Win32.Sality.M (Sality)

SYMPTOMS:
Presence of the files listed below. The size of executable files increases by approximately 20 kB.

TECHNICAL DESCRIPTION:
Win32.Sality.M is a polymorphic file infector that affects PE executable files. When an infected executable is run, it drops the following files:
%system%\vcmgcd32.dll
%system%\vcmgcd32.dl_

It appends the following lines to the end of %windir%\system.ini:
[MCIDRV_VER]
DEVICE=[RANDOM_STRING]

The dropped .dll is injected into all running processes and starts infecting all .exe and .scr files on all drives, except files in directories whose path contains one of the following strings:
AHEAD
SYSTEM

After infecting each drive, it tries to infect all .exe files referenced from the following registry subkeys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

It creates the following mutexes to check whether the infecting .dll is already present in memory:
KUKU300a
KUKU301a
_kuku_joker_v3.09_

It deletes all files with the following extensions:
.vdb, .key, .avc, .tjc

and all files whose names start with one of the following strings:
ANTI, SCAN, ZONE, ANDA, TROJ, TREN, ALER, CLEAN, OUTP, GUAR, BIDEF

It also kills all processes whose names start with one of the following strings:
DRWEB, OUTPOST, ZONEALARM, NOD32, ANTI, NMAIN, MCUPDATE, MGUI, NPROTECT, NUPGRADE, RTVSCAN, SAVSCAN, AUTOTRACE, AVSYNMGR, ATGUARD, AVGSERV, AVPROTECT, BIDEF, BIDSERVER, BIPCP, BLACKICE, CLEANER, DRWATSON, DRWTSN32, LOCKDOWN, MCAGENT, NPFMESSENGER, PERISCOPE, PINGSCAN, PORTDETECTIVE, PROTECTX, TRJSCAN, VSMAIN, AVLTMAIN, ESCANH, ICSSUPPNT, ICSUPP, AVXQUAR

%system% refers to the System32 directory (default: C:\Windows\System32)
%windir% refers to the Windows directory (default: C:\Windows)

Removal instructions:
Please let BitDefender disinfect your files.

ANALYZED BY: Dan Anton, virus researcher
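A host-triage check for the indicators listed above, added here as an example and not BitDefender's own tooling: it parses the text of system.ini for the [MCIDRV_VER] / DEVICE= marker and compares a file listing and a mutex listing against the dropped-file and mutex names. It assumes the caller has already collected the system.ini text, the file paths under %system% and the mutex names observed on the host; the sample input below is constructed.

```python
import re

# Indicators taken from the description above (added example, not BitDefender code).
DROPPED_FILES = {"vcmgcd32.dll", "vcmgcd32.dl_"}               # dropped into %system%
MUTEX_NAMES = {"KUKU300a", "KUKU301a", "_kuku_joker_v3.09_"}   # infection-marker mutexes
INI_SECTION, INI_KEY = "MCIDRV_VER", "DEVICE"                  # appended to %windir%\system.ini


def ini_section_keys(ini_text, section):
    """Return the key names found under [section] (section match is case-insensitive).

    system.ini is not guaranteed to be well-formed, so a small hand parser is
    used instead of configparser: duplicate keys and stray whitespace are tolerated.
    """
    keys, in_section = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            in_section = header.group(1).strip().lower() == section.lower()
        elif in_section and "=" in line:
            keys.append(line.split("=", 1)[0].strip().upper())
    return keys


def sality_indicators(system_ini_text, system_dir_files, mutex_names):
    """Return the sorted list of matching indicators (empty when none match).

    system_dir_files: paths found under %system%; mutex_names: mutex names observed
    on the host, e.g. from a handle-enumeration tool (assumed to be supplied by the caller).
    """
    hits = set()
    if INI_KEY in ini_section_keys(system_ini_text, INI_SECTION):
        hits.add("system.ini:[%s] %s=" % (INI_SECTION, INI_KEY))
    basenames = {p.replace("/", "\\").rsplit("\\", 1)[-1].lower() for p in system_dir_files}
    hits.update("dropped:" + f for f in DROPPED_FILES if f in basenames)
    hits.update("mutex:" + m for m in MUTEX_NAMES if m in set(mutex_names))
    return sorted(hits)


# Constructed sample input (not captured from a real host).
SAMPLE_INI = "[boot]\nshell=explorer.exe\n\n[MCIDRV_VER]\nDEVICE=xk3jq9zr\n"
SAMPLE_FILES = ["C:\\Windows\\System32\\vcmgcd32.dll", "C:\\Windows\\System32\\kernel32.dll"]
SAMPLE_MUTEXES = ["KUKU300a", "Global\\UnrelatedMutex"]

if __name__ == "__main__":
    for hit in sality_indicators(SAMPLE_INI, SAMPLE_FILES, SAMPLE_MUTEXES):
        print("indicator matched:", hit)
```

Any non-empty result is a reason to run a full disinfection rather than to delete the listed files by hand, since the infector also lives inside every modified .exe and .scr.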