Win32.Sality.2.OE
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Sality.2.OE is also known as Trojan.Win32.Pakes.bxp, Win32/Tanatos.L, Win32.Sality.PB, W32.Sality-27.
Explanation:
The virus is a polymorphic file infector which modifies executable files by appending its encrypted body to the end of each file.
To reach its code, the virus replaces the code at the entry point with a polymorphic sequence holding the decryption routine.
It writes the following to %windir%\system.ini:
[MCIDRV_VER]
DEVICEMB=541021816060
The virus will modify / create the following registry keys:
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> %path_to_virus%\<virus_name>.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline -> 0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA -> 0
The virus hides itself from detection by dropping a rootkit driver at %windir%\system32\drivers\<random name>.sys.
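As an added example (not part of the BitDefender write-up), a read-only PowerShell triage script that checks a host for the host-side indicators listed above: the system.ini marker, the two registry values, firewall-authorized applications outside the usual program locations, and driver files without a valid signature. It assumes an elevated prompt, and that the rootkit is not actively hiding its own driver file; the "standard locations" filter is a heuristic of this example, not something the write-up states.

```powershell
# Added example: read-only check for Win32.Sality.2.OE host indicators.
$findings = @()

# 1. Marker section the virus writes to %windir%\system.ini
$systemIni = Join-Path $env:windir 'system.ini'
if (Test-Path $systemIni) {
    $ini = Get-Content $systemIni -Raw
    if ($ini -match '(?m)^\[MCIDRV_VER\]\s*$' -and $ini -match '(?m)^DEVICEMB=') {
        $findings += 'system.ini contains the [MCIDRV_VER] / DEVICEMB marker'
    }
}

# 2. Registry values the virus sets: UAC disabled, IE "offline" flag cleared
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Bad = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'GlobalUserOffline'; Bad = 0 }
)
foreach ($c in $checks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.($c.Name) -eq $c.Bad) {
        $findings += "$($c.Path)\$($c.Name) = $($c.Bad)"
    }
}

# 3. Firewall AuthorizedApplications list: the virus adds its own executable here.
#    Heuristic (assumption of this example): flag entries outside Program Files / Windows.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwKey) {
    foreach ($p in (Get-ItemProperty -Path $fwKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's provider metadata properties
        if ($p.Name -notmatch '^(C:\\Program Files|C:\\Windows|%ProgramFiles%|%windir%|%SystemRoot%)') {
            $findings += "Firewall-authorized application outside standard locations: $($p.Name)"
        }
    }
}

# 4. Driver files without a valid Authenticode signature (the rootkit uses a random file name)
$driverDir = Join-Path $env:windir 'system32\drivers'
Get-ChildItem $driverDir -Filter *.sys -ErrorAction SilentlyContinue | ForEach-Object {
    $sig = Get-AuthenticodeSignature $_.FullName
    if ($sig.Status -ne 'Valid') {
        $findings += "Driver without valid signature: $($_.Name) ($($sig.Status))"
    }
}

if ($findings.Count -eq 0) { 'No Win32.Sality.2.OE host indicators found.' } else { $findings }
```

On older Windows releases many legitimate drivers are unsigned, so treat check 4 as a list to review against known-good baselines rather than a verdict.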
It will try to find and stop processes and services known to belong to antivirus programs, based on a list of names it carries.
It sends user information and other data to a set of hard-coded IP addresses, such as:
The virus will access the following websites to download additional malware:
Last update: 21 November 2011