Virus:Win32/Sality.AT
First posted on 15 February 2019.
Source: Microsoft
Aliases:
Virus:Win32/Sality.AT is also known as W32/Sality.B.gen!Eldorado, W32/Sality.AT, Win32/Sality.AA, Win32.Sector.21, Win32/Sality.NBA, Trojan.Win32.Vilsel.vyy, W32/Sality.gen.e, W32/Sality.BD, W32/Spamta.QO.worm, Win32.KUKU.kj, Troj/SalLoad-A, PE_SALITY.BA.
Explanation:
Installation
Sality.AT drops a device driver as the following:
%SystemRoot%\system32\drivers\amsint32.sys
We detect this driver as Trojan:WinNT/Sality.
The virus creates and starts a system service named amsint32 to run the dropped driver component. Sality.AT communicates with the driver component to restore the system service descriptor table (SSDT).
Spreads through…
File infection
Sality.AT injects code into all running processes to load and run the virus and infect Windows executable files with extension .EXE or .SCR. The virus seeks other target files by reading file names found in the following registry subkeys:
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sality.AT does not infect files protected by SFC or if the file name starts with one of the following strings:
_AVPM. AVWUPSRV. GUARDGUI. NPROTECT. SITECLI. A2GUARD. AVXMONITOR9X. GUARDNT. NSCHED32. SPBBCSVC. AAVSHIELD. AVXMONITORNT. HREGMON. NSMDTR. SPHINX. AVAST AVXQUAR. HRRES. NSSSERV. SPIDERCPL. ADVCHK. BDMCON. HSOCKPE. NSSTRAY. SPIDERML. AHNSD. BDNEWS. HUPDATE. NTRTSCAN. SPIDERNT. AIRDEFENSE BDSUBMIT. IAMAPP. NTOS. SPIDERUI. ALERTSVC BDSWITCH. IAMSERV. NTXCONFIG. SPYBOTSD. ALOGSERV BLACKD. ICLOAD95. NUPGRADE. SPYXX. ALSVC. BLACKICE. ICLOADNT. NVCOD. SS3EDIT. AMON. CAFIX. ICMON. NVCTE. STOPSIGNAV. ANTI-TROJAN. CCAPP. ICSSUPPNT. NVCUT. SWAGENT. AVZ. CCEVTMGR. ICSUPP95. NWSERVICE. SWDOCTOR. ANTIVIR CCPROXY. ICSUPPNT. OFCPFWSVC. SWNETSUP. APVXDWIN. CCSETMGR. IFACE. OUTPOST SYMLCSVC. ARMOR2NET. CFIAUDIT. INETUPD. OP_MON. SYMPROXYSVC. ASHAVAST. CLAMTRAY. INOCIT. PAVFIRES. SYMSPORT. ASHDISP. CLAMWIN. INORPC. PAVFNSVR. SYMWSC. ASHENHCD. CLAW95. INORT. PAVKRE. SYNMGR. ASHMAISV. CUREIT INOTASK. PAVPROT. TAUMON. ASHPOPWZ. DEFWATCH. INOUPTNG. PAVPROXY. TBMON. ASHSERV. DRVIRUS. IOMON98. PAVPRSRV. AVAST ASHSIMPL. DRWADINS. ISAFE. PAVSRV51. TMLISTEN. ASHSKPCK. DRWEB32W. ISATRAY. PAVSS. TMNTSRV. ASHWEBSV. DRWEBSCD. ISRV95. PCCGUIDE. TMPFW. ASWUPDSV. DRWEBUPW. ISSVC. PCCIOMON. TMPROXY. ATCON. DWEBLLIO KAV. PCCNTMON. TNBUTIL. ATUPDATER. DWEBIO KAVMM. PCCPFW. TRJSCAN. ATWATCH. ESCANH95. KAVPF. PCCTLCOM. UP2DATE. AVCIMAN. ESCANHNT. KAVPFW. PCTAV. VBA32ECM. AVCONSOL. EWIDOCTRL. KAVSTART. PERSFW. VBA32IFS. AVENGINE. EZANTIVIRUSREGISTRATIONCHECK. KAVSVC. PERTSK. VBA32LDR. AVESVC. F-AGNT95. KAVSVCUI. PERVAC. VBA32PP3. AVGAMSVR. FAMEH32. KMAILMON. PNMSRV. VBSNTW. AVGCC. FILEMON KPFWSVC. POP3TRAP. VCRMON. AVGCC32. FIRESVC. MCAGENT. POPROXY. VPTRAY. AVGCTRL. FIRETRAY. MCMNHDLR. PREVSRV. VRFWSVC. AVGEMC. FIREWALL. MCREGWIZ. PSIMSVC. VRMONNT. AVGFWSRV. FPAVUPDM. MCUPDATE. QHONLINE. VRMONSVC. AVGNT. FRESHCLAM. MCVSSHLD. QHONSVC. VRRW32. AVGNTDD EKRN. MINILOG. QHWSCSVC. VSECOMR. AVGNTMGR FSAV32. MYAGTSVC. RAVMON. VSHWIN32. AVGSERV. FSAVGUI. MYAGTTRY. RAVTIMER. VSMON. AVGUARD. FSBWSYS. NAVAPSVC. 
AVGNT VSSERV. AVGUPSVC. F-SCHED. NAVAPW32. AVCENTER. VSSTAT. AVINITNT. FSDFWD. NAVLU32. RFWMAIN. WATCHDOG. AVKSERV. FSGK32. NAVW32. RTVSCAN. WEBSCANX. AVKSERVICE. FSGK32ST. NEOWATCHLOG. RTVSCN95. WEBTRAP. AVKWCTL. FSGUIEXE. NEOWATCHTRAY. RULAUNCH. WGFE95. AVP. FSMA32. NISSERV SALITY WINAW32. AVP32. FSMB32. NISUM. SAVADMINSERVICE. WINROUTE. AVPCC. FSPEX. NMAIN. SAVMAIN. WINSS. AVPM. FSSM32. NOD32 SAVPROGRESS. WINSSNOTIFY. AVAST F-STOPW. NORMIST. SAVSCAN. WRCTRL. AVSERVER. GCASDTSERV. NOTSTART. SCANNINGPROCESS. XCOMMSVR. AVSCHED32. GCASSERV. NPAVTRAY. SDRA64. ZAUINST AVSYNMGR. GIANTANTISPYWAREMAIN. NPFMNTOR. SDHELP. ZLCLIENT AVWUPD32. GIANTANTISPYWAREUPDATER. NPFMSG. SHSTAT. ZONEALARM
Removable and remote drives
Sality.AT tries to copy one of the following files to the Windows temporary files folder (for example, %TEMP%) and infects the copied file:
%SystemRoot%\system32\NOTEPAD.EXE
%SystemRoot%\system32\WINMINE.EXE
The virus copies the infected file to the root of all remote and removable drives with one of the following file extensions:
.pif
.exe
.cmd
The virus then writes an Autorun configuration file named autorun.inf pointing to the virus copy. When the drive is accessed from a PC supporting the Autorun feature, the virus is launched automatically.
Payload
Prevents booting Windows in safe mode
Sality.AT recursively deletes all registry values and data under the following registry subkeys, preventing you from starting Windows in safe mode:
HKLM\System\CurrentControlSet\Control\SafeBoot
HKCU\System\CurrentControlSet\Control\SafeBoot
Disables security monitoring software
Sality.AT reads the system service descriptor table (SSDT) directly from the NT kernel (ntoskrnl.exe) and passes the original SSDT to a buffer created by the driver component (Trojan:WinNT/Sality). System API calls through the SSDT are redirected to the clean copy stored in the driver component. This behavior might block some HIPS or antivirus on-access detection methods that rely on SSDT hooks.
Deletes security-related files
This virus deletes security data files, including security software detection databases and signature files, that have the following file extensions, searching all drives and network shares:
.AVC
.VDB
Stops security-related services
Win32/Sality tries to stop and delete the following security-related services:
Agnitum Client Security Service cmdGuard PAVSRV ALG cmdAgent PcCtlCom Amon monitor Eset Service PersonalFirewal aswUpdSv Eset HTTP Server PREVSRV aswMon2 Eset Personal Firewall ProtoPort Firewall service swRdr F-Prot Antivirus Update Monitor PSIMSVC aswSP fsbwsys RapApp aswTdi FSDFWD SmcService aswFsBlk F-Secure Gatekeeper Handler Starter SNDSrvc acssrv FSMA SPBBCSvc AV Engine Google Online Services SpIDer FS Monitor for Windows NT avast! iAVS4 Control Service InoRPC SpIDer Guard File System Monitor avast! Antivirus InoRT SPIDERNT avast! Mail Scanner InoTask Symantec Core LC avast! Web Scanner ISSVC Symantec Password Validation avast! Asynchronous Virus Monitor KPF4 Symantec AntiVirus Definition Watcher avast! Self Protection KLIF SavRoam AVG E-mail Scanner LavasoftFirewall Symantec AntiVirus Avira AntiVir Premium Guard LIVESRV Tmntsrv Avira AntiVir Premium WebGuard McAfeeFramework TmPfw Avira AntiVir Premium MailGuard McShield tmproxy AVP McTaskManager tcpsr avp1 navapsvc UmxAgent BackWeb Plug-in - 4476822 NOD32krn UmxCfg bdss NPFMntor UmxLU BGLiveSvc NSCService UmxPol BlackICE Outpost Firewall main module vsmon CAISafe OutpostFirewall VSSERV ccEvtMgr PAVFIRES WebrootDesktopFirewallDataService ccProxy PAVFNSVR WebrootFirewall ccSetMgr PavProt XCOMM COMODO Firewall Pro Sandbox Driver PavPrSrv
Stops security-related processes
Win32/Sality tries to stop security-related processes if their process name starts with any of these strings:
AVPM. AVWUPSRV. GUARDGUI. NPROTECT. SITECLI. A2GUARD. AVXMONITOR9X. GUARDNT. NSCHED32. SPBBCSVC. AAVSHIELD. AVXMONITORNT. HREGMON. NSMDTR. SPHINX. AVAST AVXQUAR. HRRES. NSSSERV. SPIDERCPL. ADVCHK. BDMCON. HSOCKPE. NSSTRAY. SPIDERML. AHNSD. BDNEWS. HUPDATE. NTRTSCAN. SPIDERNT. AIRDEFENSE BDSUBMIT. IAMAPP. NTOS. SPIDERUI. ALERTSVC BDSWITCH. IAMSERV. NTXCONFIG. SPYBOTSD. ALOGSERV BLACKD. ICLOAD95. NUPGRADE. SPYXX. ALSVC. BLACKICE. ICLOADNT. NVCOD. SS3EDIT. AMON. CAFIX. ICMON. NVCTE. STOPSIGNAV. ANTI-TROJAN. CCAPP. ICSSUPPNT. NVCUT. SWAGENT. AVZ. CCEVTMGR. ICSUPP95. NWSERVICE. SWDOCTOR. ANTIVIR CCPROXY. ICSUPPNT. OFCPFWSVC. SWNETSUP. APVXDWIN. CCSETMGR. IFACE. OUTPOST SYMLCSVC. ARMOR2NET. CFIAUDIT. INETUPD. OP_MON. SYMPROXYSVC. ASHAVAST. CLAMTRAY. INOCIT. PAVFIRES. SYMSPORT. ASHDISP. CLAMWIN. INORPC. PAVFNSVR. SYMWSC. ASHENHCD. CLAW95. INORT. PAVKRE. SYNMGR. ASHMAISV. CUREIT INOTASK. PAVPROT. TAUMON. ASHPOPWZ. DEFWATCH. INOUPTNG. PAVPROXY. TBMON. ASHSERV. DRVIRUS. IOMON98. PAVPRSRV. AVAST ASHSIMPL. DRWADINS. ISAFE. PAVSRV51. TMLISTEN. ASHSKPCK. DRWEB32W. ISATRAY. PAVSS. TMNTSRV. ASHWEBSV. DRWEBSCD. ISRV95. PCCGUIDE. TMPFW. ASWUPDSV. DRWEBUPW. ISSVC. PCCIOMON. TMPROXY. ATCON. DWEBLLIO KAV. PCCNTMON. TNBUTIL. ATUPDATER. DWEBIO KAVMM. PCCPFW. TRJSCAN. ATWATCH. ESCANH95. KAVPF. PCCTLCOM. UP2DATE. AVCIMAN. ESCANHNT. KAVPFW. PCTAV. VBA32ECM. AVCONSOL. EWIDOCTRL. KAVSTART. PERSFW. VBA32IFS. AVENGINE. EZANTIVIRUSREGISTRATIONCHECK. KAVSVC. PERTSK. VBA32LDR. AVESVC. F-AGNT95. KAVSVCUI. PERVAC. VBA32PP3. AVGAMSVR. FAMEH32. KMAILMON. PNMSRV. VBSNTW. AVGCC. FILEMON KPFWSVC. POP3TRAP. VCRMON. AVGCC32. FIRESVC. MCAGENT. POPROXY. VPTRAY. AVGCTRL. FIRETRAY. MCMNHDLR. PREVSRV. VRFWSVC. AVGEMC. FIREWALL. MCREGWIZ. PSIMSVC. VRMONNT. AVGFWSRV. FPAVUPDM. MCUPDATE. QHONLINE. VRMONSVC. AVGNT. FRESHCLAM. MCVSSHLD. QHONSVC. VRRW32. AVGNTDD EKRN. MINILOG. QHWSCSVC. VSECOMR. AVGNTMGR FSAV32. MYAGTSVC. RAVMON. VSHWIN32. AVGSERV. FSAVGUI. MYAGTTRY. RAVTIMER. VSMON. AVGUARD. FSBWSYS. NAVAPSVC. 
AVGNT VSSERV. AVGUPSVC. F-SCHED. NAVAPW32. AVCENTER. VSSTAT. AVINITNT. FSDFWD. NAVLU32. RFWMAIN. WATCHDOG. AVKSERV. FSGK32. NAVW32. RTVSCAN. WEBSCANX. AVKSERVICE. FSGK32ST. NEOWATCHLOG. RTVSCN95. WEBTRAP. AVKWCTL. FSGUIEXE. NEOWATCHTRAY. RULAUNCH. WGFE95. AVP. FSMA32. NISSERV SALITY WINAW32. AVP32. FSMB32. NISUM. SAVADMINSERVICE. WINROUTE. AVPCC. FSPEX. NMAIN. SAVMAIN. WINSS. AVPM. FSSM32. NOD32 SAVPROGRESS. WINSSNOTIFY. AVAST F-STOPW. NORMIST. SAVSCAN. WRCTRL. AVSERVER. GCASDTSERV. NOTSTART. SCANNINGPROCESS. XCOMMSVR. AVSCHED32. GCASSERV. NPAVTRAY. SDRA64. ZAUINST AVSYNMGR. GIANTANTISPYWAREMAIN. NPFMNTOR. SDHELP. ZLCLIENT AVWUPD32. GIANTANTISPYWAREUPDATER. NPFMSG. SHSTAT. ZONEALARM
Additionally, Sality.AT kills processes that have the following modules loaded:
DWEBLLIO DWEBIO
Changes Windows settings
Sality.AT changes the registry to disable Windows Registry Editor:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
Sets value: "DisableRegistryTools"
With data: "1"
The virus changes the registry to prevent viewing files with hidden attributes.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
Sets value: "Hidden"
With data: "2"
Lowers PC security
Sality.AT changes the registry to bypass the Windows firewall.
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: ":*:enabled:ipsec"
With data: ""
The virus changes other registry data that lowers the security of the infected PC. Sality.AT changes the following registry data to alter Windows Security Center and Windows Firewall settings.
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "AntiVirusOverride"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "AntiVirusDisableNotify"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "FirewallOverride"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "FirewallDisableNotify"
With data: "1"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
With data: "0"
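As an added defender-side example (not part of the Microsoft write-up), this read-only PowerShell script checks a host for the registry, driver-file and service artifacts described in this entry and reports what it finds without changing anything. It assumes the SafeBoot\Minimal and SafeBoot\Network subkey names for the safe-mode check and matches the firewall exception on either the value name or its data, since the write-up shows only the ":*:enabled:ipsec" fragment.

```powershell
# Added triage script; expected values are the ones listed in the Sality.AT description.
$findings = @()

$checks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\system'; Name = 'DisableRegistryTools'; Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer';        Name = 'Hidden';               Bad = 2 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center';     Name = 'AntiVirusOverride';      Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'; Name = 'AntiVirusOverride';      Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'; Name = 'AntiVirusDisableNotify'; Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'; Name = 'FirewallOverride';       Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'; Name = 'FirewallDisableNotify';  Bad = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name = 'EnableFirewall'; Bad = 0 }
)
foreach ($c in $checks) {
    # Missing key or value is fine: only the exact "bad" data the virus writes is reported
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($c.Name) -eq $c.Bad) {
        $findings += "Registry: $($c.Key)\$($c.Name) = $($c.Bad)"
    }
}

# Firewall exception added under AuthorizedApplications\List (name-or-data match is an assumption)
$listKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$list = Get-ItemProperty -Path $listKey -ErrorAction SilentlyContinue
if ($list) {
    $hits = $list.PSObject.Properties | Where-Object { $_.Name -match ':enabled:ipsec' -or "$($_.Value)" -match ':enabled:ipsec' }
    foreach ($h in $hits) { $findings += "Registry: firewall exception '$($h.Name)' = '$($h.Value)'" }
}

# The virus empties the SafeBoot tree; a healthy system has entries under Minimal and Network (assumed subkeys)
foreach ($sb in 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal', 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network') {
    if (-not (Test-Path $sb) -or @(Get-ChildItem $sb -ErrorAction SilentlyContinue).Count -eq 0) {
        $findings += "SafeBoot: $sb missing or empty (safe mode likely broken)"
    }
}

# Dropped driver and the service created to load it
if (Test-Path (Join-Path $env:SystemRoot 'system32\drivers\amsint32.sys')) { $findings += 'File: amsint32.sys present' }
if (Get-Service -Name 'amsint32' -ErrorAction SilentlyContinue) { $findings += 'Service: amsint32 registered' }

if ($findings.Count -eq 0) { 'No Sality.AT artifacts found' } else { $findings }
```

Run from an elevated prompt so the HKLM and service queries succeed; a clean host prints only the final line.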
Downloads files
Sality.AT tries to download files from remote servers to the local drive, then decrypts and runs the downloaded files. We have observed the virus connecting to the following servers:
www.klkjwre9fqwieluoi.info kukutrustnet777888.info klkjwre77638dfqwieuoi888.info 89.119.67.154 kukutrustnet777.info kukutrustnet888.info kukutrustnet987.info
At the time of this writing, retrieved files were identified as the following:
TrojanProxy:Win32/Pramro.F
TrojanSpy:Win32/Keatep.B
Analysis by Shawn Wang and Hamish O'Dea
Last update 15 February 2019