Virus Profile: W32/Sality.gen

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 7/5/2007
Date Added: 7/5/2007
Origin: N/A
Length: varies
Type: Virus
Subtype: Generic
DAT Required: 5068
Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

    * Presence of the file(s) mentioned.
    * Presence of the registry key(s) mentioned.
    * Services listening on the network port(s) mentioned.
    * Executable files increase in size by 70 kilobytes.

Methods of Infection

W32/Sality.gen searches local drives, removable drives and network shares for Windows PE executable files to infect. It replaces the original entry point of the files it infects with its viral code and appends itself to the last section of the PE image. Infected files grow in size by 70 KB.
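The header-level traces an appending PE infector leaves (entry point redirected into the last section, a last section marked writable and executable, a last section roughly the size of the growth described above) can be checked without executing the file. The following script is an added example written for this page, not McAfee's detection logic; it parses only the PE headers, and the sample images it builds are constructed for demonstration and contain no real code.

```python
"""Header-level triage for appending PE infectors.

Added example; it is not McAfee's detection logic for W32/Sality.gen. It reads
only the PE headers (DOS header, PE signature, COFF header, entry point, section
table) and reports the traces an infector leaves when it redirects execution to
a body appended to the last section. Treat the output as a triage hint to
compare against a known-good copy, not as a verdict.
"""
import struct
from typing import Optional

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = "<8sIIIIIIHHI"


def parse_pe(data: bytes):
    """Return (entry_point_rva, sections); each section is (name, vaddr, vsize, raw_size, characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    # AddressOfEntryPoint sits at +16 in both the PE32 and PE32+ optional header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, _, _, _, _, _, chars = struct.unpack_from(SECTION_HEADER, data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, raw_size, chars))
    if not sections:
        raise ValueError("no sections")
    return entry_rva, sections


def section_index_for_rva(rva: int, sections) -> Optional[int]:
    """Index of the section whose virtual range contains rva, or None."""
    for idx, (_, vaddr, vsize, raw_size, _) in enumerate(sections):
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return idx
    return None


def appended_infector_signals(data: bytes) -> dict:
    """Signals a defender checks before comparing the file with a clean baseline."""
    entry_rva, sections = parse_pe(data)
    last = len(sections) - 1
    ep_idx = section_index_for_rva(entry_rva, sections)
    last_chars = sections[last][4]
    return {
        "entry_section": sections[ep_idx][0] if ep_idx is not None else None,
        "entry_in_last_section": ep_idx == last,
        "last_section_rwx": bool(last_chars & IMAGE_SCN_MEM_EXECUTE) and bool(last_chars & IMAGE_SCN_MEM_WRITE),
        "last_section_raw_size": sections[last][3],
    }


def build_sample_pe(entry_rva: int, last_section_chars: int) -> bytes:
    """Constructed PE32 header with two sections (.text, .data) and no real code; for demonstration only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew: PE signature follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)

    def section(name, vaddr, size, chars):
        return struct.pack(SECTION_HEADER, name, size, vaddr, size, 0, 0, 0, 0, 0, chars)

    text = section(b".text", 0x1000, 0x1000, 0x60000020)              # code, execute, read
    data = section(b".data", 0x2000, 0x11800, last_section_chars)     # 0x11800 bytes = 70 KB, the growth named above
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + data


if __name__ == "__main__":
    clean = build_sample_pe(0x1000, 0xC0000040)    # entry in .text, .data read/write only
    suspect = build_sample_pe(0x2000, 0xE0000020)  # entry moved into a read/write/execute last section
    print("clean  :", appended_infector_signals(clean))
    print("suspect:", appended_infector_signals(suspect))
```

Infectors differ in whether they move the entry point or patch the code at the original one, so a clean entry section alone clears nothing; the last-section size and characteristics, compared against a known-good copy of the same binary, are the stronger signals.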

Virus Characteristics

-------- Updated on Mar 31, 2011 -----

File Information -

  • MD5 - 1AD2D0B7F3B624642C093490FEFD2D78
  • SHA1 - CB89F2C40BEA99B4EE467466AA5903AAACEC7196

Aliases -

  • Comodo - Virus.Win32.Sality.Gen
  • Microsoft - Virus:Win32/Sality.AM
  • Kaspersky - Virus.Win32.Sality.aa
  • Ikarus - Virus.Win32.Tanatos

Characteristics -

W32/Sality.gen is a parasitic virus that infects Win32 PE executable files.

Upon execution, it starts a service that listens on a random UDP port and creates a copy of itself in the following path(s):

  • %Windir%\System32\Drivers\[random].sys
  • %Systemdrive%\ymmj [Random name]
  • %Systemdrive%\autorun.inf

It also drops the following files:

  • %Removable drive%\autorun.inf
  • %Removable drive%\[random name] [Executable]
  • %temp%\afkfjh.exe
  • %temp%\oamm.exe
  • %temp%\winxcups.exe

It also drops an autorun.inf file into the root of all removable drives so that an executable is run when the drive is accessed. The autorun.inf points to the malware executable; when the removable or network drive is opened from a machine with the Autorun feature enabled, the malware is launched automatically.

The autorun.inf is configured to launch the virus file via the following entries:

    ;mefFtacnh
    [AutoRun]
    ;
    ;FYuN  idnGjn
    shElL\opEn\COmmand = [random name] [Executable]
    ;lBkOgxsSfEkPaYK epsnJ
    shell\oPEn\DefaULT=1
    ;
    sHell\exPLorE\COmmand =[random name] [Executable]
    ;
    open =[random name] [Executable]
    ;
    shell\autopLAy\commanD =[random name] [Executable]
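Because Windows reads autorun.inf case-insensitively and ignores ';' comment lines, a detector has to normalise the file before matching rather than grep for a literal "shell\open\command". The script below is an added example written for this page, not McAfee's tooling. Its sample autorun.inf is constructed to mirror the layout shown above (junk comment lines, mixed-case keys, stray spaces), and the target name ymmj.exe is a placeholder standing in for the random executable name; the benign sample is likewise constructed.

```python
"""Parse an obfuscated autorun.inf and list what it would launch.

Added example, not McAfee's tooling. SAMPLE_AUTORUN is constructed to mirror
the profile's listing; ymmj.exe is a placeholder for the random executable name.
"""
import re

SAMPLE_AUTORUN = r""";mefFtacnh
[AutoRun]
;
;FYuN  idnGjn
shElL\opEn\COmmand = ymmj.exe
;lBkOgxsSfEkPaYK epsnJ
shell\oPEn\DefaULT=1
;
sHell\exPLorE\COmmand =ymmj.exe
;
open =ymmj.exe
;
shell\autopLAy\commanD =ymmj.exe
"""

# Constructed benign file for contrast: sets a label and icon, launches nothing.
BENIGN_AUTORUN = "[autorun]\nlabel=Backup Drive\nicon=setup.exe,0\n"

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
VERB_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun(text: str) -> dict:
    """Return {normalised_key: value} for the [autorun] section, dropping comments and junk."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # keys are case-insensitive and may carry stray whitespace around the backslashes
        entries[re.sub(r"\s+", "", key).lower()] = value.strip()
    return entries


def launch_targets(text: str) -> set:
    """Executables referenced by open=, shellexecute= or any shell\\<verb>\\command= key."""
    targets = set()
    for key, value in parse_autorun(text).items():
        if key in ("open", "shellexecute") or VERB_COMMAND.match(key):
            parts = value.split()
            if parts:
                targets.add(parts[0].strip('"').lower())
    return targets


def hijacked_verbs(text: str) -> list:
    """Explorer verbs (open, explore, autoplay, ...) the file redirects to a command."""
    verbs = set()
    for key in parse_autorun(text):
        m = VERB_COMMAND.match(key)
        if m:
            verbs.add(m.group(1))
    return sorted(verbs)


def autorun_verdict(text: str) -> dict:
    """Flags describing the pattern shown above: every way of opening the drive points at one executable.

    The threshold of two or more hijacked verbs is this example's own heuristic.
    """
    targets = launch_targets(text)
    verbs = hijacked_verbs(text)
    launches_exe = any(t.endswith(EXECUTABLE_EXTENSIONS) for t in targets)
    return {
        "targets": sorted(targets),
        "launches_executable": launches_exe,
        "hijacked_verbs": verbs,
        "suspicious": launches_exe and len(verbs) >= 2,
    }


if __name__ == "__main__":
    print(autorun_verdict(SAMPLE_AUTORUN))
    print(autorun_verdict(BENIGN_AUTORUN))
```

The same normalisation applies when scanning the root of every removable and network drive: an autorun.inf whose open, explore and autoplay verbs all resolve to one executable in the drive root is the shape described above, whereas a legitimate file usually sets only a label and an icon.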

The following registry keys are added:

  • HKLM\SOFTWARE\Microsoft\Security Center\Svc
  • HKLM\SOFTWARE\Microsoft\Tracing\FWCFG
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abp470n5
  • HKEY_CURRENT_USER\Software\ S-1-5-[varies]\{%UserName%}914

The following registry values are added:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\abp470n5\ImagePath = "\??\%Windir%\System32\drivers\[random].sys"

It may also modify system configuration via the following registry key(s).

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ Parameters\FirewallPolicy\StandardProfile\Authorized Applications\List %userprofile%\Desktop\MS05-049_W2K.EXE: "%userprofile%\Desktop\MS05-049_W2K.EXE:*:Enabled:ipsec"

The following registry entry shows that the virus prevents users from viewing hidden files:

  • HKEY_CURRENT_USER \S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden = 0x00000002

In an attempt to make recovery difficult for the victim, registry keys in the following sub-trees are deleted and need to be restored to their original configuration by the user if required:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\*
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*

Sality is known to create the following mutex on the system:

  • Op1mutx9

It connects to the following sites to get user credentials and other information.

  • musi[removed].sk
  • mace[removed].my1.ru
  • [removed].jre.net.cn
  • musi[removed].wz.cz
  • [removed].mail.ru
  • gotcha.[removed].info
  • pe[removed].fm.interia.pl
  • 724h[removed].com
  • blue[removed]s.com
  • yavuz[removed].ya.funpic.de
  • ce[removed].com
  • d.mx.mail.y[removed].com
  • mx1.y[removed].ru

(Where %UserName% is the Windows logged in user ID)
[%RemovableDrive% = Removable drive inserted into the system, %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), %Systemdrive% = where the operating system installed, %userprofile% = C:\Documents and Settings\Administrator, %temp% = C:\Documents and Settings\Administrator\Local Settings\Temp]

----------------------------------------------------

W32/Sality.gen is a parasitic virus that infects Win32 PE executable files.

Upon execution, it starts a service that listens on a random UDP port and creates a copy of itself in the following path(s):

    * %Windir%\System32\Drivers\{random}.sys

It then creates the following registry key(s):

    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3360pr
    * HKEY_CURRENT_USER\Software\{%UserName%}914

It may also modify system configuration via the following registry key(s):

    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ Parameters\FirewallPolicy\StandardProfile\Authorized Applications\List
    * SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

(Where %UserName% is the Windows logged in user ID)

In an attempt to make recovery difficult for the victim, registry keys in the following sub-trees are deleted and need to be restored to their original configuration by the user if required:

    * HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\*
    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*

It may parasitically infect *.exe and *.scr files on local, network and removable drives, except for files containing the following string(s) in the filename:

    * WINDOWS
    * SYSTEM
    * SYSTEM32

It can also drop a copy of itself as asc3360pr.scr, asc3360pr.pif or asc3360pr.exe onto the following Windows drive types and creates an Autorun.inf to auto-execute itself:

    * Unknown drive type (Type 0)
    * Removable media (Type 2) - e.g. USB drives.
    * Remote network drive (Type 4) - e.g. shared folders.

Services containing the following strings may be removed:

    * Agnitum Client Security Service
    * ALG
    * aswUpdSv
    * avast! Antivirus
    * avast! Mail Scanner
    * avast! Web Scanner
    * AVP
    * BackWeb Plug-in - 4476822
    * bdss
    * BGLiveSvc
    * BlackICE
    * CAISafe
    * ccEvtMgr
    * ccProxy
    * ccSetMgr
    * Eset Service
    * F-Prot Antivirus Update Monitor
    * fsbwsys
    * FSDFWD
    * F-Secure Gatekeeper Handler Starter
    * fshttps
    * FSMA
    * InoRPC
    * InoRT
    * InoTask
    * ISSVC
    * KPF4
    * LavasoftFirewall
    * LIVESRV
    * McAfeeFramework
    * McShield
    * McTaskManager
    * navapsvc
    * NOD32krn
    * NPFMntor
    * NSCService
    * Outpost Firewall main module
    * OutpostFirewall
    * PAVFIRES
    * PAVFNSVR
    * PavProt
    * PavPrSrv
    * PAVSRV
    * PcCtlCom
    * PersonalFirewal
    * PREVSRV
    * ProtoPort Firewall service
    * PSIMSVC
    * RapApp
    * SmcService
    * SNDSrvc
    * SPBBCSvc
    * Symantec Core LC
    * Tmntsrv
    * TmPfw
    * tmproxy
    * UmxAgent
    * UmxCfg
    * UmxLU
    * UmxPol
    * vsmon
    * VSSERV
    * WebrootDesktopFirewallDataService
    * WebrootFirewall
    * XCOMM

It may also search and delete files containing the following extension(s) or string(s) in the filename:

    * .vdb
    * .key
    * .avc

Sality is known to create the following mutexes on the system:

  • Op1mutx
  • Ap1mutx7

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

