
Virus.Win32.Sality.bh

Detected Dec 03 2010 13:41 GMT
Released Jul 23 2012 13:59 GMT
Published Dec 03 2010 13:41 GMT

Technical Details

This malicious program infects files on the victim machine and is designed to allow unauthorized users to download and launch other malware on it. It is a Windows PE EXE file written in C++, 70,656 bytes in size and packed with an unknown packer; the unpacked file is approximately 574 KB in size.


Payload

The Trojan copies its body to all write-accessible network resources and to logical and removable disks under a random name, choosing the file extension at random from “.exe”, “.pif” or “.cmd”:

<X>:\<rnd>.<ext>
where <X> is the drive letter of the infected disk, <rnd> is a string of random Latin letters and <ext> is one of the three extensions above. The Trojan also places the following file in the root directory of the disk:
<X>:\autorun.inf
This file launches the Trojan executable each time the user opens the infected disk in Explorer.

It sets the “hidden” and “read-only” attributes on the copies of its body and on the autorun file.

It infects Windows PE EXE executable files with the following extensions: .EXE, .SCR

It does not infect files smaller than 4,096 bytes or larger than 20,971,520 bytes. It infects only files whose section table contains one of the following PE sections:

TEXT
UPX
CODE
Upon infection, the virus enlarges the last section of the PE file and appends its body to it.

The virus searches all hard disk partitions and write-accessible network resources for files to infect.
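The infection preconditions above (target extension, size window, required section names) as a file-triage check, added here as an example and not Kaspersky's code: it parses the PE section table with a minimal parser and applies the criteria, assuming the names TEXT, UPX and CODE are matched case-insensitively as substrings of the section name (so “.text” and “UPX0” qualify). The sample PE image is constructed inline.

```python
import struct

MIN_SIZE, MAX_SIZE = 4_096, 20_971_520          # size window from the description
TARGET_EXTENSIONS = (".exe", ".scr")
# Section names listed above; assumed to be matched case-insensitively as substrings
TARGET_SECTIONS = (b"TEXT", b"UPX", b"CODE")


def pe_sections(data: bytes):
    """Return [(name, raw_size, raw_offset)] from the PE section table, or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                          # COFF file header follows the signature
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                  # section table follows the optional header
    if table + nsect * 40 > len(data):
        return None
    sections = []
    for i in range(nsect):
        name, _vsize, _vaddr, rsize, roff = struct.unpack_from("<8sIIII", data, table + i * 40)
        sections.append((name.rstrip(b"\0"), rsize, roff))
    return sections


def is_infection_candidate(filename: str, data: bytes) -> bool:
    """True if the file meets every precondition the description lists for infection."""
    if not filename.lower().endswith(TARGET_EXTENSIONS):
        return False
    if not MIN_SIZE <= len(data) <= MAX_SIZE:
        return False
    sections = pe_sections(data)
    if not sections:
        return False
    return any(t in name.upper() for name, _, _ in sections for t in TARGET_SECTIONS)


def build_minimal_pe(section_names, total_size):
    """Constructed sample only: a minimal PE32 image with the given sections, padded to total_size."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, raw_off = b"", 0x400
    for name in section_names:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, 0x1000,
                             0x200, raw_off, 0, 0, 0, 0, 0x60000020)
        raw_off += 0x200
    return (dos + b"PE\0\0" + coff + opt + table).ljust(total_size, b"\0")


if __name__ == "__main__":
    sample = build_minimal_pe([b".text", b".data"], 8192)
    print(is_infection_candidate("app.exe", sample))   # True
```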

Installation

To ensure that only one instance of its process runs on the system, the Trojan creates the following unique identifier:

uxJLpe1m
  • It suppresses the display of hidden files by adding the following value to the registry key:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000002
    
  • It disables the Windows Task Manager and Registry Editor by creating the following registry key values:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
    "DisableTaskMgr" = "1"
    "DisableRegistryTools" = "1"
    
  • It alters the configuration of the Windows Security Center by modifying the following registry key values:
    [HKLM\SOFTWARE\Microsoft\Security Center]
    "AntiVirusOverride" = "1"
    "AntiVirusDisableNotify" = "1"
    "FirewallDisableNotify" = "1"
    "FirewallOverride" = "1"
    "UpdatesDisableNotify" = "1"
    "UacDisableNotify" = "1"
    
    [HKLM\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusDisableNotify" = "1"
    "FirewallDisableNotify" = "1"
    "FirewallOverride" = "1"
    "UpdatesDisableNotify" = "1"
    "UacDisableNotify" = "1"
    
  • It configures the default system browser to start in online mode:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "GlobalUserOffline" = "0"
    
  • It disables User Account Control (a component that requests confirmation for actions that require administrator privileges):
    [HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system]
    "EnableLUA" = "0"
    
  • It adds its original file to the list of applications trusted by Windows Firewall by creating the following registry key value:
    [HKLM\System\CurrentControlSet\Services\SharedAccess\
    Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "" = ":*:Enabled:ipsec"
    
  • It disables Windows Firewall:
    [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
    Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = "1"
    "DoNotAllowExceptions" = "0"
    "EnableFirewall" = "0"
    
  • It prevents the operating system from booting into Safe Mode by deleting all parameters under the following registry keys:
    [HKLM\System\CurrentControlSet\Control\SafeBoot]
    [HKCU\System\CurrentControlSet\Control\SafeBoot]
    
  • It deletes files with the “exe” or “rar” extension from the current user’s Windows temporary folder:
    %Temp%
  • It creates a registry key in which it stores its working data:
    [HKCU\Software\Abfx\-1001785200]
    "1953719668"=dword:00000079
    "-387527960"=dword:00000000
    "1566191708"=dword:00000000
    "-775055920"=dword:00000023
    "1178663748"=dword:00000183
    "-1162583880"=<hex-encoded string omitted>
    "791135788"=<hex-encoded string omitted>
    
    [HKCU\Software\914]
    
  • It sets an infection marker on the victim machine by adding entries to the system file:
    %WinDir%\system.ini
    The added section is:
    [MCIDRV_VER]
    DEVICEMB=<rnd2>
    
    where <rnd2> is a random number.
  • It extracts the following file from its body:
    %System%\drivers\fljojo.sys
    The file is 5,157 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan.Win32.KillAV.ftk.

    It creates a service named “amsint32” to launch the extracted file:

    amsint32
    The extracted file deletes itself after execution.

    The extracted file is designed to block access to Internet resources and contains the following strings:

    upload_virus
    sality-remov
    virusinfo.
    cureit.
    drweb.
    onlinescan.
    spywareinfo.
    ewido.
    virusscan.
    windowsecurity.
    spywareguide.
    bitdefender.
    pandasoftware.
    agnmitum.
    virustotal.
    sophos.
    trendmicro.
    etrust.com
    symantec.
    mcafee.
    f-secure.
    eset.com
    kaspersky
    
  • It stops and terminates the following services:
    AVP
    Agnitum Client Security Service
    ALG
    Amon monitor
    aswUpdSv
    aswMon2
    aswRdr
    aswSP
    aswTdi
    aswFsBlk
    acssrv
    AV Engine
    avast! iAVS4 Control Service
    avast! Antivirus
    avast! Mail Scanner
    avast! Web Scanner
    avast! Asynchronous Virus Monitor
    avast! Self Protection
    AVG E-mail Scanner
    Avira AntiVir Premium Guard
    Avira AntiVir Premium WebGuard
    Avira AntiVir Premium MailGuard
    BGLiveSvc
    BlackICE
    CAISafe
    ccEvtMgr
    ccProxy
    ccSetMgr
    COMODO Firewall Pro Sandbox Driver
    cmdGuard
    cmdAgent
    Eset Service
    Eset HTTP Server
    Eset Personal Firewall
    F-Prot Antivirus Update Monitor
    fsbwsys
    FSDFWD
    F-Secure Gatekeeper Handler Starter
    FSMA
    Google Online Services
    InoRPC
    InoRT
    InoTask
    ISSVC
    KPF4
    KLIF
    LavasoftFirewall
    LIVESRV
    McAfeeFramework
    McShield
    McTaskManager
    MpsSvc
    navapsvc
    NOD32krn
    NPFMntor
    NSCService
    Outpost Firewall main module
    OutpostFirewall
    PAVFIRES
    PAVFNSVR
    PavProt PavPrSrv
    PAVSRV
    PcCtlCom
    PersonalFirewal
    PREVSRV
    ProtoPort Firewall service
    PSIMSVC
    RapApp
    SharedAccess
    SmcService
    SNDSrvc
    SPBBCSvc
    SpIDer FS Monitor for Windows NT
    SpIDer Guard File System Monitor
    SPIDERNT
    Symantec Core LC
    Symantec Password Validation
    Symantec AntiVirus Definition Watcher
    SavRoam
    Symantec AntiVirus
    Tmntsrv
    TmPfw
    UmxAgent
    UmxCfg
    UmxLU
    UmxPol
    vsmon
    VSSERV
    WebrootDesktopFirewallDataService
    WebrootFirewall
    wscsvc
    XCOMM
    
  • It downloads files from the following URLs:
    http://cik***dekparca.com/images/logos.gif<rnd3>=<rnd4>
    http://bru***arrod.com/images/logos.gif<rnd3>=<rnd4>
    http://cbb***evi.com/images/logos.gif<rnd3>=<rnd4>
    http://bra***atos.com.br/images/logoi.gif<rnd3>=<rnd4>
    http://cag***knik.com/logos.gif<rnd3>=<rnd4>
    http://bh***sangli.in/logoi.gif<rnd3>=<rnd4>
    http://cac***rg.br/novosite/logos.gif<rnd3>=<rnd4>
    http://bu***m.go.ro/logos.gif<rnd3>=<rnd4>
    http://boy***teml.k12.tr/images/logos.gif<rnd3>=<rnd4>
    http://cas***oup.com/images/logos.gif<rnd3>=<rnd4>
    
    where <rnd3> is a random string of digits and letters and <rnd4> is a random string of digits.

    It saves the downloaded files in the current user’s Windows temporary folder under random names:

    %Temp%\win<rnd5>.exe
    where <rnd5> is 4 random Latin letters. The saved files are then launched.

    At the time of writing these links were inactive.
  • The virus terminates the following processes:
    AVPM.
    A2GUARD
    A2CMD.
    A2SERVICE.
    A2FREE
    AVAST
    ADVCHK.
    AGB.
    AKRNL.
    AHPROCMONSERVER.
    AIRDEFENSE
    ALERTSVC
    AVIRA
    AMON.
    TROJAN.
    AVZ.
    ANTIVIR
    APVXDWIN.
    ARMOR2NET.
    ASHAVAST.
    ASHDISP.
    ASHENHCD.
    ASHMAISV.
    ASHPOPWZ.
    ASHSERV.
    ASHSIMPL.
    ASHSKPCK.
    ASHWEBSV.
    ASWUPDSV.
    ASWSCAN
    AVCIMAN.
    AVCONSOL.
    AVENGINE.
    AVESVC.
    AVEVAL.
    AVEVL32.
    AVGAM
    AVGCC.
    AVGCHSVX.
    AVGCSRVX.
    AVGNSX.
    AVGCC32.
    AVGCTRL.
    AVGEMC.
    AVGFWSRV.
    AVGNT.
    AVCENTER
    AVGNTMGR
    AVGSERV.
    AVGTRAY.
    AVGUARD.
    AVGUPSVC.
    AVGWDSVC.
    AVINITNT.
    AVKSERV.
    AVKSERVICE.
    AVKWCTL.
    AVP.
    AVP32.
    AVPCC.
    AVAST
    AVSERVER.
    AVSCHED32.
    AVSYNMGR.
    AVWUPD32.
    AVWUPSRV.
    AVXMONITOR
    AVXQUAR.
    BDSWITCH.
    BLACKD.
    BLACKICE.
    CAFIX.
    BITDEFENDER
    CCEVTMGR.
    CFP.
    CFPCONFIG.
    CCSETMGR.
    CFIAUDIT.
    CLAMTRAY.
    CLAMWIN.
    CUREIT
    DEFWATCH.
    DRVIRUS.
    DRWADINS.
    DRWEB
    DEFENDERDAEMON
    DWEBLLIO
    DWEBIO
    ESCANH95.
    ESCANHNT.
    EWIDOCTRL.
    EZANTIVIRUSREGISTRATIONCHECK.
    F-AGNT95.
    FAMEH32.
    FILEMON
    FIREWALL
    FORTICLIENT
    FORTITRAY.
    FORTISCAN
    FPAVSERVER.
    FPROTTRAY.
    FPWIN.
    FRESHCLAM.
    EKRN.
    FSAV32.
    FSAVGUI.
    FSBWSYS.
    F-SCHED.
    FSDFWD.
    FSGK32.
    FSGK32ST.
    FSGUIEXE.
    FSMA32.
    FSMB32.
    FSPEX.
    FSSM32.
    F-STOPW.
    GCASDTSERV.
    GCASSERV.
    GIANTANTISPYWARE
    GUARDGUI.
    GUARDNT.
    GUARDXSERVICE.
    GUARDXKICKOFF.
    HREGMON.
    HRRES.
    HSOCKPE.
    HUPDATE.
    IAMAPP.
    IAMSERV.
    ICLOAD95.
    ICLOADNT.
    ICMON.
    ICSSUPPNT.
    ICSUPP95.
    ICSUPPNT.
    IPTRAY.
    INETUPD.
    INOCIT.
    INORPC.
    INORT.
    INOTASK.
    INOUPTNG.
    IOMON98.
    ISAFE.
    ISATRAY.
    KAV.
    KAVMM.
    KAVPF.
    KAVPFW.
    KAVSTART.
    KAVSVC.
    KAVSVCUI.
    KMAILMON.
    MAMUTU
    MCAGENT.
    MCMNHDLR.
    MCREGWIZ.
    MCUPDATE.
    MCVSSHLD.
    MINILOG.
    MYAGTSVC.
    MYAGTTRY.
    NAVAPSVC.
    NAVAPW32.
    NAVLU32.
    NAVW32.
    NEOWATCHLOG.
    NEOWATCHTRAY.
    NISSERV
    NISUM.
    NMAIN.
    NOD32
    NORMIST.
    NOTSTART.
    NPAVTRAY.
    NPFMNTOR.
    NPFMSG.
    NPROTECT.
    NSCHED32.
    NSMDTR.
    NSSSERV.
    NSSTRAY.
    NTRTSCAN.
    NTOS.
    NTXCONFIG.
    NUPGRADE.
    NVCOD.
    NVCTE.
    NVCUT.
    NWSERVICE.
    OFCPFWSVC.
    OUTPOST
    ONLINENT.
    OPSSVC.
    OP_MON.
    PAVFIRES.
    PAVFNSVR.
    PAVKRE.
    PAVPROT.
    PAVPROXY.
    PAVPRSRV.
    PAVSRV51.
    PAVSS.
    PCCGUIDE.
    PCCIOMON.
    PCCNTMON.
    PCCPFW.
    PCCTLCOM.
    PCTAV.
    PERSFW.
    PERTSK.
    PERVAC.
    PESTPATROL
    PNMSRV.
    PREVSRV.
    PREVX
    PSIMSVC.
    QUHLPSVC.
    QHONLINE.
    QHONSVC.
    QHWSCSVC.
    QHSET.
    RFWMAIN.
    RTVSCAN.
    RTVSCN95.
    SALITY
    SAPISSVC.
    SCANWSCS.
    SAVADMINSERVICE.
    SAVMAIN.
    SAVPROGRESS.
    SAVSCAN.
    SCANNINGPROCESS.
    SDRA64.
    SDHELP.
    SHSTAT.
    SITECLI.
    SPBBCSVC.
    SPHINX.
    SPIDERCPL.
    SPIDERML.
    SPIDERNT.
    SPIDERUI.
    SPYBOTSD.
    SPYXX.
    SS3EDIT.
    STOPSIGNAV.
    SWAGENT.
    SWDOCTOR.
    SWNETSUP.
    SYMLCSVC.
    SYMPROXYSVC.
    SYMSPORT.
    SYMWSC.
    SYNMGR.
    TAUMON.
    TBMON.
    TMLISTEN.
    TMNTSRV.
    TMPROXY.
    TNBUTIL.
    TRJSCAN.
    VBA32ECM.
    VBA32IFS.
    VBA32LDR.
    VBA32PP3.
    VBSNTW.
    VCRMON.
    VPTRAY.
    VRFWSVC.
    VRMONNT.
    VRMONSVC.
    VRRW32.
    VSECOMR.
    VSHWIN32.
    VSMON.
    VSSERV.
    VSSTAT.
    WATCHDOG.
    WEBSCANX.
    WINSSNOTIFY.
    WRCTRL.
    XCOMMSVR.
    ZLCLIENT
    ZONEALARM
  • The virus searches for files with extensions “.drw”, “.VDB”, “.AVC” and deletes them.
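A host-artifact check for the registry settings listed above and the system.ini marker, added here as an example and not Kaspersky's code; the same values are the ones the removal instructions below ask you to restore. It parses text in `reg export` format and a system.ini fragment, both constructed inline as sample input, and reports every listed value found at the setting the virus writes.

```python
import re

# Settings the description says the virus writes, in reg-export form: key path -> {value name: value}.
# Paths and value names are compared case-insensitively; dword values are compared as decimal strings.
TAMPERED_SETTINGS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center": {
        "AntiVirusOverride": "1", "AntiVirusDisableNotify": "1", "FirewallDisableNotify": "1",
        "FirewallOverride": "1", "UpdatesDisableNotify": "1", "UacDisableNotify": "1"},
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system": {"EnableLUA": "0"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system": {"DisableTaskMgr": "1", "DisableRegistryTools": "1"},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
    r"\StandardProfile": {"EnableFirewall": "0", "DoNotAllowExceptions": "0", "DisableNotifications": "1"},
}

def parse_reg_export(text: str) -> dict:
    """Parse .reg text into {key path (lower-cased): {value name (lower-cased): value as string}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"(.*?)"\s*=\s*(.+)$', line)
            if m:
                name, raw = m.group(1).lower(), m.group(2).strip()
                keys[current][name] = str(int(raw[6:], 16)) if raw.lower().startswith("dword:") else raw.strip('"')
    return keys

def find_tampered_settings(reg_text: str) -> list:
    """Return (key, value name, value) for every listed setting found at the virus-set value."""
    reg = parse_reg_export(reg_text)
    return [(key, name, bad) for key, values in TAMPERED_SETTINGS.items()
            for name, bad in values.items() if reg.get(key.lower(), {}).get(name.lower()) == bad]

def has_system_ini_marker(ini_text: str) -> bool:
    """True if system.ini carries the [MCIDRV_VER] section with a numeric DEVICEMB value."""
    in_section = False
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].upper() == "MCIDRV_VER"
        elif in_section and re.fullmatch(r"DEVICEMB\s*=\s*\d+", line, re.I):
            return True
    return False

# Constructed sample input (not from a real host): a partial `reg export` and a system.ini fragment.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskMgr"=dword:00000001
"""
SAMPLE_INI = "[drivers]\nwave=mmdrv.dll\n\n[MCIDRV_VER]\nDEVICEMB=1234567\n"
```

Run `find_tampered_settings(SAMPLE_REG)` and `has_system_ini_marker(SAMPLE_INI)` to see the four flagged values and the marker hit on the sample; on a real host, feed it the output of `reg export` for the listed keys and the contents of %WinDir%\system.ini.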


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  • Update your antivirus databases and perform a full scan of the computer (Download a trial version of Kaspersky Anti-Virus). Attempting to remove the virus manually is pointless, since in all probability it has already infected a large number of executables on the computer, all of which need to be disinfected. To disinfect the computer you can also use the free SalityKiller utility.
  • Delete the following system registry key values (see What is a system registry and how do I use it for details on how to edit the registry).
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
    "DisableTaskMgr" = "1"
    "DisableRegistryTools" = "1"
    
  • If necessary, restore the following system registry key values (listed here with the values the virus sets) to their original settings:
    [HKLM\SOFTWARE\Microsoft\Security Center]
    "AntiVirusOverride" = "1"
    "AntiVirusDisableNotify" = "1"
    "FirewallDisableNotify" = "1"
    "FirewallOverride" = "1"
    "UpdatesDisableNotify" = "1"
    "UacDisableNotify" = "1"
    
    [HKLM\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusDisableNotify" = "1"
    "FirewallDisableNotify" = "1"
    "FirewallOverride" = "1"
    "UpdatesDisableNotify" = "1"
    "UacDisableNotify" = "1"
    
    [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
    Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = "1"
    "DoNotAllowExceptions" = "0"
    "EnableFirewall" = "0"
    


Virus

Viruses replicate on the resources of the local machine.

Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example:

  • when infecting accessible disks, a virus penetrates a file located on a network resource
  • a virus copies itself to a removable storage device or infects a file on a removable device
  • a user sends an email with an infected attachment.

Aliases

Virus.Win32.Sality.bh (Kaspersky Lab) is also known as:

  • Virus.Win32.Sality.gen (Kaspersky Lab)
  • Trojan.Win32.Vilsel.bmhb (Kaspersky Lab)
  • Trojan.Win32.Inject.efry (Kaspersky Lab)
  • Worm.Win32.AutoRun.hvp (Kaspersky Lab)
  • W32.SillyFDC.35916 (Symantec)
  • W32.Gosys.53591 (Symantec)
  • W32.Sality.AE.39765 (Symantec)
  • Mal/Sality-D (Sophos)
  • W32.Sality-65 (ClamAV)
  • BC.Heuristic.Trojan.SusPacked.BF-6.B (ClamAV)
  • W32.Virut.Gen.D-50 (ClamAV)
  • W32/Sality.aa (Panda)
  • Trj/Banker.FWD (Panda)
  • Worm:Win32/Brontok.GA@mm (MS(OneCare))
  • Worm:Win32/Autorun.TO (MS(OneCare))
  • Virus:Win32/Sality.AU (MS(OneCare))
  • Virus:Win32/Sality.AT (MS(OneCare))
  • Virus:Win32/Sality.AM (MS(OneCare))
  • Win32.Sector.5 (DrWeb)
  • Win32.Sality.3 (BitDef7)
  • Trojan.Agent.VB.BQB (BitDef7)
  • Trojan.Generic.6086965 (BitDef7)
  • Win32.Brontok.AP@mm (BitDef7)
  • Trojan.Agent.VB.BFR (BitDef7)
  • Win32.Sality.AM.Gen (VirusBuster)
  • Win32.Sality.BK (VirusBuster)
  • Win32.Sality.BL (VirusBuster)
  • Virus.Win32.Sality (Ikarus)
  • Virus.Win32.VB (Ikarus)
  • Email-Worm.Win32.Brontok (Ikarus)
  • Worm.Win32.Autorun (Ikarus)
  • Worm.Win32.VB (Ikarus)
  • Trojan.Win32.Ircbrute (Ikarus)
  • Trojan.Win32.VB (Ikarus)
  • Win32/Sality (AVG)
  • Worm/VB.13.AT (AVG)
  • VB.3.E (AVG)
  • W32/Sality.Y (AVIRA)
  • W32/Sality.AT (AVIRA)
  • W32/Sality.BD (Norman)
  • W32/Sality.BM (Norman)
  • Worm.VB.AU (Rising)
  • Worm.Win32.FakeFolder.ar (Rising)
  • Worm.Win32.AutoRun.smu (Rising)
  • Trojan.Win32.VBCode.fqq (Rising)
  • Win32.Sality.3 [Aquarius] (FSecure)
  • Trojan.Generic.6086965 [Aquarius] (FSecure)
  • Trojan.Agent.VB.BQB [Aquarius] (FSecure)
  • Win32.Brontok.AP@mm [Aquarius] (FSecure)
  • Trojan.Agent.VB.BFR [Aquarius] (FSecure)
  • PE_SALITY.DAM-4 (TrendMicro)
  • PE_SALITY.RL (TrendMicro)
  • Virus.Win32.Sality.at (v) (Sunbelt)
  • Virus.Win32.Sality.ah (v) (Sunbelt)
  • Win32.Sality.AM.Gen (VirusBusterBeta)
  • Win32.Sality.BK (VirusBusterBeta)
  • Win32.Sality.BL (VirusBusterBeta)
  • W32/Vb!tr (Fortinet)
  • W32/Brontok.B@mm (Fortinet)
  • W32/Virut.CE (Fortinet)
  • W32/AutoRun.BFQ!worm (Fortinet)
  • W32/Sality.BH (Fortinet)
  • W32/Sality.aa (Fortinet)
  • Win32.Sality.3 (GData)
  • Trojan.Generic.6086965 (GData)
  • Trojan.Agent.VB.BQB (GData)
  • Win32.Brontok.AP@mm (GData)
  • Trojan.Agent.VB.BFR (GData)