Home / malware Worm:Win32/Sality.AU
First posted on 15 February 2019.
Source: MicrosoftAliases :
Worm:Win32/Sality.AU is also known as Trojan-Dropper.Win32.Sality.b, Win32/Sality.NBA, Mal/Sality-D, PE_SALITY.LNK-O.
Explanation :
Worm:Win32/Sality.AU is a worm that spreads a file detected as Virus:Win32/Sality.AU into network shares. Worm:Win32/Sality.AU also drops .LNK files, detected as Exploit:Win32/CplLnk.A, which automatically run the dropped virus. Installation Worm:Win32/Sality.AU creates the following mutex: woemnm593jfe It also creates the following registry entry as part of its installation routine: Adds value: "session" with data:
To subkey : HKCUSOFTWAREzrfke Spreads via... Network shares Worm:Win32/Sality.AU enumerates network resources in the computer to look for network shares. If found, Worm:Win32/Sality.AU drops the following file: ~<5 random alphanumeric characters>.tmp - detected as Virus:Win32/Sality.AU for example: \ ~24e1e.tmp To run the dropped virus, it also drops any of the following .LNK files, which are detected as Exploit:Win32/CplLnk.A: Aline.lnk AnnaBensonSexvideo.lnk Anna.lnk Audra.lnk Badgirl.lnk Barbi.lnk BritneySpearsXXX.lnk Caitie.lnk CopyofNewFile.lnk CopyofNewFolder.lnk CopyofShortcut.lnk Drivers.lnk Fotograf.lnk Galleryphotos.lnk Jammie.lnk JennaElfmansexanaldeepthroat.lnk Juli.lnk Julie.lnk KateBeckinsalenudepictures.lnk Katrina.lnk Katrina.lnk Kelley.lnk Lisa.lnk Mandy.lnk Mary-Anne.lnk Mary.lnk MissAmericaPorno.lnk MyPhotos.lnk Mybeautifulperson.lnk Myphotoalbum.lnk Myphotos.lnk Myphotos.lnk NewFolder.lnk NewShortcut.lnk ParisHiltonXXXArchive.lnk Photoalbum.lnk Picture.lnk PornoScreensaver.lnk Rena.lnk Sara.lnk Serials.lnkBarrettJacksonnudephotos.lnk Shortcut.lnk Tammy.lnk XXXhardcore.lnk XXX.lnkXXX archive.lnk beautiful.lnk caroline.lnk groom.lnk kate.lnk kleopatra.lnk rebecca.lnk stacy.lnk Analysis by Marianne Mallen Last update 15 February 2019
