
Virus:Win32/Sality.T


First posted on 29 April 2019.
Source: Microsoft

Aliases:

Virus:Win32/Sality.T is also known as Win32/Sality.S, W32/Sality-AD, Win32.Sality.N, W32/Sality.AC, W32.Sality.X, PE_SALITY.AL.

Explanation:

Virus:Win32/Sality.T is a file infector that targets files with the extensions .SCR or .EXE. The virus may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

Installation

Upon execution, Virus:Win32/Sality.T drops its malicious code into the System folder as the following files:
wmdrtc32.dll
wmdrtc32.dl_

Note: the System folder is a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.

It then creates the mutex "_kuku_joker_v4.00" to prevent more than one instance of itself from running in memory at a time.

Spreads Via...

Infecting Files

Virus:Win32/Sality.T targets all files on drive C:, beginning with the root folder, that have the extension .EXE or .SCR. It infects each file it finds by adding a new code section to the host and inserting its malicious code into this newly added section.

Payload

Deletes Security-Related Files

This virus deletes security data files, including detection patterns or signatures, that have the following file extensions:
.AVC
.KEY
.VDB

Terminates Security-Related Processes
This virus terminates processes that begin with any of the following strings, which are usually associated with security applications:
_AVPM.
ADVCHK.                     
AHNSD.                      
ALOGSERV                    
ANTI-TROJAN.                
APVXDWIN.                   
ARMOR2NET.                  
ASHDISP.                    
ASHMAISV.                   
ASHPOPWZ.                   
ASHSERV.                    
ASHSKPCK.                   
ASHWEBSV.                   
ASWUPDSV.                   
ATCON.                      
AUTOTRACE.                  
AVCIMAN.                    
AVENGINE.                   
AVGAMSVR.                   
AVGCC.                      
AVGFWSRV.                   
AVGNT.                      
AVGNTMGR                    
AVINITNT.                   
AVKSERV.                    
AVKWCTL.                    
AVPUPD.                     
AVSCHED32.                  
AVWUPD32.                   
AVWUPSRV.                   
AVXMONITOR9X.               
AVXMONITORNT.               
AVXQUAR.                    
BDNEWS.                     
BDOESRV.                    
BDSUBMIT.                   
BDSWITCH.                   
BLACKD.                     
BLACKICE.                   
CAFIX.                      
CCPROXY.                    
CFIAUDIT.                   
CLAMTRAY.                   
CLAMWIN.                    
CLAW95CF.                   
CLEANER.                    
CLEANER3.                   
CLISVC.                     
CMGRDIAN.                   
DOORS.                      
DRWEB32W.                   
DRWEBSCD.                   
DRWEBUPW.                   
ESCANH95.                   
ESCANHNT.                   
EWIDOCTRL.                  
F-AGNT95.                   
FCH32.                      
FIRESVC.                    
FIREWALL.                   
FPAVUPDM.                   
F-PROT95.                   
FSAVGUI.                    
FSGK32.                     
FSGK32ST.                   
FSGUIEXE.                   
FSM32.                      
FSMB32.                     
FSPEX.                      
F-STOPW.                    
GCASSERV.                   
GIANTANTISPYWAREMAIN.       
GIANTANTISPYWAREUPDATER.    
GUARDNT.                    
IAMSERV.                    
ICLOADNT.                   
ICMON.                      
ICSSUPPNT.                  
ICSUPP95.                   
ICSUPPNT.                   
IFACE.                      
INORPC.                     
INORT.                      
IOMON98.                    
ISSVC.                      
KAVSTART.                   
KAVSVC.                     
KAVSVCUI.                   
KMAILMON.                   
KPFWSVC.                    
LOCKDOWN2000.               
LOGWATNT.                   
LUALL.                      
MCAGENT.                    
MCREGWIZ.                   
MCUPDATE.                   
MCVSSHLD.                   
MINILOG.                    
MYAGTTRY.                   
NAVAPSVC.                   
NAVAPW32.                   
NAVLU32.                    
NDD32.                      
NISSERV                     
NISUM.                      
NORMIST.                    
NPAVTRAY.                   
NPFMNTOR.                   
NPFMSG.                     
NPROTECT.                   
NSCHED32.                   
NSMDTR.                     
NSSSERV.                    
NTXCONFIG.                  
NVC95.                      
NVCOD.                      
PAVFNSVR.                   
PAVKRE.                     
PAVPROT.                    
PAVPRSRV.                   
PAVSRV51.                   
PAVSS.                      
PCCIOMON.                   
PCCNTMON.                   
PCCPFW.                     
PCCTLCOM.                   
PCTAV.                      
PERTSK.                     
PERVAC.                     
PNMSRV.                     
POP3TRAP.                   
POPROXY.                    
QHONSVC.                    
QHWSCSVC.                   
RAVMON.                     
RAVTIMER.                   
REALMON.                    
RFWMAIN.                    
RTVSCAN.                    
RTVSCN95.                   
SAVADMINSERVICE.            
SCANNINGPROCESS.            
SHSTAT.                     
SITECLI.                    
SPHINX.                     
SPIDERML.                   
SPIDERNT.                   
SPIDERUI.                   
SPYBOTSD.                   
SPYXX.                      
SWAGENT.                    
SWNETSUP.                   
SYMLCSVC.                   
SYMPROXYSVC.                
SYMWSC.                     
SYNMGR.                     
TAUMON.                     
TBMON.                      
TCA.                        
TCM.                        
TDS-3.                      
TEATIMER.                   
TFAK.                       
THAV.                       
THSM.                       
TMAS.                       
TMLISTEN.                   
TMNTSRV.                    
VBA32IFS.                   
VBA32LDR.                   
VBA32PP3.                   
VBSNTW.                     
VCHK.                       
VCRMON.                     
VETTRAY.                    
VRFWSVC.                    
VRRW32.                     
VSECOMR.                    
VSMON.                      
VSSTAT.                     
WATCHDOG.                   
WEBPROXY.                   
WEBSCANX.                   
WEBTRAP.                    
WINAW32.                    
WINSS.                      
XCOMMSVR.                   
ZATUTOR.                    
ZONEALARM.

Terminates Services

This virus terminates services that have the following names, which are usually associated with antivirus applications:
aswUpdSv
avast! Antivirus
avast! Mail Scanner
BlackICE
ccSetMgr
fsbwsys
fshttps
InoTask
KPF4
LavasoftFirewall
LIVESRV
McAfeeFramework
McShield
Outpost Firewall main module
PAVFIRES
PavPrSrv
PREVSRV
ProtoPort Firewall service
RapApp
SmcService
SNDSrvc
Symantec Core LC
Tmntsrv
UmxAgent
VSSERV
AVP

Downloads Files

This virus may connect to remote websites to download and run additional, possibly malicious, programs. It checks for Internet access by attempting a connection to the domain www.microsoft.com. If the connection succeeds, Win32/Sality.T may connect to pages within the website "kukutrustnet666.info" and attempt to download files. Downloaded files are saved to the %TEMP% folder and run from there.

Analysis by Francis Allan Tan Seng
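As an added, defender-side example (not part of Microsoft's write-up), the following Python script implements a triage heuristic for the infection layout described under "Infecting Files" above: it parses PE section headers with the standard library only and flags executables whose entry point lies inside a last, executable section. The section names, addresses and sample headers are all constructed in the script and are not real Sality artefacts.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020      # section characteristic flags (PE spec)
IMAGE_SCN_MEM_EXECUTE = 0x20000000

def parse_pe(data):
    """Return (entry_rva, [(name, virtual_address, size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):                         # 40-byte IMAGE_SECTION_HEADER entries
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name, vsize, va, rawsize, chars = f[0], f[1], f[2], f[3], f[9]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize), chars))
    return entry_rva, sections

def entry_in_appended_section(data):
    """True when the entry point lies inside the LAST section and that section is
    executable: the layout an appended-code-section infector leaves behind."""
    entry_rva, sections = parse_pe(data)
    if len(sections) < 2:
        return False
    _, va, size, chars = sections[-1]
    return va <= entry_rva < va + size and bool(chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))

def build_pe_headers(sections, entry_rva):
    """Constructed test input: minimal PE32 headers with no real code, for exercising the heuristic."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0).ljust(224, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, sz, va, sz, 0, 0, 0, 0, 0, ch)
                     for n, va, sz, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table

# Constructed samples (not real Sality artefacts): a normal layout, and one with an
# executable section appended after .data that now holds the entry point.
CLEAN = build_pe_headers([(b".text", 0x1000, 0x2000, 0x60000020),
                          (b".data", 0x3000, 0x1000, 0xC0000040)], entry_rva=0x1200)
SUSPECT = build_pe_headers([(b".text", 0x1000, 0x2000, 0x60000020),
                            (b".data", 0x3000, 0x1000, 0xC0000040),
                            (b".added", 0x4000, 0x0800, 0xE0000020)], entry_rva=0x4010)
```

Packers and some linkers also place the entry point in the final section, so treat a hit as a reason to look closer (for example at the dropped files, mutex and section count noted above), not as a detection on its own.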

Last update 29 April 2019
