Aliases: W32/Sandalu, Win32.Sandalu, Virus.Win32/Sandalu
Variants: Win32/Sandalu, Virus.Win32.Sandalu

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 04 Sep 2004
Damage: Low

Characteristics: W32/Sandalu is a virus that attempts to infect executable files. It affects Windows operating system platforms such as Windows 2000, Windows 98, Windows 95, Windows NT, Windows Me, and Windows XP.

More details about W32.Sandalu

The W32/Sandalu program may be able to enter systems protected by weak passwords: it contains lists of commonly used names and passwords, and it may also attempt a brute-force attack, guessing the login from random characters. System vulnerabilities can also be used to enter the computer. When a file infected with W32/Sandalu is executed, the virus extracts the host file as a .sys file and launches it so that the program appears to run normally. It sets the "(Default)" value in the registry key so that Windows launches the viral file every time an .exe file is opened. Because Windows 2000/XP does not recognize msnxv32.exe as a valid application, Windows displays an error message every time a program is started on those operating system platforms.

The W32/Sandalu program may be obtained through peer-to-peer (P2P) file sharing programs, and users may also acquire it from popular download sites. The installation script of the application is encrypted in these enticing downloads; executing a downloaded program enables the malware to infiltrate the computer. The application may also be distributed by other means, such as e-mail, websites with drive-by download scripts, and freeware and shareware applications.