Virus.Win32.Sality.bh
| Detected | Dec 03 2010 13:41 GMT |
| Released | May 16 2012 13:45 GMT |
| Published | Dec 03 2010 13:41 GMT |
This malicious program is a file infector with downloader functionality: it infects executable files on the victim machine and is designed to let unauthorized users download and launch other malware on it. It is a Windows PE EXE file written in C++, 70,656 bytes in size and packed with an unknown packer; the unpacked file is approximately 574 KB in size.
The virus copies its body to every write-accessible network share and to every logical and removable disk under a random name, with an extension chosen at random from ".exe", ".pif" or ".cmd":
<X>:\<rnd>.<ext>
where <X> is the drive letter of the infected disk, <rnd> is a string of random Latin letters and <ext> is one of the three extensions above. It also places the following file in the root directory of the disk:
<X>:\autorun.inf
This file launches the dropped copy each time the user opens the infected disk in Explorer (AutoRun). Both the copy of the virus body and the autorun.inf file are given the "hidden" and "read only" attributes.
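A check for the removable-drive footprint described above, as an added example (this is not code from the page or from Kaspersky): it reads autorun.inf in the root of a drive or share, extracts the open= and shellexecute= targets, looks for root-level .exe/.pif/.cmd files whose name consists only of Latin letters, and reports a hit only when the autorun file launches such a file, since a letters-only name on its own proves nothing. The hidden+read-only attribute test relies on st_file_attributes and therefore only reports on Windows. The sample directory layout, the file name kqzv.exe and all helper names are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Extensions Sality.bh picks for its dropped copy (from the description above).
DROPPER_EXTS = {".exe", ".pif", ".cmd"}
# The dropped name is a run of random Latin letters and nothing else.
RANDOM_NAME = re.compile(r"^[A-Za-z]+$")
# Windows attribute bits exposed through st_file_attributes (Windows only).
ATTR_READONLY, ATTR_HIDDEN = 0x1, 0x2


def parse_autorun(text):
    """Return the targets an autorun.inf would launch ([autorun] open= / shellexecute= keys)."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("open", "shellexecute", "shell\\open\\command"):
                targets.append(value.strip().strip('"'))
    return targets


def hidden_and_readonly(path):
    """True when a file carries both attributes the virus sets; None where the OS does not expose them."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & ATTR_HIDDEN) and bool(attrs & ATTR_READONLY)


def scan_drive_root(root):
    """Inspect the root of one drive or share for the autorun.inf plus random-named dropper pattern."""
    root = Path(root)
    report = {"autorun_targets": [], "candidates": [], "verdict": "clean"}
    inf = root / "autorun.inf"
    if inf.is_file():
        report["autorun_targets"] = parse_autorun(inf.read_text(encoding="latin-1", errors="replace"))
        report["autorun_hidden_readonly"] = hidden_and_readonly(inf)
    for p in root.iterdir():
        if p.is_file() and p.suffix.lower() in DROPPER_EXTS and RANDOM_NAME.match(p.stem):
            report["candidates"].append(p.name)
    # The signal is an autorun.inf in the same root that launches one of the candidates;
    # a letters-only name alone (setup.exe also matches) is only worth a second look.
    launched = {Path(t.replace("\\", "/").split()[0]).name.lower()
                for t in report["autorun_targets"] if t}
    hits = launched & {c.lower() for c in report["candidates"]}
    if hits:
        report["verdict"] = "sality-style autorun dropper: " + ", ".join(sorted(hits))
    elif report["autorun_targets"] or report["candidates"]:
        report["verdict"] = "review"
    return report


def build_constructed_sample(infected=True):
    """Throwaway directory laid out like a drive root (constructed; the 'dropper' is two bytes, not malware)."""
    root = Path(tempfile.mkdtemp(prefix="sality_demo_"))
    (root / "holiday.jpg").write_bytes(b"\xff\xd8")          # innocent file, ignored by the scan
    if infected:
        (root / "autorun.inf").write_text("[autorun]\r\nopen=kqzv.exe\r\nshellexecute=kqzv.exe\r\nicon=kqzv.exe\r\n")
        (root / "kqzv.exe").write_bytes(b"MZ")               # stand-in for the dropped copy
    return root


if __name__ == "__main__":
    print(scan_drive_root(build_constructed_sample()))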
It infects Windows PE EXE files with the extensions .EXE and .SCR. It skips files smaller than 4,096 bytes or larger than 20,971,520 bytes, and infects only files whose section table contains a PE section named TEXT, UPX or CODE. On infection, the virus expands the last section of the PE file and appends its body to it. It searches all hard-disk partitions and write-accessible network resources for files to infect.
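To enumerate which files on a share or partition fall inside this infection profile, the following added example (not code from the page or from Kaspersky) parses the PE section table directly with struct and applies the extension, size and section-name rules above. It reads the page's "containing the PE header sections TEXT UPX CODE" as "at least one of those names" (an assumption), and last_section_indicators() adds two generic appended-code heuristics (last section writable and executable; raw data running to end of file) that are not specific to Sality.bh. build_sample_pe() produces a constructed, non-runnable PE32 skeleton so the checks can be exercised without a real binary.

```python
import struct
from pathlib import Path

# Target profile from the description: extensions, size window and section names.
TARGET_EXTS = {".exe", ".scr"}
MIN_SIZE, MAX_SIZE = 4096, 20_971_520
TARGET_SECTIONS = {b"TEXT", b"UPX", b"CODE"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000


def pe_sections(data):
    """Parse the section table of a PE image held in memory.
    Returns a list of dicts (name, vaddr, vsize, raw_ptr, raw_size, chars); raises ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    try:
        _, nsec, _, _, _, opt_size, fchars = struct.unpack_from("<HHIIIHH", data, coff)
        if not fchars & IMAGE_FILE_EXECUTABLE_IMAGE:
            raise ValueError("not an executable image")
        table, out = coff + 20 + opt_size, []
        for i in range(nsec):
            name, vsize, vaddr, rsize, rptr, _, _, _, _, schars = struct.unpack_from(
                "<8sIIIIIIHHI", data, table + 40 * i)
            out.append({"name": name.rstrip(b"\0"), "vaddr": vaddr, "vsize": vsize,
                        "raw_ptr": rptr, "raw_size": rsize, "chars": schars})
    except struct.error:
        raise ValueError("truncated PE headers") from None
    return out


def is_sality_bh_target(path, data=None):
    """Does this file fall inside the profile Sality.bh infects? Returns (bool, reasons it does not)."""
    path = Path(path)
    data = path.read_bytes() if data is None else data
    reasons = []
    if path.suffix.lower() not in TARGET_EXTS:
        reasons.append("extension not .exe/.scr")
    if not MIN_SIZE <= len(data) <= MAX_SIZE:
        reasons.append("size outside 4,096..20,971,520 bytes")
    try:
        names = {s["name"].upper() for s in pe_sections(data)}
    except ValueError as exc:
        return False, reasons + [str(exc)]
    # Assumption: "containing the PE header sections TEXT UPX CODE" means at least one of them;
    # names are compared case-insensitively, so ".text" does not count, "TEXT" does.
    if not names & TARGET_SECTIONS:
        reasons.append("no section named TEXT, UPX or CODE")
    return not reasons, reasons


def last_section_indicators(data):
    """Generic appended-code heuristics on the last section (not specific to Sality.bh)."""
    last = pe_sections(data)[-1]
    return {
        "last_section": last["name"].decode("latin-1"),
        "writable_executable": bool(last["chars"] & IMAGE_SCN_MEM_EXECUTE)
                               and bool(last["chars"] & IMAGE_SCN_MEM_WRITE),
        "raw_data_reaches_eof": last["raw_ptr"] + last["raw_size"] >= len(data),
    }


def build_sample_pe(section_names, total_size, last_chars=0x60000020):
    """Constructed, non-functional PE32 skeleton: MZ stub, PE signature, COFF header, a bare
    optional header and one 0x200-byte section per name, zero-padded to total_size."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 94            # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x0102)
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt
    secs, raw_ptr = b"", 0x200
    for i, name in enumerate(section_names):
        chars = last_chars if i == len(section_names) - 1 else 0x60000020
        secs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                            0x200, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += 0x200
    return (hdr + secs).ljust(total_size, b"\0")


if __name__ == "__main__":
    sample = build_sample_pe([b".text", b"CODE"], 8192)
    print(is_sality_bh_target("sample.exe", sample), last_section_indicators(sample))
```

Point is_sality_bh_target() at real files (data=None makes it read the path) to list the population a cleanup has to cover; the size window and extension set are exactly those stated above, so anything outside them is out of scope for this variant even if it lives on an exposed share.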
To ensure that only one instance of itself is running, the virus creates a uniquely named object (mutex) with the following name:
uxJLpe1m
It makes the following registry changes, which keep hidden files out of sight in Explorer, lock the user out of Task Manager and the Registry Editor, silence Security Center warnings, take Internet Explorer out of offline mode, disable UAC, turn off the Windows Firewall and add a firewall exception for itself:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskMgr" = "1"
"DisableRegistryTools" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
"AntiVirusDisableNotify" = "1"
"FirewallDisableNotify" = "1"
"FirewallOverride" = "1"
"UpdatesDisableNotify" = "1"
"UacDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
"FirewallDisableNotify" = "1"
"FirewallOverride" = "1"
"UpdatesDisableNotify" = "1"
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"" = " :*:Enabled:ipsec"
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
"DoNotAllowExceptions" = "0"
"EnableFirewall" = "0"
It also deletes the following keys, which Windows needs in order to start in Safe Mode:
[HKLM\System\CurrentControlSet\Control\SafeBoot]
[HKCU\System\CurrentControlSet\Control\SafeBoot]
It stores its configuration in the registry. The long hex value below encodes the list of download URLs given later in this description: a count of 0x0A (10) followed by the ASCII text of the URLs separated by NUL bytes.
[HKCU\Software\Abfx\-1001785200] "1953719668"=dword:00000079 "-387527960"=dword:00000000 "1566191708"=dword:00000000 "-775055920"=dword:00000023 "1178663748"=dword:00000183 "-1162583880"="0A00687474703A2F2F63696B6D61796564 656B70617263612E636F6D2F696D616765732F6C6F676F73 2E67696600687474703A2F2F6272756365676172726F642E 636F6D2F696D616765732F6C6F676F732E67696600687474 703A2F2F6362626173696D6576692E636F6D2F696D616765 732F6C6F676F732E67696600687474703A2F2F6272616E64 616F656D61746F732E636F6D2E62722F696D616765732F6C 6F676F692E67696600687474703A2F2F6361676C61727465 6B6E696B2E636F6D2F6C6F676F732E67696600687474703A 2F2F6268617261746973616E676C692E696E2F6C6F676F69 2E67696600687474703A2F2F636163732E6F72672E62722F 6E6F766F736974652F6C6F676F732E67696600687474703A 2F2F62757461636D2E676F2E726F2F6C6F676F732E676966 00687474703A2F2F626F7961626174656D6C2E6B31322E74 722F696D616765732F6C6F676F732E67696600687474703A 2F2F636173627967726F75702E636F6D2F696D616765732F6 C6F676F732E676966" "791135788"="8D047AF7229C9B8962BA0482D99D368E2F27 DA435BE2A7386A33EDC80BF5E291731E9D01A5491DAF960D 9F12BEF04EC6593B061C5B93136EC6BFEC34C08A20B0C1FA 17DCC2BD245ECA59601A83B2A1E4EA6D8C1E0D407E7C349 01CE485312CA99533EF94DBD09BAC13BC887C7B5FA8BD18 3F0B60FDAC439D9A828FBE91ABBD7D" [HKCU\Software\914]
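The hex value above begins 0A 00 followed by the ASCII bytes of "http://", and the description lists exactly ten download URLs, which fits a 16-bit little-endian count followed by NUL-separated URLs. The following added example (not code from the page or from Kaspersky) decodes such a value, tolerating the whitespace a registry dump introduces, checks that the count matches, and masks host names for reporting in the same spirit as the redaction used on this page. The layout reading and the mask_host() convention are assumptions; the sample blob is constructed from placeholder .invalid host names, not from the page's value.

```python
import struct


def decode_url_list(hex_text):
    """Decode a Sality.bh-style registry value: hex-encoded blob = 16-bit little-endian URL
    count, then ASCII URLs separated by NUL bytes. Whitespace and line breaks in the hex
    (as copied from a registry dump) are ignored. Raises ValueError on malformed input."""
    clean = "".join(hex_text.split())
    try:
        blob = bytes.fromhex(clean)
    except ValueError as exc:
        raise ValueError(f"not hex: {exc}") from None
    if len(blob) < 2:
        raise ValueError("blob too short to hold a count")
    count = struct.unpack_from("<H", blob, 0)[0]
    urls = []
    for part in blob[2:].split(b"\0"):
        if not part:
            continue                       # separator runs and a trailing NUL are harmless
        try:
            urls.append(part.decode("ascii"))
        except UnicodeDecodeError:
            raise ValueError("non-ASCII bytes inside URL list") from None
    if len(urls) != count:
        raise ValueError(f"count field says {count} URLs, found {len(urls)}")
    return urls


def encode_url_list(urls):
    """Inverse of decode_url_list(); used here only to build a constructed sample."""
    body = b"\0".join(u.encode("ascii") for u in urls)
    return (struct.pack("<H", len(urls)) + body).hex().upper()


def mask_host(url):
    """Redact a host for reports: keep the scheme, the first three host characters, the last
    DNS label and the path, e.g. http://exa***.invalid/images/logos.gif (display convention assumed)."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return url
    host, slash, path = rest.partition("/")
    labels = host.split(".")
    masked = host[:3] + "***" + ("." + labels[-1] if len(labels) > 1 else "")
    return f"{scheme}://{masked}{slash}{path}"


# Constructed sample (not the page's value): two placeholder URLs, with the hex broken into
# groups the way a registry dump wraps it.
SAMPLE_HEX = encode_url_list(["http://example.invalid/images/logos.gif", "http://test.invalid/logos.gif"])
SAMPLE_HEX = " ".join(SAMPLE_HEX[i:i + 32] for i in range(0, len(SAMPLE_HEX), 32))


if __name__ == "__main__":
    for u in decode_url_list(SAMPLE_HEX):
        print(mask_host(u))
```

Feed the decoder the value exactly as copied from a dump; the count check is what tells you whether the copy was truncated, which matters because an incomplete URL list means an incomplete block list downstream.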
It adds the following entry to %WinDir%\system.ini:
[MCIDRV_VER]
DEVICEMB=<rnd2>
where <rnd2> is a random number.
It extracts a kernel-mode driver to the following path:
%System%\drivers\fljojo.sys
The file is 5,157 bytes in size and is detected by Kaspersky Anti-Virus as Trojan.Win32.KillAV.ftk. The virus creates a service named "amsint32" to load the extracted file:
amsint32
The extracted file deletes itself after execution.
The extracted driver is designed to block access to Internet resources, and contains the following strings (antivirus vendors, online scanners and removal-tool sites) that it matches against requested addresses:
upload_virus sality-remov virusinfo. cureit. drweb. onlinescan. spywareinfo. ewido. virusscan. windowsecurity. spywareguide. bitdefender. pandasoftware. agnmitum. virustotal. sophos. trendmicro. etrust.com symantec. mcafee. f-secure. eset.com kaspersky
The virus also stops services with the following names, which belong to antivirus, firewall and other security products:
AVP Agnitum Client Security Service ALG Amon monitor aswUpdSv aswMon2 aswRdr aswSP aswTdi aswFsBlk acssrv AV Engine avast! iAVS4 Control Service avast! Antivirus avast! Mail Scanner avast! Web Scanner avast! Asynchronous Virus Monitor avast! Self Protection AVG E-mail Scanner Avira AntiVir Premium Guard Avira AntiVir Premium WebGuard Avira AntiVir Premium MailGuard BGLiveSvc BlackICE CAISafe ccEvtMgr ccProxy ccSetMgr COMODO Firewall Pro Sandbox Driver cmdGuard cmdAgent Eset Service Eset HTTP Server Eset Personal Firewall F-Prot Antivirus Update Monitor fsbwsys FSDFWD F-Secure Gatekeeper Handler Starter FSMA Google Online Services InoRPC InoRT InoTask ISSVC KPF4 KLIF LavasoftFirewall LIVESRV McAfeeFramework McShield McTaskManager MpsSvc navapsvc NOD32krn NPFMntor NSCService Outpost Firewall main module OutpostFirewall PAVFIRES PAVFNSVR PavProt PavPrSrv PAVSRV PcCtlCom PersonalFirewal PREVSRV ProtoPort Firewall service PSIMSVC RapApp SharedAccess SmcService SNDSrvc SPBBCSvc SpIDer FS Monitor for Windows NT SpIDer Guard File System Monitor SPIDERNT Symantec Core LC Symantec Password Validation Symantec AntiVirus Definition Watcher SavRoam Symantec AntiVirus Tmntsrv TmPfw UmxAgent UmxCfg UmxLU UmxPol vsmon VSSERV WebrootDesktopFirewallDataService WebrootFirewall wscsvc XCOMM
The virus then attempts to download files from the following URLs, appending a random parameter to each request:
http://cik***dekparca.com/images/logos.gif<rnd3>=<rnd4>
http://bru***arrod.com/images/logos.gif<rnd3>=<rnd4>
http://cbb***evi.com/images/logos.gif<rnd3>=<rnd4>
http://bra***atos.com.br/images/logoi.gif<rnd3>=<rnd4>
http://cag***knik.com/logos.gif<rnd3>=<rnd4>
http://bh***sangli.in/logoi.gif<rnd3>=<rnd4>
http://cac***rg.br/novosite/logos.gif<rnd3>=<rnd4>
http://bu***m.go.ro/logos.gif<rnd3>=<rnd4>
http://boy***teml.k12.tr/images/logos.gif<rnd3>=<rnd4>
http://cas***oup.com/images/logos.gif<rnd3>=<rnd4>
where <rnd3> is a random string of digits and letters and <rnd4> is a random string of digits. Downloaded files are saved to the current user's Windows temporary folder under random names:
%Temp%\win<rnd5>.exe
where <rnd5> is four random Latin letters. The saved files are then launched. At the time of writing these links were inactive.
The virus also terminates processes whose names contain any of the following strings (security products, analysis tools and removal utilities). The trailing dot in most entries is part of the string, so "AVPM." covers AVPM.EXE but not AVPMX.EXE:
AVPM. A2GUARD A2CMD. A2SERVICE. A2FREE AVAST ADVCHK. AGB. AKRNL. AHPROCMONSERVER. AIRDEFENSE ALERTSVC AVIRA AMON. TROJAN. AVZ. ANTIVIR APVXDWIN. ARMOR2NET. ASHAVAST. ASHDISP. ASHENHCD. ASHMAISV. ASHPOPWZ. ASHSERV. ASHSIMPL. ASHSKPCK. ASHWEBSV. ASWUPDSV. ASWSCAN AVCIMAN. AVCONSOL. AVENGINE. AVESVC. AVEVAL. AVEVL32. AVGAM AVGCC.AVGCHSVX. AVGCSRVX. AVGNSX. AVGCC32. AVGCTRL. AVGEMC. AVGFWSRV. AVGNT. AVCENTER AVGNTMGR AVGSERV. AVGTRAY. AVGUARD. AVGUPSVC. AVGWDSVC. AVINITNT. AVKSERV. AVKSERVICE. AVKWCTL. AVP. AVP32. AVPCC. AVAST AVSERVER. AVSCHED32. AVSYNMGR. AVWUPD32. AVWUPSRV. AVXMONITOR AVXQUAR. BDSWITCH. BLACKD. BLACKICE. CAFIX. BITDEFENDER CCEVTMGR. CFP. CFPCONFIG. CCSETMGR. CFIAUDIT. CLAMTRAY. CLAMWIN. CUREIT DEFWATCH. DRVIRUS. DRWADINS. DRWEB DEFENDERDAEMON DWEBLLIO DWEBIO ESCANH95. ESCANHNT. EWIDOCTRL. EZANTIVIRUSREGISTRATIONCHECK. F-AGNT95. FAMEH32. FILEMON FIREWALL FORTICLIENT FORTITRAY. FORTISCAN FPAVSERVER. FPROTTRAY. FPWIN. FRESHCLAM. EKRN. FSAV32. FSAVGUI. FSBWSYS. F-SCHED. FSDFWD. FSGK32. FSGK32ST. FSGUIEXE. FSMA32. FSMB32. FSPEX. FSSM32. F-STOPW. GCASDTSERV. GCASSERV. GIANTANTISPYWARE GUARDGUI. GUARDNT. GUARDXSERVICE. GUARDXKICKOFF. HREGMON. HRRES. HSOCKPE. HUPDATE. IAMAPP. IAMSERV. ICLOAD95. ICLOADNT. ICMON. ICSSUPPNT. ICSUPP95. ICSUPPNT. IPTRAY. INETUPD. INOCIT. INORPC. INORT. INOTASK. INOUPTNG. IOMON98. ISAFE. ISATRAY. KAV. KAVMM. KAVPF. KAVPFW. KAVSTART. KAVSVC. KAVSVCUI. KMAILMON. MAMUTU MCAGENT. MCMNHDLR. MCREGWIZ. MCUPDATE. MCVSSHLD. MINILOG. MYAGTSVC. MYAGTTRY. NAVAPSVC. NAVAPW32. NAVLU32. NAVW32. NEOWATCHLOG. NEOWATCHTRAY. NISSERV NISUM. NMAIN. NOD32 NORMIST. NOTSTART. NPAVTRAY. NPFMNTOR. NPFMSG. NPROTECT. NSCHED32. NSMDTR. NSSSERV. NSSTRAY. NTRTSCAN. NTOS. NTXCONFIG. NUPGRADE. NVCOD. NVCTE. NVCUT. NWSERVICE. OFCPFWSVC. OUTPOST ONLINENT. OPSSVC. OP_MON. PAVFIRES. PAVFNSVR. PAVKRE. PAVPROT. PAVPROXY. PAVPRSRV. PAVSRV51. PAVSS. PCCGUIDE. PCCIOMON. PCCNTMON. PCCPFW. PCCTLCOM. PCTAV. PERSFW. PERTSK. PERVAC. PESTPATROL PNMSRV. PREVSRV. PREVX PSIMSVC. 
QUHLPSVC. QHONLINE. QHONSVC. QHWSCSVC. QHSET. RFWMAIN. RTVSCAN. RTVSCN95. SALITY SAPISSVC. SCANWSCS. SAVADMINSERVICE. SAVMAIN. SAVPROGRESS. SAVSCAN. SCANNINGPROCESS. SDRA64. SDHELP. SHSTAT. SITECLI. SPBBCSVC. SPHINX. SPIDERCPL. SPIDERML. SPIDERNT. SPIDERUI. SPYBOTSD. SPYXX. SS3EDIT. STOPSIGNAV. SWAGENT. SWDOCTOR. SWNETSUP. SYMLCSVC. SYMPROXYSVC. SYMSPORT. SYMWSC. SYNMGR. TAUMON. TBMON. TMLISTEN. TMNTSRV. TMPROXY. TNBUTIL. TRJSCAN. VBA32ECM. VBA32IFS. VBA32LDR. VBA32PP3. VBSNTW. VCRMON. VPTRAY. VRFWSVC. VRMONNT. VRMONSVC. VRRW32. VSECOMR. VSHWIN32. VSMON. VSSERV. VSSTAT. WATCHDOG. WEBSCANX. WINSSNOTIFY. WRCTRL. XCOMMSVR. ZLCLIENT ZONEALARM
If your computer does not have an up-to-date antivirus, or has no antivirus solution at all, follow the instructions below to remove the malicious program. Delete the registry values the virus set, which are the Task Manager and Registry Editor lockouts, the Security Center notification overrides and the firewall switches listed above:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskMgr" = "1"
"DisableRegistryTools" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
"AntiVirusDisableNotify" = "1"
"FirewallDisableNotify" = "1"
"FirewallOverride" = "1"
"UpdatesDisableNotify" = "1"
"UacDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
"FirewallDisableNotify" = "1"
"FirewallOverride" = "1"
"UpdatesDisableNotify" = "1"
"UacDisableNotify" = "1"
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
"DoNotAllowExceptions" = "0"
"EnableFirewall" = "0"
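The following added example (not code from the page or from Kaspersky) audits a "reg export" dump for the values listed in the removal step and in the registry section earlier on this page, and generates a .reg file that undoes them: the two Policies\system lockouts are deleted (they are absent on a clean system), and the Security Center, EnableLUA and firewall values are reset to their Windows defaults. The dump text is constructed for the example. Reverting the registry does not disinfect the executables the virus modified; those still need a disinfection tool, and the values should be restored only once the virus is no longer running.

```python
# Values the description lists, with the value the virus sets and what to restore.
# A restore value of None means "delete the value" (absent on a clean system).
_SC = "HKLM\\SOFTWARE\\Microsoft\\Security Center"
_FW = ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters"
       "\\FirewallPolicy\\StandardProfile")
_POL_CU = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\system"
_POL_LM = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system"
_SC_VALUES = ("AntiVirusOverride", "AntiVirusDisableNotify", "FirewallDisableNotify",
              "FirewallOverride", "UpdatesDisableNotify", "UacDisableNotify")

INDICATORS = [(_POL_CU, "DisableTaskMgr", 1, None), (_POL_CU, "DisableRegistryTools", 1, None),
              (_POL_LM, "EnableLUA", 0, 1),
              (_FW, "EnableFirewall", 0, 1), (_FW, "DisableNotifications", 1, 0)]
INDICATORS += [(k, v, 1, 0) for k in (_SC, _SC + "\\Svc") for v in _SC_VALUES]

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
LONG_HIVES = {short: long for long, short in HIVES.items()}


def _parse_value(text):
    """dword:xxxxxxxx -> int, "string" -> str, anything else left as the raw token."""
    if text.startswith("dword:"):
        return int(text[6:], 16)
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1]
    return text


def parse_reg_export(text):
    """Parse reg export / .reg text into {key_lowercase: {value_name_lowercase: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            for long, short in HIVES.items():
                if key.upper().startswith(long):
                    key = short + key[len(long):]
            current = keys.setdefault(key.lower(), {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, value = line[1:].partition('"=')
            current[name.lower()] = _parse_value(value)
    return keys


def _as_int(value):
    try:
        return int(value)          # the page writes "1"; a real dump carries dword:00000001
    except (TypeError, ValueError):
        return value


def find_sality_tampering(reg_text):
    """Return the listed values that currently hold the value the virus sets."""
    keys, hits = parse_reg_export(reg_text), []
    for key, name, bad, restore in INDICATORS:
        values = keys.get(key.lower(), {})
        if name.lower() in values and _as_int(values[name.lower()]) == bad:
            hits.append({"key": key, "name": name, "value": values[name.lower()], "restore": restore})
    return hits


def reversal_reg(hits):
    """Build .reg text that undoes the findings: '=-' deletes a value, dword resets it."""
    lines, by_key = ["Windows Registry Editor Version 5.00", ""], {}
    for h in hits:
        by_key.setdefault(h["key"], []).append(h)
    for key, items in by_key.items():
        hive, _, rest = key.partition("\\")
        lines.append(f"[{LONG_HIVES[hive]}\\{rest}]")
        for h in items:
            if h["restore"] is None:
                lines.append(f'"{h["name"]}"=-')
            else:
                lines.append(f'"{h["name"]}"=dword:{h["restore"]:08x}')
        lines.append("")
    return "\r\n".join(lines)


# Constructed dump (not from a real machine): three of the listed values tampered, one clean.
SAMPLE_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\system]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile]
"EnableFirewall"=dword:00000000
"""

if __name__ == "__main__":
    print(reversal_reg(find_sality_tampering(SAMPLE_REG_EXPORT)))
```

On a live machine, produce the input with reg export of each key and apply the output with reg import; the script touches only the values named on this page, so an environment that legitimately sets one of them (a domain policy disabling Task Manager, for instance) shows up in the findings and should be reviewed rather than blindly reverted.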
Class: Virus. Viruses replicate on the resources of the local machine. Unlike worms, viruses do not use network services to propagate to or penetrate other computers. A copy of a virus reaches a remote computer only if the infected object is, for some reason unrelated to the virus's own function, activated on another computer. For example: