
W32/Sality.ai

Type
Virus
SubType
Win32
Discovery Date
08/05/2008
Length
Varies
Minimum DAT
5354 (08/05/2008)
Updated DAT
5359 (08/12/2008)
Minimum Engine
5.2.00
Description Added
08/05/2008
Description Modified
08/06/2008 2:01 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

W32/Sality.ai is a parasitic virus that infects Win32 PE executable files.

Upon execution, this file infector listens on a UDP port and drops the following file:

%System%\drivers\{Random file name}.sys (Terminates security applications)
(Note: %System% is the Windows system folder, e.g. C:\Windows\System32 or C:\WINNT\System32)


It then creates/modifies the following registry keys/entries:

  • HKEY_CURRENT_USER\Software\{User Name}914
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3360pr
    ImagePath = "%System%\drivers\{Random file name}.sys"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\
    DisableTaskMgr: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\
    DisableRegistryTools: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced


To make recovery difficult for the victim, it deletes the following registry keys/entries:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
    AlternateShell = "cmd.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network


This file infector adds the following entry to the SYSTEM.INI file:

  • [MCIDRV_VER]
    DEVICEMB={Random numbers}
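The host artefacts listed above (the two policy values, the asc3360pr driver service, the {User Name}914 key, the deleted SafeBoot keys and the SYSTEM.INI section) can be checked in one pass during triage. The script below is an added example written for this page, not McAfee's or the virus's code. It assumes a Windows host where Python's standard winreg module is available for the live run and that SYSTEM.INI sits under %SystemRoot%; the registry contents, the system.ini text and the user name "alice" used for the offline run are constructed sample data, not captures from a real host.

```python
"""Triage the host artefacts described above. Added example for this page, not
McAfee's or the malware's code. Registry access goes through a small reader
interface: WinRegReader for a live Windows host, DictReader for captured values."""
import os

HKLM, HKCU = "HKLM", "HKCU"
POLICY_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
SERVICES = r"SYSTEM\CurrentControlSet\Services"
SAFEBOOT = r"SYSTEM\CurrentControlSet\Control\SafeBoot"


class DictReader:
    """Offline reader over captured values: {(hive, key path): {value name: data}}."""

    def __init__(self, keys):
        self.keys = {(h, p.lower()): v for (h, p), v in keys.items()}

    def exists(self, hive, path):
        return (hive, path.lower()) in self.keys

    def value(self, hive, path, name):
        return self.keys.get((hive, path.lower()), {}).get(name)


class WinRegReader:
    """Live reader; assumes a Windows host with the standard-library winreg module."""

    def __init__(self):
        import winreg
        self.winreg = winreg
        self.hives = {HKLM: winreg.HKEY_LOCAL_MACHINE, HKCU: winreg.HKEY_CURRENT_USER}

    def exists(self, hive, path):
        try:
            self.winreg.OpenKey(self.hives[hive], path).Close()
            return True
        except OSError:
            return False

    def value(self, hive, path, name):
        try:
            with self.winreg.OpenKey(self.hives[hive], path) as key:
                return self.winreg.QueryValueEx(key, name)[0]
        except OSError:  # key or value absent
            return None


def ini_devicemb(text):
    """DEVICEMB value from a [MCIDRV_VER] section of SYSTEM.INI, or None if absent."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().upper()
        elif section == "MCIDRV_VER" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().upper() == "DEVICEMB":
                return val.strip()
    return None


def triage(reader, system_ini_text, username):
    """Check every artefact the description lists; returns human-readable findings."""
    findings = []
    if reader.value(HKLM, POLICY_SYSTEM, "EnableLUA") == 0:
        findings.append("UAC disabled: HKLM policy EnableLUA=0")
    for name in ("DisableTaskMgr", "DisableRegistryTools"):
        if reader.value(HKCU, POLICY_SYSTEM, name) == 1:
            findings.append("HKCU policy %s=1" % name)
    svc = SERVICES + r"\asc3360pr"
    if reader.exists(HKLM, svc):
        findings.append("driver service asc3360pr present, ImagePath=%s"
                        % reader.value(HKLM, svc, "ImagePath"))
    if reader.exists(HKCU, "Software\\" + username + "914"):
        findings.append("HKCU\\Software\\%s914 marker key present" % username)
    for sub in ("Minimal", "Network"):
        if not reader.exists(HKLM, SAFEBOOT + "\\" + sub):
            findings.append("SafeBoot\\%s key deleted (Safe Mode will not boot)" % sub)
    if reader.value(HKLM, SAFEBOOT, "AlternateShell") is None:
        findings.append("SafeBoot AlternateShell value deleted")
    devicemb = ini_devicemb(system_ini_text)
    if devicemb is not None:
        findings.append("SYSTEM.INI [MCIDRV_VER] DEVICEMB=%s" % devicemb)
    return findings


def live_triage():
    """Run against the current Windows host (SYSTEM.INI under %SystemRoot% is assumed)."""
    ini_path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system.ini")
    with open(ini_path, encoding="ascii", errors="replace") as f:
        text = f.read()
    return triage(WinRegReader(), text, os.environ.get("USERNAME", ""))


# Constructed sample data (not captured from a real host) for an offline run.
INFECTED_HOST = DictReader({
    (HKLM, POLICY_SYSTEM): {"EnableLUA": 0},
    (HKCU, POLICY_SYSTEM): {"DisableTaskMgr": 1, "DisableRegistryTools": 1},
    (HKLM, SERVICES + r"\asc3360pr"): {"ImagePath": r"%System%\drivers\{Random file name}.sys"},
    (HKCU, r"Software\alice914"): {},
})
INFECTED_SYSTEM_INI = "[drivers]\nwave=mmdrv.dll\n[MCIDRV_VER]\nDEVICEMB=4521389\n"
CLEAN_HOST = DictReader({
    (HKLM, POLICY_SYSTEM): {"EnableLUA": 1},
    (HKLM, SAFEBOOT): {"AlternateShell": "cmd.exe"},
    (HKLM, SAFEBOOT + r"\Minimal"): {},
    (HKLM, SAFEBOOT + r"\Network"): {},
})
CLEAN_SYSTEM_INI = "[drivers]\nwave=mmdrv.dll\n"

if __name__ == "__main__":
    for line in triage(INFECTED_HOST, INFECTED_SYSTEM_INI, "alice"):
        print(line)
```

Run live_triage() on the suspect host; elsewhere, triage() can be pointed at values captured from a registry export or a forensic image. The antivirus subkeys the virus deletes are not checked here because the page lists them only in part; compare the Services key against a known-good baseline of the same build for that.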
It scans the following registry key to check for the existence of registry subkeys related to antivirus and security applications:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

If found, it deletes those subkeys. Subkeys that may be deleted to disable security applications include:

  • _AVPM
  • A2GUARD
  • AAVSHIELD
  • AVAST
  • ADVCHK
    ...
  • WRCTRL
  • XCOMMSVR
  • ZAUINST
  • ZLCLIENT
  • ZONEALARM


It infects *.exe and *.scr files on local, network and removable drives, skipping files whose names contain the strings WINDOWS, SYSTEM or SYSTEM32. Infection overwrites some of the code at the host's entry point, saves the overwritten bytes in the virus body, and then appends the virus body to the host file.


This file infector terminates the following services, if found on the system:

  • aswUpdSv
  • avast! iAVS4 Control Service
  • avast! Antivirus
  • avast! Mail Scanner
  • avast! Web Scanner
    ...
  • vsmon
  • VSSERV
  • WebrootDesktopFirewallDataService
  • WebrootFirewall
  • XCOMM


It may download additional malware from the following site(s):

  • http://89.119.67.{removed}/testo5
  • http://kukutrustnet777.{removed}
  • http://kukutrustnet888.{removed}
  • http://kukutrustnet987.{removed}
  • http://www.klkjwre9fqwieluoi.{removed}

Symptoms

Presence of the file(s) mentioned.
Presence of the registry key(s) mentioned.
Services listening on the network port(s) mentioned.
Unexpected network traffic to one or more of the domain(s) mentioned.

Method of Infection

W32/Sality.ai searches local drives, removable and network shares for Windows PE executable files to infect. It replaces the original entry point of the files it infects with its viral code and appends itself to the last section of the PE image.
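The infection technique described here and under Characteristics (overwrite code at the entry point, keep the original bytes in the virus body, append the body to the host's last section) leaves header-level traces that can be checked without a signature. The Python script below is an added example for this page, not McAfee's detection logic or the virus's code: it assembles a constructed clean PE32 in memory, simulates an appending infection of that kind on it, and scans for three heuristics. The simulated entry stub transfers control with a near jmp (E9 rel32) to the appended body, and the section flags it sets (code, execute, read, write) are assumptions made for the demonstration, not details the description states.

```python
"""Heuristic scan for an appending PE file infector. Added example; the sample
PE files are constructed in memory and the simulated infection is not Sality's code."""
import struct

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
SCN_CODE, SCN_IDATA = 0x20, 0x40                       # IMAGE_SCN_CNT_CODE / INITIALIZED_DATA
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000


def _align(n, a):
    return (n + a - 1) // a * a


def parse_pe(data):
    """Minimal PE32 header walk; returns entry RVA, header offsets and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint
    sec_table = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "vaddr": vaddr, "rsize": rsize, "rptr": rptr, "chars": chars})
    return {"entry": entry, "opt": opt, "sec_table": sec_table, "sections": sections}


def _section_of(pe, rva):
    for s in pe["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
            return s
    return None


def _rva_to_offset(pe, rva):
    s = _section_of(pe, rva)
    return None if s is None else s["rptr"] + (rva - s["vaddr"])


def scan(data):
    """Return heuristic findings for an appended-body infection (empty if nothing seen)."""
    pe, findings = parse_pe(data), []
    last = pe["sections"][-1]
    # An appended body must run, so the last section ends up executable and, for
    # self-modifying code, writable; compiler-emitted data sections are never both.
    if last["chars"] & SCN_EXEC and last["chars"] & SCN_WRITE:
        findings.append("last-section-rwx")
    # Classic appender: the entry point itself was moved into the last section.
    if len(pe["sections"]) > 1 and _section_of(pe, pe["entry"]) is last:
        findings.append("entry-in-last-section")
    # Patched entry point: a near call/jmp (E8/E9 rel32) targeting the last section.
    off = _rva_to_offset(pe, pe["entry"])
    if off is not None and data[off] in (0xE8, 0xE9):
        rel = struct.unpack_from("<i", data, off + 1)[0]
        if _section_of(pe, (pe["entry"] + 5 + rel) & 0xFFFFFFFF) is last:
            findings.append("entry-jumps-to-last-section")
    return findings


def build_pe(sections, entry_rva):
    """Constructed sample: assemble a minimal PE32 from (name, characteristics, bytes) tuples."""
    nsec = len(sections)
    size_headers = _align(0x40 + 4 + 20 + 0xE0 + 40 * nsec, FILE_ALIGN)
    raw_ptr, vaddr, hdrs, bodies = size_headers, SECT_ALIGN, b"", b""
    for name, chars, body in sections:
        rsize = _align(len(body), FILE_ALIGN)
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(body), vaddr, rsize, raw_ptr, 0, 0, 0, 0, chars)
        bodies += body.ljust(rsize, b"\0")
        raw_ptr += rsize
        vaddr += _align(max(rsize, 1), SECT_ALIGN)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva, SECT_ALIGN, 0)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, SECT_ALIGN, FILE_ALIGN, 6, 0, 0, 0, 6, 0,
                       0, vaddr, size_headers, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                           # 16 empty data directories
    head = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    head += struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0xE0, 0x102) + opt + hdrs
    return head.ljust(size_headers, b"\0") + bodies


def simulate_append_infection(data, body):
    """Constructed simulation of the described technique (not the real virus): append
    `body` plus the saved original entry bytes to the last section, mark that section
    code+RWX, and overwrite the entry point with a jmp to the appended code."""
    pe = parse_pe(data)
    last, ep_off = pe["sections"][-1], _rva_to_offset(pe, pe["entry"])
    body = body + data[ep_off:ep_off + 5]                        # keep the 5 bytes the jmp destroys
    end, target_rva = last["rptr"] + last["rsize"], last["vaddr"] + last["rsize"]
    out = bytearray(data[:end] + body.ljust(_align(len(body), FILE_ALIGN), b"\0"))
    hdr = pe["sec_table"] + 40 * (len(pe["sections"]) - 1)
    struct.pack_into("<I", out, hdr + 8, last["rsize"] + len(body))                     # VirtualSize
    struct.pack_into("<I", out, hdr + 16, _align(last["rsize"] + len(body), FILE_ALIGN))  # SizeOfRawData
    struct.pack_into("<I", out, hdr + 36, SCN_CODE | SCN_EXEC | SCN_READ | SCN_WRITE)    # Characteristics
    struct.pack_into("<I", out, pe["opt"] + 56, _align(target_rva + len(body), SECT_ALIGN))  # SizeOfImage
    struct.pack_into("<Bi", out, ep_off, 0xE9, target_rva - (pe["entry"] + 5))           # jmp rel32
    return bytes(out)


def demo():
    """Scan a constructed clean host and the same host after the simulated infection."""
    clean = build_pe([(b".text", SCN_CODE | SCN_EXEC | SCN_READ, b"\x55\x8b\xec\x33\xc0\x5d\xc3"),
                      (b".data", SCN_IDATA | SCN_READ | SCN_WRITE, b"hello\0")], entry_rva=SECT_ALIGN)
    infected = simulate_append_infection(clean, b"\x90" * 16 + b"\xc3")
    return scan(clean), scan(infected)


if __name__ == "__main__":
    print(demo())
```

scan() reports, it does not convict: packers and some protectors also leave an executable, writable last section, so treat a hit as a reason to compare the file's hash and entry-point bytes against a known-good copy rather than as a verdict on its own.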

Removal

Use the latest Engine/DATs.

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
