Home / malware P2P-Worm:W32/Bacteraloh.H
First posted on 26 February 2009.
Source: SecurityHomeAliases :
There are no other names known for P2P-Worm:W32/Bacteraloh.H.
Explanation :
The detection P2P-Worm.Win32.Bacteraloh.H refers to files that have been infected by Virus.Win32.Sality.S.
right]While active, Sality.S terminates running processes with names associated with common antivirus programs.
Infection
Sality.S is an appending, polymorphic file infector that uses an entry point obscuring technique. During infection, it replaces 129 bytes from the beginning of the host file's code with its decryption routine, then hides the replaced code in its own code. The virus's own code is encrypted and appended to the host file as a new section, with a random name and a size of 28672 bytes.
A detailed description of Sality's method of operation is available in the description of Virus.Win32.Sality.Q.
Installation
During installation, Sality.S creates the following files:
- %windir%system32wmdrtc32.dl_ - Archived copy of wmdrtc32.dll
- %windir%system32wmdrtc32.dll - Detected as Virus.Win32.Sality.S
- %windir%system32driversekkkjn.sys - Detected as Virus.Win32.Sality.S
It modifies the file %windir%system.ini by adding the following:
- [MCIDRV_VER]
DEVICE=
In addition, the following is loaded into all processes
- %windir%system32wmdrtc32.dll
Registry
Sality.S deletes a large number of registry keys, a small sample of which is listed in this description.Last update 26 February 2009
