Virus.Win32.Sality.aa

From Total Malware Info

The description for Virus.Win32.Sality.aa was created during the beta-test of the «Malware description on demand» service. Learn more at: www.dnt-lab.com/en/services.

Last edited: 28.7.2010

This malicious program infects files on your computer. It is a Windows application (PE-EXE file). Its size is 171,519 bytes. It is packed with an unknown packer. Its unpacked size is about 190 KB. It is written in C++.


Payload

The trojan creates unique identifiers (mutexes) with the following names so that only one copy of its process runs: "Op1mutx9", "Ap1mutx7". Then the malicious program creates a copy of its original process in a separate thread. It disables the display of hidden files by adding the following parameter to the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002

It also configures the browser installed as the system default to always run in "on-line" mode by adding the following information to the registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline"=dword:00000000

It disables UAC (User Account Control) by setting the "EnableLUA" registry parameter to "0":

[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000

It adds itself to the list of applications authorized for network access in the Windows firewall by saving the following parameter in the registry key:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"<path_to_the_virus'_original_file>"="<path_to_the_virus'_original_file>:*:Enabled:ipsec"

Next, it creates registry keys that hold its service information:

[HKCU\Software\<user_name>914\903692176]
"1953719636"=dword:00000001
"-387528024"=dword:00000000
"1566191612"=dword:00000000
"-775056048"=dword:0000001e
"1178663588"=dword:0000008f
[HKCU\Software\<user_name>914]
"T<rnd>_<rnd>"="<rnd>"

where rnd is a random number.

Then it finds a file called:

%WinDir%\system.ini

and appends to it the following entry:

[MCIDRV_VER]
DEVICEMB=1812931242030

Then the malicious program extracts a file from its body; the file is saved under a random name in the Windows system directory:

%System%\drivers\<rnd>.sys

where rnd is a sequence of random lowercase Latin letters, for example, "mgpgjg". This file is 5,509 bytes and is detected by Kaspersky Antivirus as Virus.Win32.Sality.aa. The malicious program launches the extracted driver as a service called "asc3360pr". Then, the malicious program cyclically performs the following actions in separate threads:

  • It disables OS safe mode, by deleting the "AlternateShell" parameter in the registry key:
    [HKLM\System\CurrentControlSet\Control\SafeBoot]
    
    and also it removes the keys with all subkeys:
    [HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal]
    [HKLM\System\CurrentControlSet\Control\SafeBoot\Network]
    
  • It deletes files with "exe" and "rar" extensions in the temporary files directory of the current user:
    %Temp%\
    
  • It attempts to download files using the links:
    http://89.119.67.154/testo5/?=
    http://kukutrustnet777.info/home.gif?=
    http://kukutrustnet888.info/home.gif?=
    http://kukutrustnet987.info/home.gif?=
    http://www.kjwre9fqwieluoi.info/?=
    
    where rnd is a random alphanumeric sequence and rnd1 is a random numeric sequence. In the case of a successful download, these files are saved under the names:
    %Temp%\win.exe
    
    where rnd is 4 random letters. Then, each file is executed.
  • It stops and deletes the services called:
    AgnitumClientSecurityService
    ALG
    aswUpdSv
    avast!Antivirus
    avast!MailScanner
    avast!WebScanner
    BackWebPlug-in-4476822
    bdss
    BGLiveSvc
    BlackICE
    CAISafe
    ccEvtMgr
    ccProxy
    ccSetMgr
    EsetService
    F-ProtAntivirusUpdateMonitor
    fsbwsys
    FSDFWD
    F-SecureGatekeeperHandlerStarter
    fshttps
    FSMA
    InoRPC
    InoRT
    InoTask
    ISSVC
    KPF4
    LavasoftFirewall
    LIVESRV
    McAfeeFramework
    McShield
    McTaskManager
    navapsvc
    NOD32krn
    NPFMntor
    NSCService
    OutpostFirewallmainmodule
    OutpostFirewall
    PAVFIRES
    PAVFNSVR
    PavProt
    PavPrSrv
    PAVSRV
    PcCtlCom
    PersonalFirewal
    PREVSRV
    ProtoPortFirewallservice
    PSIMSVC
    RapApp
    SmcService
    SNDSrvc
    SPBBCSvc
    SymantecCoreLC
    Tmntsrv
    TmPfw
    tmproxy
    UmxAgent
    UmxCfg
    UmxLU
    UmxPol
    vsmon
    VSSERV
    WebrootDesktopFirewallDataService
    WebrootFirewall
    XCOMM
    AVP
    
  • It terminates processes whose names contain the following substrings:
    _AVPM.
    A2GUARD.
    AAVSHIELD.
    AVAST
    ADVCHK.
    AHNSD.
    AIRDEFENSE
    ALERTSVC
    ALMON.
    ALOGSERV
    ALSVC.
    AMON.
    ANTI-TROJAN.
    AVZ.
    ANTIVIR
    ANTS.
    APVXDWIN.
    ARMOR2NET.
    ASHAVAST.
    ASHDISP.
    ASHENHCD.
    ASHMAISV.
    ASHPOPWZ.
    ASHSERV.
    ASHSIMPL.
    ASHSKPCK.
    ASHWEBSV.
    ASWUPDSV.
    ATCON.
    ATUPDATER.
    ATWATCH.
    AUPDATE.
    AUTODOWN.
    AUTOTRACE.
    AUTOUPDATE.
    AVCIMAN.
    AVCONSOL.
    AVENGINE.
    AVGAMSVR.
    AVGCC.
    AVGCC32.
    AVGCTRL.
    AVGEMC.
    AVGFWSRV.
    AVGNT.
    AVGNTDD
    AVGNTMGR
    AVGSERV.
    AVGUARD.
    AVGUPSVC.
    AVINITNT.
    AVKSERV.
    AVKSERVICE.
    AVKWCTL.
    AVP.
    AVP32.
    AVPCC.
    AVPM.
    AVAST
    AVSCHED32.
    AVSYNMGR.
    AVWUPD32.
    AVWUPSRV.
    AVXMONITOR9X.
    AVXMONITORNT.
    AVXQUAR.
    BACKWEB-4476822.
    BDMCON.
    BDNEWS.
    BDOESRV.
    BDSS.
    BDSUBMIT.
    BDSWITCH.
    BLACKD.
    BLACKICE.
    CAFIX.
    CCAPP.
    CCEVTMGR.
    CCPROXY.
    CCSETMGR.
    CFIAUDIT.
    CLAMTRAY.
    CLAMWIN.
    CLAW95.
    CLAW95CF.
    CLEANER.
    CLEANER3.
    CLISVC.
    CMGRDIAN.
    CUREIT
    DEFWATCH.
    DOORS.
    DRVIRUS.
    DRWADINS.
    DRWEB32W.
    DRWEBSCD.
    DRWEBUPW.
    ESCANH95.
    ESCANHNT.
    EWIDOCTRL.
    EZANTIVIRUSREGISTRATIONCHECK.
    F-AGNT95.
    FAMEH32.
    FAST.
    FCH32.
    FILEMON
    FIRESVC.
    FIRETRAY.
    FIREWALL.
    FPAVUPDM.
    F-PROT95.
    FRESHCLAM.
    EKRN.
    FSAV32.
    FSAVGUI.
    FSBWSYS.
    F-SCHED.
    FSDFWD.
    FSGK32.
    FSGK32ST.
    FSGUIEXE.
    EGUI.
    FSMA32.
    FSMB32.
    FSPEX.
    FSSM32.
    F-STOPW.
    GCASDTSERV.
    GCASSERV.
    GIANTANTISPYWAREMAIN.
    GIANTANTISPYWAREUPDATER.
    GUARDGUI.
    GUARDNT.
    HREGMON.
    HRRES.
    HSOCKPE.
    HUPDATE.
    IAMAPP.
    IAMSERV.
    ICLOAD95.
    ICLOADNT.
    ICMON.
    ICSSUPPNT.
    ICSUPP95.
    ICSUPPNT.
    IFACE.
    INETUPD.
    INOCIT.
    INORPC.
    INORT.
    INOTASK.
    INOUPTNG.
    IOMON98.
    ISAFE.
    ISATRAY.
    ISRV95.
    ISSVC.
    KAV.
    KAVMM.
    KAVPF.
    KAVPFW.
    KAVSTART.
    KAVSVC.
    KAVSVCUI.
    KMAILMON.
    KPFWSVC.
    KWATCH.
    LOCKDOWN2000.
    LOGWATNT.
    LUALL.
    LUCOMSERVER.
    LUUPDATE.
    MCAGENT.
    MCMNHDLR.
    MCREGWIZ.
    MCUPDATE.
    MCVSSHLD.
    MINILOG.
    MYAGTSVC.
    MYAGTTRY.
    NAVAPSVC.
    NAVAPW32.
    NAVLU32.
    NAVW32.
    NOD32.
    NEOWATCHLOG.
    NEOWATCHTRAY.
    NISSERV
    NISUM.
    NMAIN.
    NOD32
    NORMIST.
    NOTSTART.
    NPAVTRAY.
    NPFMNTOR.
    NPFMSG.
    NPROTECT.
    NSCHED32.
    NSMDTR.
    NSSSERV.
    NSSTRAY.
    NTRTSCAN.
    NTXCONFIG.
    NUPGRADE.
    NVC95.
    NVCOD.
    NVCTE.
    NVCUT.
    NWSERVICE.
    OFCPFWSVC.
    OUTPOST.
    PAV.
    PAVFIRES.
    PAVFNSVR.
    PAVKRE.
    PAVPROT.
    PAVPROXY.
    PAVPRSRV.
    PAVSRV51.
    PAVSS.
    PCCGUIDE.
    PCCIOMON.
    PCCNTMON.
    PCCPFW.
    PCCTLCOM.
    PCTAV.
    PERSFW.
    PERTSK.
    PERVAC.
    PNMSRV.
    POP3TRAP.
    POPROXY.
    PREVSRV.
    PSIMSVC.
    QHM32.
    QHONLINE.
    QHONSVC.
    QHPF.
    QHWSCSVC.
    RAVMON.
    RAVTIMER.
    REALMON.
    REALMON95.
    RFWMAIN.
    RTVSCAN.
    RTVSCN95.
    RULAUNCH.
    SAVADMINSERVICE.
    SAVMAIN.
    SAVPROGRESS.
    SAVSCAN.
    SCAN32.
    SCANNINGPROCESS.
    CUREIT.
    SDHELP.
    SHSTAT.
    SITECLI.
    SPBBCSVC.
    SPHINX.
    SPIDERML.
    SPIDERNT.
    SPIDERUI.
    SPYBOTSD.
    SPYXX.
    SS3EDIT.
    STOPSIGNAV.
    SWAGENT.
    SWDOCTOR.
    SWNETSUP.
    SYMLCSVC.
    SYMPROXYSVC.
    SYMSPORT.
    SYMWSC.
    SYNMGR.
    TAUMON.
    TBMON.
    AVAST
    TDS-3.
    TEATIMER.
    TFAK.
    THAV.
    THSM.
    TMAS.
    TMLISTEN.
    TMNTSRV.
    TMPFW.
    TMPROXY.
    TNBUTIL.
    TRJSCAN.
    UP2DATE.
    VBA32ECM.
    VBA32IFS.
    VBA32LDR.
    VBA32PP3.
    VBSNTW.
    VCHK.
    VCRMON.
    VETTRAY.
    VIRUSKEEPER.
    VPTRAY.
    VRFWSVC.
    VRMONNT.
    VRMONSVC.
    VRRW32.
    VSECOMR.
    VSHWIN32.
    VSMON.
    VSSERV.
    VSSTAT.
    WATCHDOG.
    WEBPROXY.
    WEBSCANX.
    WEBTRAP.
    WGFE95.
    WINAW32.
    WINROUTE.
    WINSS.
    WINSSNOTIFY.
    WRADMIN.
    WRCTRL.
    XCOMMSVR.
    ZATUTOR.
    ZAUINST.
    ZLCLIENT.
    ZONEALARM.
    
  • It searches for windows with the text "dr.web", "cureit" and terminates the processes which have created these windows.
  • It searches for and deletes files with the extensions: "VDB", "KEY", "AVC", "drw".

At the time of writing, the links were not working.

Using the extracted driver, it blocks connections to domains whose addresses contain the following substrings:

cureit. 
drweb.
onlinescan.
spywareinfo.
ewido.
virusscan.
windowsecurity.
spywareguide.
bitdefender.
pandasoftware.
agnmitum.
virustotal.
sophos.
trendmicro.
etrust.com
symantec.
mcafee.
f-secure.
eset.com
kaspersky

Infecting Files

It infects Windows (PE-EXE) executable files with the following extensions:

EXE 
SCR

The virus does not infect files that are larger than 20,971,520 bytes or smaller than 512 bytes. It infects only files whose PE header contains a section named:

TEXT
UPX
CODE

Upon infection, the virus expands the last section of the PE file and appends its body to the end. The search for files to infect is performed on all logical drives of the hard disk. When an infected file is run, the malicious program copies the original uninfected file to a newly created temporary directory called:

%Temp%\<rnd>__Rar\<name of the executable file>.exe
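As an added example (not code from the original description or from the malware itself), the following Python helper applies the file-selection criteria above to a file held in memory, so a responder can triage which executables on a drive were candidates for infection. It parses the PE section table directly; the matching rule (case-insensitive substring on the section name, so ".text" and "UPX0" qualify) is an assumption, since the description lists only the bare names TEXT, UPX and CODE.

```python
import struct

# Infection criteria as stated in the description; the substring matching
# rule for section names is an assumption, not taken from the page.
MIN_SIZE, MAX_SIZE = 512, 20_971_520
TARGET_EXTS = (".exe", ".scr")
TARGET_SECTIONS = ("TEXT", "UPX", "CODE")


def pe_section_names(data: bytes) -> list:
    """Return the section names of an in-memory PE image; [] if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:
            break                                         # truncated section table
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def is_sality_candidate(filename: str, data: bytes) -> bool:
    """True if the file meets every infection criterion given in the description."""
    if not filename.lower().endswith(TARGET_EXTS):
        return False
    if not (MIN_SIZE <= len(data) <= MAX_SIZE):
        return False
    names = [n.upper() for n in pe_section_names(data)]
    return any(t in n for n in names for t in TARGET_SECTIONS)


def build_sample_pe(section_names, total_size):
    """Constructed minimal PE32 image for testing only (not a real executable)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    hdr += b"\0" * 224                                    # zeroed optional header
    for n in section_names:
        hdr += n.encode().ljust(8, b"\0") + b"\0" * 32    # name + zeroed header fields
    return bytes(hdr.ljust(total_size, b"\0"))
```

A real triage run would feed `is_sality_candidate` the name and bytes of each EXE and SCR file found on the logical drives the description says the virus walks.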

Startup

To start the original file automatically, the malicious program creates a hidden file in the root of all logical drives:

<X>:\autorun.inf

This file stores the startup command for the malicious program; when a logical drive is opened in Windows Explorer, the malicious program is launched.

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

  1. Terminate the malicious process using the Task Manager.
  2. Delete the original trojan file (its location on the infected computer will depend on how the program originally penetrated the victim machine).
  3. Delete the registry key:
    [HKCU\Software\914]
    
  4. Delete the values in the registry keys:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000002
    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] 
    ""=":*:Enabled:ipsec"
    
  5. Enable UAC (User Account Control) if it is needed:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system]
    "EnableLUA"=dword:00000001
    
  6. Restart the system services that were stopped by the malicious program.
  7. Delete the following file if it exists:
    %Temp%\win.exe
    
    where rnd is 4 random Latin letters.
  8. Perform a full system scan using an antivirus program with updated anti-virus databases (download a trial version).
