Win32.Sality.PB
SYMPTOMS: Increased processor and network activity without apparent reason.

TECHNICAL DESCRIPTION: When launched it performs the following actions:

- Ensures that it will be active on each system startup by altering the registry value [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]\Shell = Explorer.exe, appending its own path.
- Opens a UDP server on a random port and sends datagrams of various sizes and contents to random IP addresses and ports.
- Adds itself to the Windows Firewall registry key that defines the list of allowed applications: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]\%infected_file_path%
- Tries to protect itself from user detection and removal by disabling the Task Manager and Registry Editor programs:
  [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]\DisableTaskMgr = 1
  [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]\DisableRegistryTools = 1
- Disables some well-known security-related services by altering their start mode in the registry, setting [HKLM\SYSTEM\CurrentControlSet\Services\%service_name%]\Start to the value 0x4 (disabled). Affected services include ALG, VSSERV, bdss, NOD32krn, McShield, LIVESERV etc.
- Drops and launches a keylogger, %system%\28463\svchost.exe, detected as Trojan.Kelog.Ardamax.NAL.
- Tries to connect to the following URLs (unavailable at the time of this description):
  http://89.149.227.194
  http://SOSiTE_AVERI_SOSiTEEE.haha
  http://kjwre77638dfqwieuoi.info
  http://kukutrustnet777.info
  http://pacwebco.com
  http://www.freewebtown.com
  http://www.kjwre9fqwieluoi.info

Removal instructions: Please let BitDefender disinfect your files.

ANALYZED BY: Ovidiu Visoiu, virus researcher
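The registry and file-system changes listed in the technical description can be checked from an elevated PowerShell prompt. The script below is an added, read-only audit written for this page; it is not BitDefender code and changes nothing. It assumes the service names, policy values, dropped-file path and firewall key from the description, and the firewall check simply lists every allow-list entry for manual review rather than judging which are legitimate.

```powershell
# Added audit script (not part of the original description): reports the
# Win32.Sality.PB persistence and tamper indicators listed above. Read-only.
$findings = @()

# 1. Winlogon Shell should be exactly "Explorer.exe"; the worm appends its own path.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'Explorer.exe') {
    $findings += "Winlogon Shell modified: '$shell'"
}

# 2. Task Manager / Registry Editor lockout policies set to 1.
$policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    $v = (Get-ItemProperty -Path $policies -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) { $findings += "$name is set to 1" }
}

# 3. Security services named in the description switched to Start=4 (Disabled).
$services = 'ALG', 'VSSERV', 'bdss', 'NOD32krn', 'McShield', 'LIVESERV'
foreach ($svc in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $key) {
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -eq 4) { $findings += "Service $svc has Start=4 (disabled)" }
    }
}

# 4. Dropped keylogger path: %system%\28463\svchost.exe
$dropped = Join-Path ([Environment]::SystemDirectory) '28463\svchost.exe'
if (Test-Path $dropped) { $findings += "Dropped keylogger present: $dropped" }

# 5. Windows Firewall (XP-era) authorized applications list. Every entry is
#    listed for review; the infected file registers itself here by full path.
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwList) {
    $entries = Get-ItemProperty -Path $fwList
    foreach ($p in $entries.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's PSPath/PSChildName metadata
        $findings += "REVIEW firewall allow-list entry: $($p.Name) = $($p.Value)"
    }
}

if ($findings.Count -eq 0) {
    'No Win32.Sality.PB indicators found.'
} else {
    $findings | ForEach-Object { "FOUND: $_" }
}
```

A positive hit on items 1 to 4 is a strong sign of infection; item 5 needs a human to compare each allow-list path against the programs actually installed on the machine.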