
Win32.Sality.2.OE

HIGH
MEDIUM
~65 KB
(Trojan.Win32.Pakes.bxp, Win32/Tanatos.L, Win32.Sality.PB, W32.Sality-27)

Symptoms

- Executable files grow in size by about 65 KB.
- The system can no longer be started in Safe Mode.
- The system slows down while the virus searches for executable files to infect.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Tudor Bura, virus researcher

Technical Description:

The virus is a polymorphic file infector that modifies executable files by appending its encrypted body at the end of the file.
To reach its code, it replaces the code at the entry point with a polymorphic sequence holding the decryption routine.

It writes the following entry to %windir%\system.ini:
[MCIDRV_VER]
DEVICEMB=541021816060

The virus modifies or creates the following registry values:
- HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ -> %path_to_virus%\<virus_name>.exe (adds its own executable to the Windows Firewall authorized-applications list)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline -> 0 (clears Internet Explorer's "Work Offline" state)
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA -> 0 (disables User Account Control)
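As an added defender-side example (not part of the Bitdefender description), the following Python script checks a system.ini text and a .reg export for the exact system.ini entry and registry modifications listed above. The sample inputs are constructed, and the temp-folder executable path in the firewall entry is a placeholder.

```python
import configparser
import re

# Constructed sample of %windir%\system.ini carrying the entry the description lists.
SAMPLE_SYSTEM_INI = """[MCIDRV_VER]
DEVICEMB=541021816060
"""

# Constructed sample of a .reg export covering the three keys the description lists.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline"=dword:00000000
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Users\\test\\AppData\\Local\\Temp\\abcd.exe"="C:\\Users\\test\\AppData\\Local\\Temp\\abcd.exe:*:Enabled:abcd"
"""
LUA_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
OFFLINE_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\internet settings"
FW_KEY = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list"

def has_sality_ini_marker(ini_text):
    # True if system.ini holds a [MCIDRV_VER] section with a DEVICEMB value.
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return cp.has_option("MCIDRV_VER", "DEVICEMB")

def parse_reg_export(reg_text):
    # Minimal .reg parser: {key path (lower-cased): {value name: raw value text}}.
    keys, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and (m := re.match(r'^"([^"]*)"=(.*)$', line)):
            keys[current][m.group(1)] = m.group(2)
    return keys

def registry_findings(reg_text):
    # Report which of the described registry modifications are present in the export.
    keys = parse_reg_export(reg_text)
    findings = []
    if keys.get(LUA_KEY, {}).get("EnableLUA") == "dword:00000000":
        findings.append("EnableLUA=0 (UAC disabled)")
    if keys.get(OFFLINE_KEY, {}).get("GlobalUserOffline") == "dword:00000000":
        findings.append("GlobalUserOffline=0 (IE offline mode cleared)")
    for app in keys.get(FW_KEY, {}):  # every authorized application deserves analyst review
        findings.append("firewall-authorized application: " + app)
    return findings
```

On a live system the same checks apply to the real %windir%\system.ini and to a `reg export` of the three keys; an EnableLUA of 0 is not proof of infection on its own, since administrators sometimes disable UAC deliberately.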

The virus hides itself from detection by dropping a rootkit driver at %windir%\system32\drivers\<random name>.sys.

It tries to find and terminate processes and services belonging to antivirus programs, matching them against a hardcoded list of names.

It sends user information and other collected data to a set of hardcoded IP addresses.

The virus also downloads additional malware from a set of hardcoded web addresses.
