PendingFileRenameOperations" = "C:\WINDOWS\SYSTEM\KERNEL32.DLL","C:\WINDOWS\SYSTEM\SADO.ROM"
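Both the WININIT.INI [Rename] entries and the PendingFileRenameOperations value schedule the file swap for the next boot, which is the moment a defender can still catch it. The following Python is an added example, not code from the original page: it parses both formats over a constructed sample and flags entries that delete or replace a core system DLL. The PROTECTED set and the sample contents are assumptions for illustration.

```python
import re
# Constructed sample WININIT.INI reflecting the entries described above (not a real capture).
SAMPLE_WININIT = """[Rename]
NUL=C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL=C:\\WINDOWS\\SYSTEM\\SADO.ROM
[Other]
foo=bar
"""

# Core system DLLs whose boot-time replacement deserves a look (illustrative list, an assumption).
PROTECTED = {"kernel32.dll", "user32.dll", "gdi32.dll", "ntdll.dll"}

def parse_rename_section(text):
    """Return (destination, source) pairs from [Rename]: 'dest=src' renames at boot, 'NUL=src' deletes."""
    pairs, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs

def pending_rename_pairs(multi_sz):
    """Map a PendingFileRenameOperations REG_MULTI_SZ (alternating source, destination; empty
    destination means delete; optional '\\??\\' prefix) onto the same (dest, src) shape."""
    out = []
    for i in range(0, len(multi_sz) - 1, 2):
        src = multi_sz[i].replace("\\??\\", "", 1)
        dest = multi_sz[i + 1].replace("\\??\\", "", 1) or "NUL"
        out.append((dest, src))
    return out

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def suspicious_renames(pairs):
    """Flag scheduled deletions of protected DLLs and replacements by a differently named file."""
    findings = []
    for dest, src in pairs:
        if dest.upper() == "NUL" and basename(src) in PROTECTED:
            findings.append(f"delete scheduled: {src}")
        elif basename(dest) in PROTECTED and basename(src) != basename(dest):
            findings.append(f"replace scheduled: {dest} <- {src}")
    return findings
```

A same-name replacement (for example a hotfix staging KERNEL32.DLL over KERNEL32.DLL) is deliberately not flagged, so the output stays focused on swaps that change which file lands under a protected name.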

The virus hooks the following Windows APIs:

  • CreateFileA (Kernel32.dll)

File infection

The virus infects executable files.

The virus infects files with the following extensions:

  • .EXE
  • .exe

Executables are infected by appending the code of the virus to the last section.

The host file is modified in a way that causes the virus to be executed prior to running the original code.

Other information

The virus contains the following text:

  • SI LA COSA ESTA MAL... VOY A SADOROM
  • DediCado A LakAsiTA, pEEwee, lAdepi, tOroNaga, arbeni, sADORom, trENaDO, YECXo, ZaRpAx, TmARtIN, tMULET, ulTRAShOCk, MarQuEze, seXpAin... seXsOtrON Y LA tIA EnRiKetA
  • SALUDOZ A SANDSTORM, FEDERRICO, JONH_O_ANN, JOSE RUIBAL Y GURU JOSH... AH... Y A LAMERGIN TAMBIEN :)
  • \SADO.ROM
  • W32/SADOROM2668 by HenKy
