
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Samal.A

 
Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

Samal.A is a worm designed to activate and carry out the following malicious actions if the system date of the computer falls in 2009:

  • Before the computer is started, it displays a message on screen in which the text "Ah ah tou didn't say the magic word" can be read.
  • After any value has been entered three times, it displays another message on screen in which the text "Samael has come. This the end" can be read.
  • This last message remains on screen and the computer cannot be started.
  • If the user restarts the computer, the same messages are displayed and the computer does not work.

If the system date is not in 2009, Samal.A does not display messages on screen. However, the computer restarts continuously.

Infection strategy 

Samal.A creates the following files:

  • SMMS.EXE, in the Windows directory.
  • CSRSS.EXE and DISKINI.XP, in the inf folder of the Windows directory.
    These three files are copies of the worm.
  • SMMS.BAT, in the Windows directory.
  • [TRAFFIK]CRACK FOR WINDOWS.SIK, in the emule\incoming folder of the Program Files directory. This file contains the following text:
    Samael 3.0 
    %system time% 
    %system date%
    EN
    This file is created as an infection mark in order to know which computers are infected with this worm.

Additionally, it creates an AUTORUN.INF file in all the system drives, so that the copies of the worm are automatically run whenever any of them is accessed.

 

Samal.A also modifies the NTLDR file in the root directory of the C: drive. This way, it can display the messages mentioned previously when the computer is started.

 

Samal.A creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Proyecto1 = %windir%\smms.exe

    where %windir% is the Windows directory.
    By creating this entry, Samal.A ensures that it is run whenever Windows is started.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
    HRZR_EHACNGU
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
    HRZR_EHACNGU:CRGbbyf.yax
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
    HRZR_EHACNGU:P:\Cebtenz Svyrf\VaPgey5\VaPgey5.rkr
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
    HRZR_EHACNGU:VaPgey5.yax
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
    HRZR_HVFPHG

Means of transmission 

Samal.A spreads by copying itself to all the system drives. The copy is named INFO.EXE, and the worm also creates an AUTORUN.INF file in all the drives, so that the copy of the worm is run whenever any of them is accessed.

Further Details  

Samal.A is written in the programming language Visual Basic v6.0. This worm is 139,285 bytes in size.
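
A triage sketch for the artifacts listed in the sections above, written as an added example (not Panda Security's code): because an affected computer may not start, it checks a disk mounted offline for the file names and worm size given on this page, and decodes the UserAssist value names, which Windows stores ROT13-encoded. The root path argument, the default `WINDOWS` and `Program Files` directory names, and the function names are assumptions.

```python
import codecs
from pathlib import Path

WORM_SIZE = 139_285  # size of the worm given on this page, in bytes

# Paths from this page, relative to the volume root. "WINDOWS" and
# "Program Files" are assumed default directory names.
WORM_COPIES = ["WINDOWS/SMMS.EXE", "WINDOWS/inf/CSRSS.EXE",
               "WINDOWS/inf/DISKINI.XP", "INFO.EXE"]
OTHER_FILES = ["WINDOWS/SMMS.BAT", "AUTORUN.INF",
               "Program Files/emule/incoming/[TRAFFIK]CRACK FOR WINDOWS.SIK"]


def find_ci(root, rel):
    """Resolve rel under root ignoring case (offline mounts may be case-sensitive)."""
    cur = Path(root)
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        cur = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur if cur.is_file() else None


def scan_volume(root):
    """Return {relative path: note} for each listed artifact found under root."""
    hits = {}
    for rel in WORM_COPIES:
        p = find_ci(root, rel)
        if p:
            same = p.stat().st_size == WORM_SIZE
            hits[rel] = "size matches worm" if same else "name only, size differs"
    for rel in OTHER_FILES:
        if find_ci(root, rel):
            hits[rel] = "present"
    return hits


def decode_userassist(name):
    """Decode a ROT13-encoded UserAssist value name into readable text."""
    return codecs.decode(name, "rot_13")


if __name__ == "__main__":
    import sys
    for rel, note in scan_volume(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(rel, "->", note)
```

A name-only hit still needs review by hand: an AUTORUN.INF at a drive root or a file whose size differs from the listed one is not proof of infection on its own.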