(Win32/Sality.AH (Panda, McAfee), Win32/Sality.Y (Avira), Virus.Win32.Sality.aa (Kaspersky), Win32/Sality.NAR (NOD32))
Unexpected system activity, as the virus searches for executable files and appends its previously processed code to them.
Executable files grow in size by approximately 75 KB.
Presence, in the root directory of network shares or removable disk drives, of an Autorun.inf file that contains random strings and shell command lines pointing to an oddly named file in the same folder.
Blue screen when trying to boot into Safe Mode.
Please let BitDefender disinfect your files.
Ovidiu Visoiu, virus researcher
The virus is a polymorphic file infector which modifies executable files (.exe and .scr), appending its encrypted body at the end of the file in a newly created section. To get this code executed, the original code at the entry point is also replaced with polymorphic sequences that hold the decryption routine. The icon of an infected file is not changed. When launched, the following actions take place.
Modifies the memory of the Explorer.exe process, hooking some APIs used for file system access.
To hide itself, a rootkit is dropped: %System%\drivers\[random_name].sys. The file is detected by BitDefender as Win32.Sality.OH. A registry key pointing to the driver is added:
DisplayName = asc3360pr [...]
To override the Show Hidden and System Files folder option in Explorer, it sets the Hidden value of
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] to 2.
Modifies the following security-related registry values:
Global UserOffline = 0;
EnableLUA = 0;
Disables booting into Safe Mode by deleting the registry key [HKLM\SYSTEM\CurrentControlSet\Control\Safeboot]; attempting to enter Safe Mode then results in a blue screen.
Also, to avoid being detected, it tries to find and stop processes and services known to be part of antivirus or monitoring programs; it locates them using a list of words that such program names can contain (e.g. "BDMCON.", "BDSS.", "FILEMON", "Firewall").
Appends the following to the %WinDir%\system.ini file:
The virus spreads via network shares and removable disk drives. In the root folder of these it creates an Autorun.inf containing command lines that are executed when the drive is accessed and the Disable Autorun option is not set. The command lines try to launch an infected executable file (.exe, .pif) from the same folder; its name is composed of random characters.
Tries to download additional malware files from the following addresses:
Also tries to connect to random addresses on random ports and opens a UDP server on a random port.
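The Autorun.inf pattern described above (random padding lines plus launch keys pointing at an oddly named .exe/.pif in the same folder) can be triaged offline. The following is an added example, not BitDefender's code; the Autorun.inf contents and the "junk line" heuristic are constructed assumptions for illustration.

```python
"""Triage Autorun.inf contents for the Sality-style drive-infection pattern."""
import re

EXEC_KEYS = ("open", "shellexecute")          # keys run when the drive is opened
CMD_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command=
LAUNCH_EXT = (".exe", ".pif")                  # file types the text says are launched

def analyze_autorun(text):
    """Return findings for an Autorun.inf: which files its launch keys would run,
    how many padding lines (neither section, comment nor key=value) it carries,
    and whether it matches the pattern: same-folder .exe/.pif plus padding."""
    launchers, junk, section = [], 0, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                            # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()        # section header, e.g. [autorun]
            continue
        if "=" not in line:
            junk += 1                           # random string padding
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        parts = value.strip().strip('"').split()
        target = parts[0] if parts else ""      # program name without arguments
        if section == "autorun" and (key in EXEC_KEYS or CMD_KEY_RE.match(key)):
            launchers.append(target)
    same_folder = [t for t in launchers
                   if t.lower().endswith(LAUNCH_EXT) and "\\" not in t and "/" not in t]
    return {"launchers": launchers, "same_folder_exec": same_folder,
            "junk_lines": junk, "suspicious": bool(same_folder) and junk > 0}

# Constructed sample mimicking the described Autorun.inf (not a real capture).
SAMPLE_AUTORUN = """[autorun]
;dFhQz
open=kqxzv.exe
jWpLq
shell\\open\\command=kqxzv.exe
shellexecute=kqxzv.exe
"""
# Constructed benign sample: only a label and an icon, no launcher.
BENIGN_AUTORUN = "[autorun]\nlabel=Photos\nicon=photo.ico\n"

if __name__ == "__main__":
    print(analyze_autorun(SAMPLE_AUTORUN))
    print(analyze_autorun(BENIGN_AUTORUN))
```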