1. Symantec/
  2. Security Response/
  3. W32.Sandalu

W32.Sandalu

Discovered:
September 4, 2004
Updated:
February 13, 2007 12:27:08 PM
Type:
Virus
Systems Affected:
Windows

W32.Sandalu is a virus that attempts to infect .exe files.




To manually fix the exefile\shell\open\command key

  1. Do one of the following, depending on the version of Windows you are running:
    • Windows 95/98 users:
      1. Click Start.
      2. Point to Programs.
      3. Click the MS-DOS Prompt. (A DOS window opens at the C:\Windows prompt.) Proceed with step B of this section.

    • Windows Me users:
      1. Click Start.
      2. Point to Programs.
      3. Point to Accessories.
      4. Click the MS-DOS Prompt. (A DOS window opens at the C:\Windows prompt.) Proceed with step B of this section.

    • Windows NT/2000 users:
      1. Click Start > Run.
      2. Type command, and then press Enter. (A DOS window opens.)
      3. Type cd \winnt, and then press Enter.
      4. Proceed with step B of this section.

    • Windows XP users:
      1. Click Start > Run.
      2. Type command, and then press Enter. (A DOS window opens.)
      3. Type the following:

        cd\
        cd \win
        dows

        Press Enter after typing each one.

      4. Proceed with step B of this section.

  2. Type copy regedit.exe regedit.com

    and then press Enter.

  3. Type start regedit.com

    and then press Enter. (The Registry Editor opens in front of the DOS window.)

    After you finish editing the registry, exit the Registry Editor, and then exit the DOS window as well.

  4. Before continuing, Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. For instructions, read the document, "How to make a backup of the Windows registry."

  5. Navigate to and select the key:

    HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

    NOTE: The HKEY_LOCAL_MACHINE\Software\Classes key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with a .exe extension from running. Make sure that you completely browse through this path until you reach the \command subkey.

    Modify the HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command subkey, shown in the following figure:


    <<=== NOTE: Modify this key.

  6. In the right pane, double-click the (Default) value.
  7. Delete the current value data, and then type:

    "%1" %*

    That is, type the characters: quote-percent-one-quote-space-percent-asterisk.

    NOTES
    • Under Windows 95/98/Me/NT, the Registry Editor automatically encloses the value within quotation marks. When you click OK, the (Default) value should look exactly like this:

      ""%1" %*"  
    • Under Windows 2000/XP, the additional quotation marks will not appear. When you click OK, the (Default) value should look exactly like this:

      "%1" %*
    • Make sure that you completely delete all the value data in the command key before typing the correct data. If you leave a space at the beginning of the entry, any attempt to run the program files will result in the error message, "Windows cannot find .exe." If this occurs, restart the entire process from the beginning of this document and make sure that you completely remove the current value data.

  8. Exit the Registry Editor.


Antivirus Protection Dates

  • Initial Rapid Release version September 5, 2004
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version September 5, 2004
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date September 8, 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Writeup By: Heather Shannon

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube