
Virus:Win32/Sality.gen!AT


First posted on 02 September 2010.
Source: SecurityHome

Aliases :

Virus:Win32/Sality.gen!AT is also known as Trojan.Win32.Vilsel.amql (Kaspersky), W32/Spambot.gen.1126471 (Norman), Win32/Maazben!generic (CA), Win32/Sality.NBA (ESET), Virus.Win32.Sality (Ikarus), W32/Sality!inf (McAfee), Trojan.PSW.Win32.GameOL.udx (Rising AV), Troj/Salload-D (Sophos), TROJ_VILSEL.ZZ (Trend Micro).

Explanation :

Virus:Win32/Sality.gen!AT is a detection for a virus that spreads by infecting Windows executable files and by copying itself to removable and remote drives. It also terminates various security products, prevents certain Windows utilities from executing and attempts to download additional files from a predefined remote Web server.

Installation

Virus:Win32/Sality.gen!AT may drop a device driver detected as Trojan:WinNT/Sality:

%windir%\system32\drivers\

Spreads via…

File infection

Virus:Win32/Sality.gen!AT injects code into all running processes to load and run the virus and to infect Windows executable files with the extension ".EXE" or ".SCR". The virus seeks other target files by reading the file names found in the following registry subkeys:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Removable and remote drives

Virus:Win32/Sality.gen!AT attempts to copy one of the following files to the Windows temporary files folder (for example, %TEMP%) and infects the copied file:

  • %windir%\system32\NOTEPAD.EXE
  • %windir%\system32\WINMINE.EXE

The virus copies the infected file to the root of all remote and removable drives as one of the following:

  • \<random>.pif
  • \<random>.exe
  • \<random>.cmd

The virus then writes an Autorun configuration file named "autorun.inf" pointing to the virus copy. When the drive is accessed from a computer that supports the Autorun feature, the virus is launched automatically.

Payload

Deletes security-related files

This virus deletes security data files, including security software detection database files or signatures, that have the following file extensions, on all drives and network shares:

  • .AVC
  • .VDB
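The removable-drive spreading mechanism described above (an autorun.inf at the drive root launching a .pif, .exe or .cmd file placed there) can be checked for from the defender's side. This is an added PowerShell example, not code from the original write-up; the function name and the DriveType filter (2 = removable, 4 = network, from Win32_LogicalDisk) are my choices.

```powershell
# Added example, not part of the original write-up: checks the root of every
# removable and network drive for an autorun.inf whose launch entry points at a
# .pif, .exe or .cmd file in that root. Reading drive roots needs no elevation.
function Find-SuspiciousAutorun {
    param(
        # Drive roots to inspect; by default all removable (2) and network (4) drives.
        [string[]]$Roots = @(Get-CimInstance Win32_LogicalDisk |
            Where-Object { $_.DriveType -in 2, 4 } |
            ForEach-Object { $_.DeviceID + '\' })
    )
    foreach ($root in $Roots) {
        $inf = Join-Path $root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        # File attributes are reported for context (-Force also sees hidden files).
        $attrs = (Get-Item -LiteralPath $inf -Force).Attributes
        Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue | ForEach-Object {
            # open=, shellexecute= and shell\<verb>\command= are the lines Autorun runs.
            if ($_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=\s*(.+?)\s*$') {
                # First token of the command, with surrounding quotes removed.
                $target = ($Matches[2] -split '\s+')[0].Trim('"')
                if ($target -match '\.(pif|exe|cmd)$') {
                    $full = Join-Path $root $target.TrimStart('\')
                    [pscustomobject]@{
                        Drive      = $root
                        Entry      = $_.Trim()
                        Target     = $full
                        TargetHere = Test-Path -LiteralPath $full
                        Attributes = $attrs
                    }
                }
            }
        }
    }
}

Find-SuspiciousAutorun | Format-Table -AutoSize
```

A hit with TargetHere = True on a drive you did not set up for autorun is the condition to investigate; the target file itself should be scanned rather than opened.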
Terminates security-related services

Win32/Sality attempts to stop and delete the following security-related services: acssrv Agnitum Client Security Service ALG Amon monitor aswFsBlk aswMon2 aswRdr aswSP aswTdi aswUpdSv AV Engine avast! Antivirus avast! Asynchronous Virus Monitor avast! iAVS4 Control Service avast! Mail Scanner avast! Self Protection avast! Web Scanner AVG E-mail Scanner Avira AntiVir Premium Guard Avira AntiVir Premium MailGuard Avira AntiVir Premium WebGuard AVP avp1 BackWeb Plug-in - 4476822 bdss BGLiveSvc BlackICE CAISafe ccEvtMgr ccProxy ccSetMgr cmdAgent cmdGuard COMODO Firewall Pro Sandbox Driver Eset HTTP Server Eset Personal Firewall Eset Service F-Prot Antivirus Update Monitor F-Secure Gatekeeper Handler Starter fsbwsys FSDFWD FSMA Google Online Services InoRPC InoRT InoTask ISSVC KLIF KPF4 LavasoftFirewall LIVESRV McAfeeFramework McShield McTaskManager navapsvc NOD32krn NPFMntor NSCService Outpost Firewall main module OutpostFirewall PAVFIRES PAVFNSVR PavProt PavPrSrv PAVSRV PcCtlCom PersonalFirewal PREVSRV ProtoPort Firewall service PSIMSVC RapApp SavRoam SmcService SNDSrvc SPBBCSvc SpIDer FS Monitor for Windows NT SpIDer Guard File System Monitor SPIDERNT Symantec AntiVirus Symantec AntiVirus Definition Watcher Symantec Core LC Symantec Password Validation tcpsr Tmntsrv TmPfw tmproxy UmxAgent UmxCfg UmxLU UmxPol vsmon VSSERV WebrootDesktopFirewallDataService WebrootFirewall XCOMM

Terminates security-related processes

Win32/Sality attempts to terminate the following security-related processes: _AVPM. A2GUARD. AAVSHIELD. ADVCHK. AHNSD. AIRDEFENSE ALERTSVC ALOGSERV ALSVC. AMON. ANTI-TROJAN. ANTIVIR APVXDWIN. ARMOR2NET. ASHAVAST. ASHDISP. ASHENHCD. ASHMAISV. ASHPOPWZ. ASHSERV. ASHSIMPL. ASHSKPCK. ASHWEBSV. ASWUPDSV. ATCON. ATUPDATER. ATWATCH. AVAST AVCENTER. AVCIMAN. AVCONSOL. AVENGINE. AVESVC. AVGAMSVR. AVGCC. AVGCC32. AVGCTRL. AVGEMC. AVGFWSRV. AVGNT AVGNT. AVGNTDD AVGNTMGR AVGSERV. AVGUARD. AVGUPSVC. AVINITNT. AVKSERV. AVKSERVICE. AVKWCTL. AVP. AVP32. AVPCC. AVPM. 
AVSCHED32. AVSERVER. AVSYNMGR. AVWUPD32. AVWUPSRV. AVXMONITOR9X. AVXMONITORNT. AVXQUAR. AVZ. BDMCON. BDNEWS. BDSUBMIT. BDSWITCH. BLACKD. BLACKICE. CAFIX. CCAPP. CCEVTMGR. CCPROXY. CCSETMGR. CFIAUDIT. CLAMTRAY. CLAMWIN. CLAW95. CUREIT DEFWATCH. DRVIRUS. DRWADINS. DRWEB32W. DRWEBSCD. DRWEBUPW. DWEBIO DWEBLLIO EKRN. ESCANH95. ESCANHNT. EWIDOCTRL. EZANTIVIRUSREGISTRATIONCHECK. F-AGNT95. F-SCHED. F-STOPW. FAMEH32. FILEMON FIRESVC. FIRETRAY. FIREWALL. FPAVUPDM. FRESHCLAM. FSAV32. FSAVGUI. FSBWSYS. FSDFWD. FSGK32. FSGK32ST. FSGUIEXE. FSMA32. FSMB32. FSPEX. FSSM32. GCASDTSERV. GCASSERV. GIANTANTISPYWAREMAIN. GIANTANTISPYWAREUPDATER. GUARDGUI. GUARDNT. HREGMON. HRRES. HSOCKPE. HUPDATE. IAMAPP. IAMSERV. ICLOAD95. ICLOADNT. ICMON. ICSSUPPNT. ICSUPP95. ICSUPPNT. IFACE. INETUPD. INOCIT. INORPC. INORT. INOTASK. INOUPTNG. IOMON98. ISAFE. ISATRAY. ISRV95. ISSVC. KAV. KAVMM. KAVPF. KAVPFW. KAVSTART. KAVSVC. KAVSVCUI. KMAILMON. KPFWSVC. MCAGENT. MCMNHDLR. MCREGWIZ. MCUPDATE. MCVSSHLD. MINILOG. MYAGTSVC. MYAGTTRY. NAVAPSVC. NAVAPW32. NAVLU32. NAVW32. NEOWATCHLOG. NEOWATCHTRAY. NISSERV NISUM. NMAIN. NOD32 NORMIST. NOTSTART. NPAVTRAY. NPFMNTOR. NPFMSG. NPROTECT. NSCHED32. NSMDTR. NSSSERV. NSSTRAY. NTOS. NTRTSCAN. NTXCONFIG. NUPGRADE. NVCOD. NVCTE. NVCUT. NWSERVICE. OFCPFWSVC. OP_MON. OUTPOST PAVFIRES. PAVFNSVR. PAVKRE. PAVPROT. PAVPROXY. PAVPRSRV. PAVSRV51. PAVSS. PCCGUIDE. PCCIOMON. PCCNTMON. PCCPFW. PCCTLCOM. PCTAV. PERSFW. PERTSK. PERVAC. PNMSRV. POP3TRAP. POPROXY. PREVSRV. PSIMSVC. QHONLINE. QHONSVC. QHWSCSVC. RAVMON. RAVTIMER. RFWMAIN. RTVSCAN. RTVSCN95. RULAUNCH. SALITY SAVADMINSERVICE. SAVMAIN. SAVPROGRESS. SAVSCAN. SCANNINGPROCESS. SDHELP. SDRA64. SHSTAT. SITECLI. SPBBCSVC. SPHINX. SPIDERCPL. SPIDERML. SPIDERNT. SPIDERUI. SPYBOTSD. SPYXX. SS3EDIT. STOPSIGNAV. SWAGENT. SWDOCTOR. SWNETSUP. SYMLCSVC. SYMPROXYSVC. SYMSPORT. SYMWSC. SYNMGR. TAUMON. TBMON. TMLISTEN. TMNTSRV. TMPFW. TMPROXY. TNBUTIL. TRJSCAN. UP2DATE. VBA32ECM. VBA32IFS. VBA32LDR. VBA32PP3. VBSNTW. VCRMON. VPTRAY. 
VRFWSVC. VRMONNT. VRMONSVC. VRRW32. VSECOMR. VSHWIN32. VSMON. VSSERV. VSSTAT. WATCHDOG. WEBSCANX. WEBTRAP. WGFE95. WINAW32. WINROUTE. WINSS. WINSSNOTIFY. WRCTRL. XCOMMSVR. ZAUINST ZLCLIENT ZONEALARM

Modifies Windows settings

Virus:Win32/Sality.gen!AT modifies certain Windows settings, such as the following:
  • Disables Windows Registry Editor:
    Sets value: "DisableRegistryTools"
    With data: "1"
    Under subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
  • Modifies the registry to prevent viewing files with hidden attributes:
    Sets value: "Hidden"
    With data: "2"
    Under subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer

Lowers computer security

Virus:Win32/Sality.gen!AT modifies the registry to bypass the Windows firewall:

    Sets value: "<virus file name>:*:enabled:ipsec"
    With data: "<virus file name>"
    Under subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

The virus modifies other registry data that lowers the security of the infected computer. Virus:Win32/Sality.gen!AT modifies the following registry data to disable alerts from the Windows Security Center and Windows Firewall:

    Sets value: "AntiVirusOverride"
    With data: "1"
    Under subkey: HKLM\SOFTWARE\Microsoft\Security Center

    Sets value: "AntiVirusOverride"
    With data: "1"
    Under subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc

    Sets value: "AntiVirusDisableNotify"
    With data: "1"
    Under subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc

    Sets value: "FirewallOverride"
    With data: "1"
    Under subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc

    Sets value: "FirewallDisableNotify"
    With data: "1"
    Under subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc

    Sets value: "EnableFirewall"
    With data: "0"
    Under subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

Downloads arbitrary files

Virus:Win32/Sality.gen!AT attempts to download files from remote servers to the local drive.
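The registry changes listed above can be audited directly. The following is an added PowerShell example, not code from the original write-up: it reads each value the write-up names, using the subkey paths exactly as given there, and reports any that currently hold the data the virus writes; the function name, the %TEMP% heuristic for firewall exceptions, and the output layout are my own choices.

```powershell
# Added example, not part of the original write-up: audits the registry values
# the write-up lists as modified by Virus:Win32/Sality.gen!AT. Run from an
# elevated session so the HKLM keys are readable. Paths and value names are
# taken from the write-up as written.
function Test-SalityRegistryIndicators {
    $fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    # Each entry: subkey, value name, and the data the virus sets.
    $checks = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\system'; Name = 'DisableRegistryTools';  Bad = 1 }
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer';        Name = 'Hidden';                Bad = 2 }
        @{ Path = $sc;       Name = 'AntiVirusOverride';      Bad = 1 }
        @{ Path = "$sc\Svc"; Name = 'AntiVirusOverride';      Bad = 1 }
        @{ Path = "$sc\Svc"; Name = 'AntiVirusDisableNotify'; Bad = 1 }
        @{ Path = "$sc\Svc"; Name = 'FirewallOverride';       Bad = 1 }
        @{ Path = "$sc\Svc"; Name = 'FirewallDisableNotify';  Bad = 1 }
        @{ Path = $fw;       Name = 'EnableFirewall';         Bad = 0 }
    )
    $findings = @()
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($c.Name) -eq $c.Bad) {
            $findings += [pscustomobject]@{ Check = $c.Name; Path = $c.Path; Data = $item.($c.Name) }
        }
    }
    # Firewall exception list: the virus registers its own file name as an
    # authorized application ("<path>:*:enabled:ipsec"). Report every enabled
    # entry whose executable is missing or lives under %TEMP%, where the
    # write-up says the infected copy is staged (heuristic, my choice).
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $list = Get-ItemProperty -Path "$fw\AuthorizedApplications\List" -ErrorAction SilentlyContinue
    if ($list) {
        foreach ($p in $list.PSObject.Properties) {
            if ($p.Name -in $meta -or "$($p.Value)" -notmatch ':\*:enabled') { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($p.Name)
            if (($exe -like "$env:TEMP\*") -or -not (Test-Path -LiteralPath $exe)) {
                $findings += [pscustomobject]@{ Check = 'FirewallException'; Path = $exe; Data = $p.Value }
            }
        }
    }
    return $findings
}

Test-SalityRegistryIndicators | Format-Table -AutoSize
```

An empty result means none of the listed values hold the virus's data; a hit is an indicator to confirm with a scan, not proof of infection on its own, since administrators and other software also set several of these values.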

Analysis by Francis Allan Tan Seng

Last update 02 September 2010
