Home / malware Virus:Win32/Sality.G
First posted on 04 May 2010.
Source: SecurityHomeAliases :
Virus:Win32/Sality.G is also known as Win32/Sality.F (AhnLab), W32/Sality.k (Authentium (Command)), Trojan.Win32.Scar.bxqc (Kaspersky), W32/Sality.n (Norman), Win32.Sality.L (VirusBuster), Virus found Win32/Sality (AVG), W32/Sality.l (Avira), Win32/Sality.J (CA), Trojan.MulDrop.55658 (Dr.Web), Win32/Sality.NAE (ESET), Virus.Win32.Flot (Ikarus), Trojan.Win32.Scar.bxqc (Kaspersky), Infected: Virus:Win32/Sality.gen!enc (Mi, W32/Sality.O (Panda), Win32.Sality (Rising AV), W32/Sality-AI (Sophos), Win32.Sality.AE (Sunbelt Software), W32.HLLP.Sality.O (Symantec), PE_SALITY.AE (Trend Micro) more.
Explanation :
Virus:Win32/Sality.G is the detection for files that have been infected by Virus:Win32/Sality.G.dll. Virus:Win32/Sality.G and Virus:Win32/Sality.G.dll are variants if the Virus:Win32/Sality, a family of polymorphic file infectors that target Windows executable files with extensions .SCR or .EXE. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. They may also download and execute arbitrary files from a remote server. For more information, please see the detailed Virus:Win32/Sality family descriptionelsewhere in the encyclopedia.
Top
Virus:Win32/Sality.G is the detection for files that have been infected by Virus:Win32/Sality.G.dll. Virus:Win32/Sality.G and Virus:Win32/Sality.G.dll are variants if the Virus:Win32/Sality, a family of polymorphic file infectors that target Windows executable files with extensions .SCR or .EXE. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. They may also download and execute arbitrary files from a remote server. For more information, please see the detailed Virus:Win32/Sality family descriptionelsewhere in the encyclopedia. InstallationVirus:Win32/Sality.G.dll may be dropped and loaded as %systemroot%\system32\wmimgr32.dll by Virus:Win32/Sality.G. Virus:Win32/Sality.G.dll is loaded into other processes by installing a message hook (a function that enables Virus:Win32/Sality.G to load itself into other processes). Virus:Win32/Sality.G.dll creates a mutex named "kuku_joker_v3.04" to prevent more than one instance of itself from running in the memory at the same time. Spreads via€¦ File infection / network sharesWhen executed, Virus:Win32/Sality.G drops the compressed payload and file infecting component (Virus:Win32/Sality.G.dll) as %systemroot%\system32\wmimgr32.dl_ and decompresses it as %systemroot%\system32\wmimgr32.dll. Virus:Win32/Sality.G loads the decompressed payload component immediately, then jumps back to the original code entry point of the infected file. Virus:Win32/Sality.G.dll tries to infect PE files with extension ".EXE" and ".SCR" from local drives and network shares. Files protected by SFC (System File Check) or those whose file name contains following strings will not be infected: "KAV" "NOD" "ANTI" "SCAN" "ZONE" "ANDA" "TROJ" "TREN" "ALER" "CLEAN" "OUTP" "GUAR" "AVP" "TOTAL" Payload Deletes files Virus:Win32/Sality.G.dll tries to delete files with following extensions. ".tjc" ".avc" ".key" ".vdb" Downloads and executes arbitrary files Virus:Win32/Sality.G.dll tries to download and execute files from a remote server. Files are downloaded to the %TEMP% directory then executed. Note - %TEMP% refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000, XP and NT is C:\DOCUME~1\<user>\LOCALS~1\Temp; and for Vista and Windows 7 is C:\Users\<user name>\AppData\Local\Temp. In the wild, we have observed Virus:Win32/Sality.G.dll attempting to download files from these domains: rus0396kuku.com kukunet11581q.com Additional informationFor more information, please see the description for Virus:Win32/Sality.G.dll elsewhere in our encyclopedia.
Analysis by Shawn WangLast update 04 May 2010