Win32.Sality.OG

LOW
MEDIUM
~75kB
(Win32/Sality.AH (Panda, McAfee), Win32/Sality.Y (Avira), Virus.Win32.Sality.aa (Kaspersky), Win32/Sality.NAR (NOD32))

Symptoms

Unexpected system activity, as the virus searches for executable files and appends its (polymorphically re-encrypted) code to them.
Executable files grow in size by ~75 KB.
An Autorun.inf file in the root directory of network shares or removable disk drives, containing random strings and shell command lines that point to an oddly named file in the same folder.
A blue screen when trying to boot into Safe Mode.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Ovidiu Visoiu, virus researcher

Technical Description:

The virus is a polymorphic file infector which modifies executable files (.exe and .scr), appending its encrypted body at the end of the file in a newly created section. To gain execution, the original code at the entry point is replaced with polymorphic sequences that hold the decryption routine. The icon of an infected file is not changed. When an infected file is launched, the following actions take place:
Modifies the memory of the Explorer.exe process, hooking APIs used for file system access.
To hide itself, a rootkit is dropped as %System%\drivers\[random_name].sys; Bitdefender detects this file as Win32.Sality.OH. A service registry key pointing to the driver is added:
[HKLM\SYSTEM\CurrentControlSet\Services\asc3360pr]
[...]ImagePath=[path_to_dropped_rootkit]
DisplayName = asc3360pr [...]
To override the "Show hidden files and folders" option in Explorer, it sets the Hidden value of
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] to 2
Modifies the following security-related registry values:
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%malware_path%"="%malware_path%:*:Enabled:ipsec"

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
GlobalUserOffline = 0
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
EnableLUA = 0
Disables booting into Safe Mode by deleting the registry key [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]; attempting to enter Safe Mode then results in a blue screen.
Also, to avoid detection, it tries to find and stop processes and services known to belong to antivirus or monitoring programs, matching their names against a list of substrings such programs may contain (e.g. "BDMCON.", "BDSS.", "FILEMON", "Firewall").
      
Appends the following to the %WinDir%\system.ini file:
  
[MCIDRV_VER]
   DEVICEMB=[RANDOM_NUMBER]
The virus spreads via network shares and removable disk drives. In the root folder of each it creates an Autorun.inf containing command lines that are executed when the drive is accessed and the Disable Autorun option is not set. The command lines try to launch an infected executable file (.exe, .pif) from the same folder; its name is composed of random characters.
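The host-side changes listed above (the registry values, the service key for the dropped driver, the deleted SafeBoot key, the firewall exception, the [MCIDRV_VER] marker in system.ini and the launch lines of a dropped Autorun.inf) can be checked with a small triage script. The following is an added example and not Bitdefender's code: the key paths and value names come from the description, every sample value (driver file name, host path, DEVICEMB number, autorun target) is constructed, and collect_live() is a hypothetical helper that fills the same snapshot shape from the live registry on a Windows host.

```python
"""Triage checks for the registry, system.ini and Autorun.inf changes
described in this entry. Added example, not Bitdefender's code; all sample
data below is constructed so the checks run offline."""
import configparser
import re
import sys

# (key, value name, data the virus writes), taken from the description above
SUSPECT_VALUES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", 2),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings", "GlobalUserOffline", 0),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", 0),
]
SAFEBOOT_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"
DRIVER_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\asc3360pr"
FIREWALL_LIST = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                 r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
WATCHED_KEYS = [k for k, _, _ in SUSPECT_VALUES] + [SAFEBOOT_KEY, DRIVER_KEY, FIREWALL_LIST]


def check_registry(snapshot):
    """snapshot maps key path -> {value name: data}; a key missing from the
    snapshot is missing from the registry. Returns a list of findings."""
    findings = []
    for key, name, bad in SUSPECT_VALUES:
        if snapshot.get(key, {}).get(name) == bad:
            findings.append(f"{key}\\{name} = {bad}")
    if SAFEBOOT_KEY not in snapshot:
        findings.append(f"{SAFEBOOT_KEY} missing: Safe Mode boot will fail")
    if DRIVER_KEY in snapshot:
        findings.append(f"{DRIVER_KEY} present, ImagePath={snapshot[DRIVER_KEY].get('ImagePath')}")
    for path, data in snapshot.get(FIREWALL_LIST, {}).items():
        # entries read "<path>:*:Enabled:<label>"; the virus labels its own exception "ipsec"
        if isinstance(data, str) and data.lower().endswith(":*:enabled:ipsec"):
            findings.append(f"firewall exception labelled ipsec for {path}")
    return findings


def check_system_ini(text):
    """Return the DEVICEMB value under [MCIDRV_VER], or None when absent."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.read_string(text)
    return cp.get("MCIDRV_VER", "DEVICEMB") if cp.has_option("MCIDRV_VER", "DEVICEMB") else None


# Autorun.inf keys that launch a program; the junk lines the virus adds never match
LAUNCH_RE = re.compile(r"^\s*(open|shellexecute|shell\\[^\\=\s]+\\command)\s*=\s*(\S+)",
                       re.IGNORECASE | re.MULTILINE)


def check_autorun(text):
    """Return the .exe/.pif files in the drive root that an Autorun.inf launches."""
    targets = []
    for _, target in LAUNCH_RE.findall(text):
        if target.lower().endswith((".exe", ".pif")) and "\\" not in target and target not in targets:
            targets.append(target)
    return targets


def collect_live():
    """Hypothetical helper, Windows only: read WATCHED_KEYS from the live registry."""
    import winreg
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for path in WATCHED_KEYS:
        root, _, sub = path.partition("\\")
        try:
            with winreg.OpenKey(roots[root], sub) as key:
                n_values = winreg.QueryInfoKey(key)[1]
                snapshot[path] = dict(winreg.EnumValue(key, i)[:2] for i in range(n_values))
        except OSError:
            pass  # key absent; for SafeBoot that absence is itself a finding
    return snapshot


# Constructed samples: the random-looking names stand in for ones the virus generates
SAMPLE_SNAPSHOT = {
    SUSPECT_VALUES[0][0]: {"Hidden": 2},
    SUSPECT_VALUES[1][0]: {"GlobalUserOffline": 0},
    SUSPECT_VALUES[2][0]: {"EnableLUA": 0},
    DRIVER_KEY: {"ImagePath": r"C:\WINDOWS\system32\drivers\kqzw.sys", "DisplayName": "asc3360pr"},
    FIREWALL_LIST: {r"C:\Program Files\App\app.exe": r"C:\Program Files\App\app.exe:*:Enabled:ipsec"},
    # SAFEBOOT_KEY deliberately absent: the virus deletes it
}
SAMPLE_SYSTEM_INI = "; for 16-bit app support\n[drivers]\nwave=mmdrv.dll\ntimer=timer.drv\n[MCIDRV_VER]\nDEVICEMB=938271\n"
SAMPLE_AUTORUN = r"""[autorun]
;fjk3 qzl9v wpo
open=xkqwf.exe
shell\open\command=xkqwf.exe
shell\explore\Command=xkqwf.pif
icon=%SystemRoot%\system32\shell32.dll,4
"""

if __name__ == "__main__":
    snapshot = collect_live() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for line in check_registry(snapshot):
        print("registry:", line)
    print("system.ini DEVICEMB:", check_system_ini(SAMPLE_SYSTEM_INI))
    print("autorun.inf launches:", check_autorun(SAMPLE_AUTORUN))
```

The registry checker works on a plain dictionary so the same logic can be fed from a live host, a .reg export or an offline hive; the system.ini and Autorun.inf checks take file contents, so they also apply to files copied off a suspect drive.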
Tries to download additional malware files from the following addresses:
http://kukutrustenet777.info
http://pzrk.ru        
http://www.kjwre9fqwieluoi.info
http://kjwre77638dfqwieuoi.info ...
          
It also tries to connect to random addresses on random ports and opens a UDP server on a random port.
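The file-level footprint described at the start of the technical description (a new trailing section holding the encrypted body, with the entry point redirected into it) can be checked statically. The following is an added example and not Bitdefender's code: build_pe() constructs two minimal PE32 files for the demonstration, so they are not real binaries, and the section name .xkqw, the sizes and the 7.0-bit entropy threshold are assumptions; real variants differ, so treat the result as a triage hint rather than a signature.

```python
"""Static check for an infected-looking PE: entry point inside a trailing
section that is writable and executable and holds high-entropy data.
Added example, not Bitdefender's code; sample files are constructed."""
import hashlib
import math
import struct

IMAGE_SCN_CNT_CODE = 0x20
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x40
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def entropy(data):
    """Shannon entropy in bits per byte; encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def parse_sections(pe):
    """Return (entry_rva, [(name, va, virtual_size, raw_offset, raw_size, flags), ...])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_off = struct.unpack_from("<IIII", pe, off + 8)
        flags = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, va, max(vsize, raw_size), raw_off, raw_size, flags))
    return entry_rva, sections


def assess(pe):
    """Flag a file whose entry point lies in its last section when that section
    is writable and executable and its raw data looks encrypted."""
    entry_rva, sections = parse_sections(pe)
    name, va, vsize, raw_off, raw_size, flags = sections[-1]
    entry_in_last = va <= entry_rva < va + vsize
    rwx = bool(flags & IMAGE_SCN_MEM_EXECUTE) and bool(flags & IMAGE_SCN_MEM_WRITE)
    ent = entropy(pe[raw_off:raw_off + raw_size])
    return {"last_section": name, "entry_in_last": entry_in_last, "writable_exec": rwx,
            "entropy": round(ent, 2), "suspicious": entry_in_last and rwx and ent > 7.0}


def build_pe(sections, entry_rva):
    """Construct a minimal PE32 image from [(name, va, flags, data)], 512-byte file alignment."""
    opt_size = 224
    raw_off = (0x40 + 4 + 20 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    out = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))       # e_lfanew = 0x40
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    out += opt
    body = bytearray()
    for name, va, flags, data in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        out += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va, raw_size,
                           raw_off + len(body), 0, 0, 0, 0, flags)
        body += data.ljust(raw_size, b"\0")
    return bytes(out.ljust(raw_off, b"\0") + body)


def pseudo_random(n, seed=b"constructed-example"):
    """Deterministic high-entropy bytes standing in for the encrypted virus body."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


TEXT = b"\x55\x8b\xec" + b"\x90" * 500 + b"\xc3"       # low-entropy stand-in for real code
CLEAN = build_pe([(".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE, TEXT),
                  (".data", 0x2000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE, b"hello\0" * 50)],
                 entry_rva=0x1000)
# Same file after the described infection: appended RWX section, entry point moved into it
INFECTED = build_pe([(".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE, TEXT),
                     (".data", 0x2000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE, b"hello\0" * 50),
                     (".xkqw", 0x3000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE,
                      pseudo_random(4096))],
                    entry_rva=0x3010)

if __name__ == "__main__":
    for label, pe in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, assess(pe))
```

Run against a real file, assess(open(path, "rb").read()) gives the same dictionary; packed or self-extracting executables also have high-entropy code sections, so a positive result is a reason to scan the file, not a verdict on its own.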