
Spammer:Win32/Sality.A


First posted on 14 September 2017.
Source: Microsoft

Aliases:

There are no other names known for Spammer:Win32/Sality.A.

Explanation:

Spammer:Win32/Sality.A is a detection for malware that searches a user's Outlook address book and Internet Explorer cached files for e-mail addresses to send spammed messages to.

Installation

Spammer:Win32/Sality.A may be dropped and installed by other malware. It may arrive in the system using a random file name. Upon execution, it creates a mutex, for example, '65r9nmjhWIO', to ensure that only one instance of itself is running.

Payload

Modifies system settings
Spammer:Win32/Sality.A modifies the Windows Firewall policy list to allow itself to bypass the firewall and access the Internet:

Adds value: "<malware file name>"
With data: "<malware file name>:Enabled:ipsec"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

where <malware file name> is the malware file name.
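The firewall exception described above is a persistent, auditable artifact. The following script is an added example (not Microsoft's analysis and not the malware's code) that parses exported entries of the AuthorizedApplications\List key and flags the two properties a defender would look for: an enabled exception whose executable lives in a user-writable directory, and an entry whose value name does not match the path embedded in its data. It assumes the standard XP-era data layout `<path>:<scope>:Enabled|Disabled:<display name>`; the page itself only shows the `:Enabled:ipsec` tail, so the parser also accepts data without the scope field. The sample entries, including the file name `hjkf4s.exe`, are constructed.

```python
"""Audit entries of the Windows Firewall AuthorizedApplications\\List key.

Added example; not from the original page. The real key is
HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List
Each REG_SZ value is named after the executable path and its data is assumed
to be laid out as <path>:<scope>:Enabled|Disabled:<display name>.
"""
import re
from dataclasses import dataclass

# Directories a firewall exception should not normally point into (assumption:
# legitimate exceptions live under Program Files or the Windows directory).
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\local settings\\",
                 "\\documents and settings\\", "\\users\\")

STATE_RE = re.compile(r":(Enabled|Disabled):", re.IGNORECASE)


@dataclass
class FirewallException:
    value_name: str
    path: str
    scope: str
    enabled: bool
    display_name: str


def parse_exception(value_name: str, data: str) -> FirewallException:
    """Split '<path>[:<scope>]:Enabled:<name>' into fields.

    Paths contain a drive colon, so the Enabled/Disabled token is located first
    and a scope is only peeled off when the piece after the last remaining
    colon contains no backslash (e.g. '*' or a subnet).
    """
    matches = list(STATE_RE.finditer(data))
    if not matches:
        raise ValueError(f"no Enabled/Disabled token in {data!r}")
    m = matches[-1]
    left, name = data[:m.start()], data[m.end():]
    head, sep, tail = left.rpartition(":")
    if sep and "\\" not in tail and "\\" in head:
        path, scope = head, tail
    else:
        path, scope = left, ""
    return FirewallException(value_name, path, scope,
                             m.group(1).lower() == "enabled", name)


def audit_exception(exc: FirewallException) -> list[str]:
    """Return human-readable findings for one enabled exception."""
    findings = []
    if not exc.enabled:
        return findings
    if exc.value_name.lower() != exc.path.lower():
        findings.append("value name and embedded path differ")
    if any(d in exc.path.lower() for d in USER_WRITABLE):
        findings.append("executable lives in a user-writable directory")
    return findings


def audit_list(entries: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map value name -> findings for every entry that has at least one."""
    report = {}
    for value_name, data in entries:
        try:
            exc = parse_exception(value_name, data)
        except ValueError as e:
            report[value_name] = [str(e)]
            continue
        findings = audit_exception(exc)
        if findings:
            report[value_name] = findings
    return report


# Constructed sample export: one legitimate entry and one modelled on the
# page's description (random file name, display name "ipsec").
SAMPLE_ENTRIES = [
    (r"C:\Program Files\Mozilla Firefox\firefox.exe",
     r"C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"),
    (r"C:\Documents and Settings\user\Local Settings\Temp\hjkf4s.exe",
     r"C:\Documents and Settings\user\Local Settings\Temp\hjkf4s.exe:*:Enabled:ipsec"),
]

if __name__ == "__main__":
    for name, findings in audit_list(SAMPLE_ENTRIES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a live system the same checks apply to the output of `reg query` against the key above; the display name check is deliberately left out because legitimate entries often use a product name that does not resemble the executable, whereas a mismatched value name or a user-writable path is rarely legitimate.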
Sends spammed e-mail messages

Spammer:Win32/Sality.A attempts to search the user's Outlook address book and Internet Explorer's cached files for e-mail addresses. It then connects to a remote server, for example, 85.17.167.196, to submit the addresses it has obtained. From the same server it then retrieves spam e-mail message contents and the SMTP servers through which the messages are sent. Before sending out the spammed e-mail messages, it checks whether the system's IP address is listed by the following spam-blocking services:

bl.spamcop.net
cbl.abuseat.org
list.dsbl.org
sbl-xbl.spamhaus.org
zen.spamhaus.org
combined.njabl.org
multihop.dsbl.org
blackholes.uceb.org
bl.csma.biz
db.wpbl.info
dnsbl.njabl.org
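The services listed above are DNS-based blocklists (DNSBLs), the same mechanism mail gateways use to reject connections from known spam sources; an administrator can run the identical query to learn whether their own egress address is listed. The script below is an added example (not from the page and not the malware's code) showing how such a lookup is formed and interpreted: the IPv4 octets are reversed and prefixed to the zone name, and an answer inside 127.0.0.0/8 means "listed" while NXDOMAIN means "not listed". The resolver is pluggable so the logic runs offline; the canned answers for 203.0.113.9 are constructed, and several zones in the page's list (the dsbl.org and njabl.org zones among them) have since been shut down, so live results for those are meaningless.

```python
"""DNSBL lookup construction and interpretation with a pluggable resolver.

Added example; not from the original page. The zone list is copied from the
page; the canned answers for 203.0.113.9 are constructed test data.
"""
import ipaddress
from typing import Callable, Optional

# Zones exactly as listed on the page.
DNSBL_ZONES = [
    "bl.spamcop.net",
    "cbl.abuseat.org",
    "list.dsbl.org",
    "sbl-xbl.spamhaus.org",
    "zen.spamhaus.org",
    "combined.njabl.org",
    "multihop.dsbl.org",
    "blackholes.uceb.org",
    "bl.csma.biz",
    "db.wpbl.info",
    "dnsbl.njabl.org",
]

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")

# A resolver takes a DNS name and returns one A record, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """203.0.113.9 + zen.spamhaus.org -> 9.113.0.203.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything but IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed_response(answer: Optional[str]) -> bool:
    """A 'listed' answer is an A record inside 127.0.0.0/8; NXDOMAIN is not listed."""
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in LISTED_RANGE
    except ValueError:
        return False


def check_ip(ip: str, resolver: Resolver, zones=DNSBL_ZONES) -> list[str]:
    """Return the zones, in list order, that report `ip` as listed."""
    hits = []
    for zone in zones:
        if is_listed_response(resolver(dnsbl_query_name(ip, zone))):
            hits.append(zone)
    return hits


# Constructed stand-in resolver: pretends 203.0.113.9 is listed by two zones.
CONSTRUCTED_ANSWERS = {
    "9.113.0.203.zen.spamhaus.org": "127.0.0.4",
    "9.113.0.203.bl.spamcop.net": "127.0.0.2",
}


def fake_resolver(name: str) -> Optional[str]:
    return CONSTRUCTED_ANSWERS.get(name)


def system_resolver(name: str) -> Optional[str]:
    """Real lookup through the OS resolver; only used when run as a script."""
    import socket
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.9"
    resolver = system_resolver if len(sys.argv) > 1 else fake_resolver
    print(target, "listed by:", check_ip(target, resolver) or "none")
```

Run with no arguments to see the constructed result; pass an address to query the live zones through the system resolver. Note that most DNSBL operators rate-limit or block queries that arrive through large public resolvers, so a production mail gateway should query from its own resolver.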

Analysis by Shawn Wang

Last update 14 September 2017
