Virus.Win32.Sality.ag

Tue, 04/13/2010 - 3:23AM by Omega1

Technical Details

This malicious program infects files on the victim computer. It is designed to download and launch other malicious programs on the victim computer without the user’s knowledge or consent. It is a Windows PE EXE file. It is written in C++.

Installation

When launched, the malicious program extracts a file from its body and saves it to the Windows system directory under a random name:

%System%\drivers\<rnd>.sys

with <rnd> being a random sequence of Latin uppercase letters, such as "INDSNN". The file is a kernel mode driver of 5157 bytes. It is detected by Kaspersky Anti-Virus as Virus.Win32.Sality.ag.

The extracted driver is installed and launched in the system as a service called "amsint32".

Propagation

The malicious program infects Windows PE-EXE files with the following extensions:

EXE 
SCR

Only those files that contain the following sections in the PE header are infected:

TEXT
UPX
CODE

When it infects the PE file, the virus extends the last section in the file and copies its own body to the end of the section. The virus searches all hard disk partitions for files to infect. When an infected file is launched, the malicious program copies the body of the original clean file into a temporary folder created with the following name:

%Temp%\__Rar\.exe
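
The infection pattern described above (last section extended, virus body appended to it) gives an analyst two cheap things to look for in a PE section table: an entry point that lies in the last section, and a last section that is both writable and executable. The following is an added example, not code from the original description or from Kaspersky, that parses the section table with the standard library and applies those two heuristics, and separately reports whether the file carries one of the TEXT/UPX/CODE section names the text lists as targets. The two sample images are constructed, header-only blobs assembled by build_test_pe (not real binaries), and the section names, addresses and flags in them are assumptions for illustration; a heuristic hit is a reason to scan the file with an up-to-date engine, not proof of infection.

```python
import struct

# Section characteristics bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names the description lists as the infector's targets (matched case-insensitively).
TARGET_NAMES = (b"text", b"upx", b"code")


def parse_sections(data):
    """Return (entry_rva, sections) from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    entry_rva = struct.unpack_from("<I", data, coff + 20 + 16)[0]  # AddressOfEntryPoint
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw, _, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "raw": raw, "flags": flags})
    return entry_rva, sections


def has_target_section(data):
    """True if the file carries one of the section names the infector looks for."""
    _, sections = parse_sections(data)
    return any(t in s["name"].lower() for s in sections for t in TARGET_NAMES)


def sality_heuristics(data):
    """Heuristic findings for one PE image; an empty list means nothing stood out."""
    entry, sections = parse_sections(data)
    if not sections:
        return ["no section table"]
    findings = []
    last = sections[-1]
    last_end = last["va"] + max(last["vsize"], last["raw"])
    if last["va"] <= entry < last_end:
        findings.append(f"entry point {entry:#x} lies in the last section {last['name']!r}")
    if last["flags"] & IMAGE_SCN_MEM_EXECUTE and last["flags"] & IMAGE_SCN_MEM_WRITE:
        findings.append(f"last section {last['name']!r} is writable and executable")
    return findings


def build_test_pe(sections, entry_rva):
    """Assemble a minimal PE32 header plus section table for exercising the parser.
    Constructed test data only: it carries no section contents and cannot run."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    opt_size = 224                                          # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, 0, 0, 0, 0, 0, flags)
        for name, va, vsize, raw, flags in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples (assumed layouts): a typical image, and the layout the description
# implies for an infected file (last section grown, made executable, entry point moved into it).
CLEAN = build_test_pe(
    [(b".text", 0x1000, 0x400, 0x400, 0x60000020), (b".data", 0x2000, 0x200, 0x200, 0xC0000040)],
    entry_rva=0x1010)
SUSPECT = build_test_pe(
    [(b".text", 0x1000, 0x400, 0x400, 0x60000020), (b".data", 0x2000, 0x200, 0x4600, 0xE0000040)],
    entry_rva=0x2210)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, has_target_section(blob), sality_heuristics(blob))
```

Packers and some linkers legitimately place the entry point in the last section, so the value of the check is in combining both signals with the target-section test and then confirming with a scanner, not in treating one hit as a verdict.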

To ensure the malicious program’s file launches automatically, it copies itself to all logical disks under random names with extensions chosen randomly from the following list:

.exe
.pif
.cmd

The virus also creates a hidden file in the root folders of these disks:

:\autorun.inf

where the command to launch the malicious file is stored. Upon opening a logical disk in Windows Explorer, the malicious program launches.

Payload

Once launched, the malicious program creates a unique identifier called "Ap1mutx7" in order to flag its presence in the system.

It attempts to download files from the following links:

http://sagocugenc.sa.funpic.de/images/logos.gif
http://www.eleonuccorini.com/images/logos.gif
http://www.cityofangelsmagazine.com/images/logos.gif
http://www.21yybuyukanadolu.com/images/logos.gif
http://yucelcavdar.com/logos_s.gif
http://www.luster-adv.com/gallery/Fusion/images/logos.gif
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/

The downloaded files are saved to the %Temp% folder and executed.

At the time of writing, the virus downloaded the following malicious programs from the above links:

Backdoor.Win32.Mazben.ah
Backdoor.Win32.Mazben.ax
Trojan.Win32.Agent.didu 

All of these malicious programs were designed to distribute spam.

Apart from downloading files, the virus can modify a range of parameters in the operating system, including the following:

  • disable Task Manager and prevent editing of the system registry by modifying the following registry parameters:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
    "DisableRegistryTools"=dword:00000001
    "DisableTaskMgr"=dword:00000001
  • modify the settings of the Windows Security Center by creating the following registry key parameters:
    [HKLM\SOFTWARE\Microsoft\Security Center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    "UacDisableNotify"=dword:00000001

    [HKLM\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001
    "FirewallDisableNotify"=dword:00000001
    "FirewallOverride"=dword:00000001
    "UacDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
  • ensure that hidden files are not displayed by adding the following parameter to the system registry:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000002
  • It also installs options so the default browser always launches in online mode, adding the following to the system registry:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "GlobalUserOffline"=dword:00000000
  • The program disables UAC (User Account Control) by setting the registry key parameter "EnableLUA" to "0":
    [HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system]
    "EnableLUA"=dword:00000000

    It adds itself to the Windows firewall as an application allowed to access the network. To do so, it saves the following parameter in the registry key:

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "<the path to the virus’s original file>"="<the path to the virus’s original file>:*:Enabled:ipsec"
  • Then it creates registry keys in which it stores its operational data:
    HKCU\Software\<rnd>

    where <rnd> is an arbitrary value.

  • Then the malicious program searches for a file called
    %WinDir%\system.ini

    and adds the following record to it:

    [MCIDRV_VER]
    DEVICEMB=509102504668 (any arbitrary number)
  • It deletes the following registry keys, making it impossible to boot the infected computer in Safe Mode:
    HKLM\System\CurrentControlSet\Control\SafeBoot
    HKCU\System\CurrentControlSet\Control\SafeBoot 

    Deletes *.exe and *.rar files from the current user’s temporary folder:

    %Temp%\

    Searches for files with the following extensions and deletes them:

    "VDB", "KEY", "AVC", "drw"
  • The malicious program uses the driver it has extracted to block all references to domains with URLs containing the following strings:
    upload_virus
    sality-remov
    virusinfo.
    cureit.
    drweb.
    onlinescan.
    spywareinfo.
    ewido.
    virusscan.
    windowsecurity.
    spywareguide.
    bitdefender.
    pandasoftware.
    agnmitum.
    virustotal.
    sophos.
    trendmicro.
    etrust.com
    symantec.
    mcafee.
    f-secure.
    eset.com
    kaspersky
    
  • The program terminates and deletes the following services:
    Agnitum Client Security Service
    ALG
    Amon monitor
    aswUpdSv
    aswMon2 
    aswRdr  
    aswSP   
    aswTdi  
    aswFsBlk    
    acssrv  
    AV Engine   
    avast! iAVS4 Control Service
    avast! Antivirus    
    avast! Mail Scanner 
    avast! Web Scanner  
    avast! Asynchronous Virus Monitor   
    avast! Self Protection  
    AVG E-mail Scanner  
    Avira AntiVir Premium Guard 
    Avira AntiVir Premium WebGuard  
    Avira AntiVir Premium MailGuard 
    avp1    
    BackWeb Plug-in - 4476822   
    bdss    
    BGLiveSvc   
    BlackICE    
    CAISafe 
    ccEvtMgr    
    ccProxy 
    ccSetMgr    
    COMODO Firewall Pro Sandbox Driver  
    cmdGuard    
    cmdAgent    
    Eset Service    
    Eset HTTP Server    
    Eset Personal Firewall  
    F-Prot Antivirus Update Monitor 
    fsbwsys 
    FSDFWD  
    F-Secure Gatekeeper Handler Starter 
    FSMA    
    Google Online Services  
    InoRPC  
    InoRT  
     InoTask 
    ISSVC   
    KPF4   
    KLIF    
    LavasoftFirewall    
    LIVESRV 
    McAfeeFramework 
    McShield    
    McTaskManager   
    navapsvc    
    NOD32krn    
    NPFMntor    
    NSCService  
    Outpost Firewall main module    
    OutpostFirewall 
    PAVFIRES    
    PAVFNSVR    
    PavProt
    PavPrSrv
    PAVSRV  
    PcCtlCom    
    PersonalFirewal 
    PREVSRV 
    ProtoPort Firewall service  
    PSIMSVC 
    RapApp  
    SmcService  
    SNDSrvc 
    SPBBCSvc    
    SpIDer FS Monitor for Windows NT    
    SpIDer Guard File System Monitor    
    SPIDERNT    
    Symantec Core LC    
    Symantec Password Validation    
    Symantec AntiVirus Definition Watcher   
    SavRoam 
    Symantec AntiVirus  
    Tmntsrv 
    TmPfw  
    tmproxy 
    tcpsr   
    UmxAgent    
    UmxCfg  
    UmxLU   
    UmxPol  
    vsmon   
    VSSERV  
    WebrootDesktopFirewallDataService   
    WebrootFirewall 
    XCOMM   
    AVP 
    

The virus also attempts to terminate the processes of various antivirus programs and popular antivirus utilities.
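
The registry changes and the system.ini marker listed under Payload are the easiest artifacts to check for at scale, because a `.reg` export of the keys involved can be reviewed offline. The following is an added example (not code from the original description or from Kaspersky) that parses registry-export text, normalises HKEY_CURRENT_USER/HKEY_LOCAL_MACHINE to the HKCU/HKLM abbreviations the description uses, and reports every value that matches what the text says the virus writes, including a Windows firewall exception labelled `ipsec` and the `[MCIDRV_VER]` / `DEVICEMB` entry in system.ini. The sample export and sample system.ini are constructed inputs, and the file path in the firewall entry is made up.

```python
import configparser
import re

# Registry values the description lists as written by Sality.ag: (key, value name) -> value set.
TAMPERED_DWORDS = {
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system", "DisableRegistryTools"): 1,
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system", "DisableTaskMgr"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "FirewallOverride"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "UacDisableNotify"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Security Center\Svc", "AntiVirusDisableNotify"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Security Center\Svc", "AntiVirusOverride"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Security Center\Svc", "FirewallDisableNotify"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Security Center\Svc", "FirewallOverride"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Security Center\Svc", "UacDisableNotify"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Security Center\Svc", "UpdatesDisableNotify"): 1,
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden"): 2,
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings", "GlobalUserOffline"): 0,
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system", "EnableLUA"): 0,
}
FIREWALL_LIST = (r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters"
                 r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)\s*=\s*(.*)$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse .reg export text into {normalised_key_lower: {value_name: value}}."""
    keys, current = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, sep, rest = line[1:-1].partition("\\")
            current = keys.setdefault((HIVES.get(hive.upper(), hive) + sep + rest).lower(), {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "@"
        data = m.group(2).strip()
        if data.lower().startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = _unescape(data[1:-1])
        else:
            current[name] = data            # hex(...) blobs and the like are kept raw
    return keys


def audit_registry(keys):
    """Values from the description that are present with exactly the value the virus writes."""
    findings = []
    for (path, name), bad in TAMPERED_DWORDS.items():
        if keys.get(path.lower(), {}).get(name) == bad:
            findings.append(f"{path}\\{name} = {bad}")
    for name, data in keys.get(FIREWALL_LIST.lower(), {}).items():
        # The description gives the exception as "<path>:*:Enabled:ipsec".
        if isinstance(data, str) and data.lower().endswith(":*:enabled:ipsec"):
            findings.append(f"firewall exception labelled 'ipsec' for {name}")
    return findings


def has_mcidrv_marker(system_ini_text):
    """True if system.ini carries the [MCIDRV_VER] section with a DEVICEMB entry."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(system_ini_text)
    return cp.has_option("MCIDRV_VER", "DEVICEMB")


# Constructed sample export; the path under AuthorizedApplications\List is made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Temp\\sample.exe"="C:\\Temp\\sample.exe:*:Enabled:ipsec"
"""

# Constructed system.ini carrying the marker the description quotes.
SAMPLE_SYSTEM_INI = """; for 16-bit app support
[drivers]
wave=mmdrv.dll
[MCIDRV_VER]
DEVICEMB=509102504668
"""

if __name__ == "__main__":
    for finding in audit_registry(parse_reg(SAMPLE_REG)):
        print(finding)
    print("system.ini marker:", has_mcidrv_marker(SAMPLE_SYSTEM_INI))
```

Two of the table entries are weak on their own: `EnableLUA = 0` and `GlobalUserOffline = 0` also occur on machines where an administrator or a browser set them, so treat those as corroborating signals next to the Security Center overrides, the `ipsec` firewall exception and the system.ini marker rather than as indicators by themselves.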

Removal instructions

If your computer does not have an up-to-date antivirus program, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Update your Kaspersky Anti-Virus databases and perform a full scan of the computer (download trial version). It may be impossible to delete the malicious program manually: most probably, it has infected a large number of executable files on your computer, all of which require treatment. You can also use the free SalityKiller tool to treat the virus.
  2. Restore the following registry keys as required:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system]
    "EnableLUA" = dword:00000000

    [HKLM\SOFTWARE\Microsoft\Security Center]
    "AntiVirusOverride"=dword:00000000
    "FirewallOverride"=dword:00000001
    "UacDisableNotify"=dword:00000001

    [HKLM\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusDisableNotify"=dword:00000000
    "AntiVirusOverride"=dword:00000000
    "FirewallDisableNotify"=dword:00000000
    "FirewallOverride"=dword:00000000
    "UacDisableNotify"=dword:00000000
    "UpdatesDisableNotify"=dword:00000000

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000002

  3. Delete the following registry keys as required:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
    "DisableRegistryTools"
    "DisableTaskMgr"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "GlobalUserOffline"

  4. Delete the contents of the %Temp% folder.
