Internet threat level: 1
Follow us on
Home→Descriptions→Virus.Win32.Sality.ag
Virus.Win32.Sality.ag
| Detected | Apr 07 2010 08:21 GMT |
| Released | Apr 08 2010 09:40 GMT |
| Published | Apr 08 2010 13:13 GMT |
Technical Details
Payload
Removal instructions
Payload
Removal instructions
Technical Details
This malicious program infects files on the victim computer. It is designed to download and launch other malicious programs on the victim computer without the user’s knowledge or consent. It is a Windows PE EXE file. It is written in C++.
Installation
When launching, the malicious program extracts a file from its body and saves it to the Windows system catalog under a random name:
%System%\drivers\<rnd>.syswith <rnd> being a random sequence of Latin uppercase letters, such as "INDSNN". The file is a kernel mode driver of 5157 bytes. It is detected by Kaspersky Anti-Virus as Virus.Win32.Sality.ag.
The extracted driver is installed and launched in the system as a service called "amsint32".
Propagation
The malicious program infects Windows PE-EXE files with the following extensions:
EXE SCROnly those files that contain the following sections in the PE header are infected:
TEXT UPX CODEWhen it infects the PE file, the virus extends the last section in the file and copies its own body to the end of the section. The virus searches all hard disk partitions for files to infect. When an infected file is launched, the malicious program copies the body of the original clean file into a temporary folder created with the following name:
%Temp%\__Rar\To ensure the malicious program’s file launches automatically, it copies itself to all logical disks under random names with extensions chosen randomly from the following list:.exe
.exe .pif. .cmdThe virus also creates a hidden file in the root folders of these disks:
:\autorun.infwhere the command to launch the malicious file is stored. Upon opening a logical disk in Windows Explorer the malicious program launches.
Payload
Once launched, the malicious program creates a unique identifier called "Ap1mutx7" in order to flag its presence in the system.
It attempts to download files from the following links:http://*******nc.sa.funpic.de/images/logos.gif http://www.*********ccorini.com/images/logos.gif http://www.********gelsmagazine.com/images/logos.gif http://www.********ukanadolu.com/images/logos.gif http://******vdar.com/logos_s.gif http://www.****r-adv.com/gallery/Fusion/images/logos.gif http://********67.154/testo5/ http://*********stnet777.info/home.gif http://*******stnet888.info/home.gif http://***********net987.info/home.gif http://www.**********wieluoi.info/ http://**********et777888.info/ http://********7638dfqwieuoi888.info/The downloaded files are saved to the %Temp% folder and executed.
At the time of writing, the virus downloaded the following malicious programs from the above links:
Backdoor.Win32.Mazben.ah Backdoor.Win32.Mazben.ax Trojan.Win32.Agent.diduAll of these malicious programs were designed to distribute spam.
Apart from downloading files, the virus can modify a range of parameters in the operating system, including the following:
- disable Task Manager and prevent editing of the system registry by modifying the following registry parameters:
[HKÑU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
- modify the settings of the Windows Security Center by creating the following registry key parameters:
[HKLM\SOFTWARE\Microsoft\Security Center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 "UacDisableNotify"=dword:00000001
[HKLM\SOFTWARE\Microsoft\Security Center\Svc] "AntiVirusDisableNotify"=dword:00000001 "AntiVirusOverride"=dword:00000001 "FirewallDisableNotify"=dword:00000001 "FirewallOverride"=dword:00000001 "UacDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 - ensure that hidden files are not displayed by adding the following parameter to the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced]
"Hidden"=dword:00000002 - It also installs options so the default browser always launches in online mode, adding the following to the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline"=dword:00000000 - The program disables UAC (User Account Control) by setting the registry key parameter "EnableLUA" to “0”:
[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system]It adds itself to the Windows firewall as an application allowed to access the network. To do so, it saves the following parameter in the registry key:
"EnableLUA"=dword:00000000[HKLM\System\CurrentControlSet\Services\SharedAccess\
Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"<the path to the virus’s original file>"
= "<the path to the virus’s original file>:*:Enabled:ipsec"
- Then it creates registry keys in which it stores its operational data:
HKCU\Software\<rnd>
where <rnd> - is an arbitrary value. - Then the malicious program searches for a file called
%WinDir%\system.ini
and adds the following record to it:[MCIDRV_VER] DEVICEMB=509102504668 (any arbitrary number)
- It deletes the following registry keys, making it impossible to boot the infected computer in Safe Mode:
HKLM\System\CurrentControlSet\Control\SafeBoot HKCU\System\CurrentControlSet\Control\SafeBoot
Deletes *.exe and *.rar files from the current user’s temporary folder:%Temp%\
Searches for files with the following extensions and deletes them:"VDB", "KEY", "AVC", "drw"
- The malicious program uses the driver it has extracted to block all references to domains with URLs containing the following strings:
upload_virus sality-remov virusinfo. cureit. drweb. onlinescan. spywareinfo. ewido. virusscan. windowsecurity. s pywareguide. bitdefender. pandasoftware. agnmitum. virustotal. sophos. trendmicro. etrust.com symantec. mcafee. f-secure. eset.com kaspersky
- The program terminates and deletes the following services:
Agnitum Client Security Service ALG Amon monitor aswUpdSv aswMon2 aswRdr aswSP aswTdi aswFsBlk acssrv AV Engine avast! iAVS4 Control Service avast! Antivirus avast! Mail Scanner avast! Web Scanner avast! Asynchronous Virus Monitor avast! Self Protection AVG E-mail Scanner Avira AntiVir Premium Guard Avira AntiVir Premium WebGuard Avira AntiVir Premium MailGuard avp1 BackWeb Plug-in - 4476822 bdss BGLiveSvc BlackICE CAISafe ccEvtMgr ccProxy ccSetMgr COMODO Firewall Pro Sandbox Driver cmdGuard cmdAgent Eset Service Eset HTTP Server Eset Personal Firewall F-Prot Antivirus Update Monitor fsbwsys FSDFWD F-Secure Gatekeeper Handler Starter FSMA Google Online Services InoRPC InoRT InoTask ISSVC KPF4 KLIF LavasoftFirewall LIVESRV McAfeeFramework McShield McTaskManager navapsvc NOD32krn NPFMntor NSCService Outpost Firewall main module OutpostFirewall PAVFIRES PAVFNSVR PavProt PavPrSrv PAVSRV PcCtlCom PersonalFirewal PREVSRV ProtoPort Firewall service PSIMSVC RapApp SmcService SNDSrvc SPBBCSvc SpIDer FS Monitor for Windows NT SpIDer Guard File System Monitor SPIDERNT Symantec Core LC Symantec Password Validation Symantec AntiVirus Definition Watcher SavRoam Symantec AntiVirus Tmntsrv TmPfw tmproxy tcpsr UmxAgent UmxCfg UmxLU UmxPol vsmon VSSERV WebrootDesktopFirewallDataService WebrootFirewall XCOMM AVP
The virus also attempts to terminate the processes of various antivirus programs and popular antivirus utilities.
Removal instructions
If your computer does not have an up-to-date antivirus program, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Update your Kaspersky Anti-Virus databases and perform a full scan of the computer (download trial version). It may be impossible to delete the malicious program manually: most probably, it has infected a large number of executable files on your computer, all of which require treatment. You can also use the free SalityKiller tool to treat the virus.
- Restore the following registry keys as required:
[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = dword:00000000
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"FirewallOverride"=dword:00000000
"UacDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "Hidden"=dword:00000002 - Delete the following registry keys as required:
[HKÑU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableRegistryTools"
"DisableTaskMgr"
[HKCU\Software\Microsoft\Windows\CurrentVersion\
Internet Settings] "GlobalUserOffline"
- Delete the contents of the %Temp% folder.
Virus
Viruses replicate on the resources of the local machine.
Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example:
- when infecting accessible disks, a virus penetrates a file located on a network resource
- a virus copies itself to a removable storage device or infects a file on a removable device
- a user sends an email with an infected attachment.
Aliases
Virus.
- Trojan.
Win32. Vilsel. vyz (Kaspersky Lab) - W32/Sality.
aa (Panda) - Virus:
Win32/Sality. AT (MS(OneCare)) - Win32/Sality.
NBA virus (Nod32) - Win32.
Sality. 3 (BitDef7) - Win32.
Sality. BK (VirusBuster) - W32/Sality.
AG (AVIRA) - W32/Sality.
BD (Norman) - Virus.
Win32. Sality. ag [AVP] (FSecure) - PE_SALITY.
BA (TrendMicro) - Virus.
Win32. Sality. at (v) (Sunbelt) - Win32.
Sality. BK (VirusBusterBeta)
© 1997-2010 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.