Virus.Win32.Sality.gen

by alexander.adamov on April 27th, 2012 in Malware Descriptions.

Detect: Virus.Win32.Sality.gen
Platform: Win32
Type: Virus
Size: The virus body size varies depending on the version
Packer: The archived document is of unknown file type
Language: C++ 

Summary

It is a malicious program which infects files on the PC.

Technical Details

Payload

Once launched, the malware creates unique identifiers named "Op1mutx9", "uxJLpe1m" and "Ap1mutx7" to ensure that only one instance of its process is running. For each infected file, it creates in-memory objects with the following names:

purity_control_<numeric_index>

The malware then creates a copy of its original process in a separate thread. It changes the following OS settings:

  • Disables the display of hidden files by adding the following parameter to the system registry key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]

"Hidden"=dword:00000002

  • Disables the Task Manager and the ability to edit the system registry by setting the following parameters in the registry key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]

"DisableRegistryTools"=dword:00000001

"DisableTaskMgr"=dword:00000001

  • Sets the default browser to start in online mode by adding the following parameter to the system registry key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

"GlobalUserOffline"=dword:00000000

  • Disables UAC (User Account Control) by setting the "EnableLUA" parameter to "0" in the registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system]

"EnableLUA"=dword:00000000

  • Changes the Security Center settings to disable all of its notifications and components by setting the following parameters in the system registry keys:

[HKLM\Software\Microsoft\Security Center]

"FirstRunDisabled"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"UacDisableNotify"=dword:00000001

 

[HKLM\Software\Microsoft\Security Center\Svc]

"AntiVirusOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"UacDisableNotify"=dword:00000001

  • Adds itself to the Windows Firewall exception list by saving the following parameter in the registry key:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"<original_malware_file_path>"="<original_malware_file_path>:*:Enabled:ipsec"

In addition, the malware disables the Windows Firewall:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall"=dword:00000000

"DoNotAllowExceptions"=dword:00000000

"DisableNotifications"=dword:00000001

Depending on the user name, it generates a registry subkey name, for example "Asgyubgxsigxe". If the user name is less than 2 characters long, the malware appends the string "monga_bonga". It then creates the following registry keys, where it stores its service information:

[HKCU\Software\<encrypted_user_name>\<random_number>]

[HKCU\Software\<encrypted_user_name>]

"A<X>_<Z>"="rnd"

where

X is a decimal number;

Z is a number from 0 to 903;

rnd is a random number.

Then, it searches for the following file:

%WinDir%\system.ini

and adds the following record to it:

[MCIDRV_VER]

DEVICEMB=<random_number>

The malware then extracts a file from its body and saves it under a random name in the system directory:

%System%\drivers\<rnd2>.sys

where rnd2 is a sequence of random lowercase letters of the Latin alphabet, for example "knlphj" or "mgpgjg". Depending on the malware version, the extracted driver is run as a service with one of the following names:

asc3360pr

amsint32
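The registry changes, the per-user configuration key with its "A<X>_<Z>" values, and the driver service names listed above can all be checked offline from a registry export. The following script is an added example and is not part of the original description: it parses a .reg file (the text format written by reg export) and reports which of the listed indicators are present. The embedded export is constructed for the example; the way the description is applied (hive names normalized, key and value names compared case-insensitively, the config key recognized by its "A<X>_<Z>" values) is my assumption.

```python
import re

# Registry values the description above lists as written by the virus:
# key path -> {value name: DWORD data}. Paths use the abbreviated hive names
# from the page; parse_reg() maps the long names in a .reg export to them.
SECURITY_CENTER = {"AntiVirusDisableNotify": 1, "FirewallDisableNotify": 1, "UpdatesDisableNotify": 1,
                   "AntiVirusOverride": 1, "FirewallOverride": 1, "UacDisableNotify": 1}
SALITY_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {"Hidden": 2},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system": {"DisableRegistryTools": 1, "DisableTaskMgr": 1},
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system": {"EnableLUA": 0},
    r"HKLM\Software\Microsoft\Security Center": SECURITY_CENTER,
    r"HKLM\Software\Microsoft\Security Center\Svc": SECURITY_CENTER,
    r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile":
        {"EnableFirewall": 0, "DisableNotifications": 1},
}
SERVICES_KEY = "hklm\\system\\currentcontrolset\\services\\"
FW_LIST_KEY = SERVICES_KEY + "sharedaccess\\parameters\\firewallpolicy\\standardprofile\\authorizedapplications\\list"
DRIVER_SERVICES = {"asc3360pr", "amsint32"}                   # service names used for the dropped driver
CONFIG_VALUE_RE = re.compile(r"^A\d+_\d+$", re.IGNORECASE)  # "A<X>_<Z>" values under HKCU\Software\<name>

HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.+)$')

def unescape(s):
    """Undo the backslash and quote escaping used in .reg files."""
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text):
    """Return {lower-cased key path: {value name: raw data}} from .reg text."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            hive, _, rest = m.group(1).partition("\\")
            current = (HIVES.get(hive.upper(), hive) + "\\" + rest).lower()
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current][unescape(m.group(1))] = m.group(2)
    return entries

def dword(raw):
    return int(raw[6:], 16) if raw.lower().startswith("dword:") else None

def string(raw):
    return unescape(raw[1:-1]) if len(raw) >= 2 and raw[0] == raw[-1] == '"' else None

def lookup(values, name):
    """Case-insensitive value lookup, matching the registry's own semantics."""
    return next((raw for n, raw in values.items() if n.lower() == name.lower()), None)

def find_indicators(reg_text):
    """Return a list of human-readable hits for the indicators described above."""
    entries = parse_reg(reg_text)
    hits = []
    for key, names in SALITY_VALUES.items():
        values = entries.get(key.lower(), {})
        for name, expected in names.items():
            raw = lookup(values, name)
            if raw is not None and dword(raw) == expected:
                hits.append(f"value {key}\\{name}={expected}")
    for key, values in entries.items():
        if key.startswith(SERVICES_KEY):                 # driver registered as a service
            svc = key[len(SERVICES_KEY):].split("\\")[0]
            if svc in DRIVER_SERVICES:
                hits.append(f"service {svc}")
        if key.startswith("hkcu\\software\\") and any(CONFIG_VALUE_RE.match(n) for n in values):
            hits.append(f"config store {key}")          # HKCU\Software\<name> holding A<X>_<Z> values
        if key == FW_LIST_KEY:                           # "<path>"="<path>:*:Enabled:ipsec"
            for name, raw in values.items():
                if (string(raw) or "").lower() == (name + ":*:Enabled:ipsec").lower():
                    hits.append(f"firewall exception {name}")
    return hits

# Constructed sample export (not taken from a real system) carrying several indicators.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Asgyubgxsigxe]
"A3_517"="4f2a91c0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32]
"Type"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\knlphj.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\user\\sample.exe"="C:\\Documents and Settings\\user\\sample.exe:*:Enabled:ipsec"
"""

if __name__ == "__main__":
    import sys
    # reg export writes UTF-16; without an argument the constructed sample is scanned
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for hit in find_indicators(text):
        print(hit)
```

Run it against the constructed sample and it reports eight hits: the five DWORD values, the amsint32 service key, the config store under HKCU\Software\Asgyubgxsigxe, and the firewall exception. A hit on a single Security Center or firewall value is weak on its own, since administrators set some of them legitimately; the combination with the service key and the config store is what makes the picture consistent with this description.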

Then, the malware cyclically performs the following actions in separate threads:

  • Disables safe mode at startup by deleting the "AlternateShell" parameter from the registry key:

[HKLM\System\CurrentControlSet\Control\SafeBoot]

In addition, it removes the following keys together with all their subkeys and parameters:

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal]

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network]

  • Deletes files with the "exe" and "rar" extensions from the current user's temporary folder:

%Temp%\

  • Tries to download files from the following URLs:

http://89.119.67.154/testo5/?<rnd>=<rnd1>

http://kukutrustnet777.info/home.gif?<rnd>=<rnd1>

http://kukutrustnet888.info/home.gif?<rnd>=<rnd1>

http://kukutrustnet987.info/home.gif?<rnd>=<rnd1>

http://www.kjwre9fqwieluoi.info/?<rnd>=<rnd1>

http://pelcpawel.fm.interia.pl/logos.gif

http://chicostara.com/logof.gif

http://suewyllie.com/images/logos.gif

http://dewpoint-eg.com/images/logosa.gif

http://www.ceylanogullari.com/logof.gif

http://www.bluecubecreatives.com/logos.gif

http://724hizmetgrup.com/images/logosa.gif

http://yavuztuncil.ya.funpic.de/images/logos.gif

http://cevatpasa.com/images/logos.gif

http://173.193.19.14/logo.gif

http://sagocugenc.sa.funpic.de/images/logos.gif

http://www.eleonuccorini.com/images/logos.gif

http://www.cityofangelsmagazine.com/images/logos.gif

http://www.21yybuyukanadolu.com/images/logos.gif

http://yucelcavdar.com/logos_s.gif

http://www.luster-adv.com/gallery/Fusion/images/logos.gif

where rnd is a random alphanumeric sequence and rnd1 is a random numeric sequence.

If the download succeeds, the files are saved under the following names:

%Temp%\<rnd>.exe

%Temp%\win<rnd>.exe

where rnd is a sequence of 4 random letters of the Latin alphabet. Each downloaded file is then launched for execution.

  • Adds/removes services with the following names:

AVP

Agnitum Client Security Service

ALG

Amon monitor

aswUpdSv

aswMon2

aswRdr

aswSP

aswTdi

aswFsBlk

acssrv

AV Engine

avast! iAVS4 Control Service

avast! Antivirus

avast! Mail Scanner

avast! Web Scanner

avast! Asynchronous Virus Monitor

avast! Self Protection

AVG E-mail Scanner

Avira AntiVir Premium Guard

Avira AntiVir Premium WebGuard

Avira AntiVir Premium MailGuard

BackWebPlug-in-4476822

bdss

BGLiveSvc

BlackICE

CAISafe

ccEvtMgr

ccProxy

ccSetMgr

COMODO Firewall Pro Sandbox Driver

cmdGuard

cmdAgent

Eset Service

Eset HTTP Server

Eset Personal Firewall

F-Prot Antivirus Update Monitor

fsbwsys

FSDFWD

F-Secure Gatekeeper Handler Starter

FSMA

Google Online Services

InoRPC


InoRT

InoTask

ISSVC

KPF4

KLIF

LavasoftFirewall

LIVESRV

McAfeeFramework

McShield

McTaskManager

MpsSvc

navapsvc

NOD32krn

NPFMntor

NSCService

Outpost Firewall main module

OutpostFirewall

PAVFIRES

PAVFNSVR

PavProt

PavPrSrv

PAVSRV

PcCtlCom

PersonalFirewal

PREVSRV

ProtoPort Firewall service

PSIMSVC

RapApp

SharedAccess

SmcService

SNDSrvc

SPBBCSvc

SpIDer FS Monitor for Windows NT

SpIDer Guard File System Monitor

SPIDERNT

Symantec Core LC

Symantec Password Validation

Symantec AntiVirus Definition Watcher

SavRoam

Symantec AntiVirus

Tmntsrv

TmPfw

UmxAgent

UmxCfg

UmxLU

UmxPol

vsmon

VSSERV

WebrootDesktopFirewallDataService

WebrootFirewall

wscsvc

XCOMM

  • Terminates processes whose names contain the following strings:

_AVPM.

A2GUARD.

AAVSHIELD.

AVAST

ADVCHK.

AHNSD.

AIRDEFENSE

ALERTSVC

ALOGSERV

ALSVC.

AMON.

ANTI-TROJAN.

AVZ.

ANTIVIR

APVXDWIN.

ARMOR2NET.

ASHAVAST.

ASHDISP.

ASHENHCD.

ASHMAISV.

ASHPOPWZ.

ASHSERV.

ASHSIMPL.

ASHSKPCK.

ASHWEBSV.

ASWUPDSV.

ATCON.

ATUPDATER.

ATWATCH.

AVCIMAN.

AVCONSOL.

AVENGINE.

AVESVC.

AVGAMSVR.

AVGCC.

AVGCC32.

AVGCTRL.

AVGEMC.

AVGFWSRV.

AVGNT.

AVGNTDD

AVGNTMGR

AVGSERV.

AVGUARD.

AVGUPSVC.

AVINITNT.

AVKSERV.

AVKSERVICE.

AVKWCTL.

AVP.

AVP32.

AVPCC.

AVPM.

AVAST

AVSERVER.

AVSCHED32.

AVSYNMGR.

AVWUPD32.

AVWUPSRV.

AVXMONITOR9X.

AVXMONITORNT.

AVXQUAR.

BDMCON.

BDNEWS.

BDSUBMIT.

BDSWITCH.

BLACKD.

BLACKICE.

CAFIX.

CCAPP.

CCEVTMGR.

CCPROXY.

CCSETMGR.

CFIAUDIT.

CLAMTRAY.

CLAMWIN.

CLAW95.

CUREIT

DEFWATCH.

DRVIRUS.

DRWADINS.

DRWEB32W.

DRWEBSCD.

DRWEBUPW.

DWEBLLIO

DWEBIO

ESCANH95.

ESCANHNT.

EWIDOCTRL.

EZANTIVIRUSREGISTRATIONCHECK.

F-AGNT95.

FAMEH32.

FILEMON

FIRESVC.

FIRETRAY.

FIREWALL.

FPAVUPDM.

F-PROT95.

FRESHCLAM.

EKRN.

FSAV32.

FSAVGUI.

FSBWSYS.

F-SCHED.

FSDFWD.

FSGK32.

FSGK32ST.

FSGUIEXE.

FSMA32.

FSMB32.

FSPEX.

FSSM32.

F-STOPW.

GCASDTSERV.

GCASSERV.

GIANTANTISPYWAREMAIN.

GIANTANTISPYWAREUPDATER.

GUARDGUI.

GUARDNT.

HREGMON.

HRRES.

HSOCKPE.

HUPDATE.

IAMAPP.

IAMSERV.

ICLOAD95.

ICLOADNT.

ICMON.

ICSSUPPNT.

ICSUPP95.

ICSUPPNT.

IFACE.

INETUPD.

INOCIT.

INORPC.

INORT.

INOTASK.

INOUPTNG.

IOMON98.

ISAFE.

ISATRAY.

ISRV95.

ISSVC.

KAV.

KAVMM.

KAVPF.

KAVPFW.

KAVSTART.

KAVSVC.

KAVSVCUI.

KMAILMON.

KPFWSVC.

MCAGENT.

MCMNHDLR.

MCREGWIZ.

MCUPDATE.

MCVSSHLD.

MINILOG.

MYAGTSVC.

MYAGTTRY.

NAVAPSVC.

NAVAPW32.

NAVLU32.

NAVW32.

NEOWATCHLOG.

NEOWATCHTRAY.

NISSERV

NISUM.

NMAIN.

NOD32

NORMIST.

NOTSTART.

NPAVTRAY.

NPFMNTOR.

NPFMSG.

NPROTECT.

NSCHED32.

NSMDTR.

NSSSERV.

NSSTRAY.

NTRTSCAN.

NTOS.

NTXCONFIG.

NUPGRADE.

NVCOD.

NVCTE.

NVCUT.

NWSERVICE.

OFCPFWSVC.

OUTPOST

OP_MON.

PAVFIRES.

PAVFNSVR.

PAVKRE.

PAVPROT.

PAVPROXY.

PAVPRSRV.

PAVSRV51.

PAVSS.

PCCGUIDE.

PCCIOMON.

PCCNTMON.

PCCPFW.

PCCTLCOM.

PCTAV.

PERSFW.

PERTSK.

PERVAC.

PNMSRV.

POP3TRAP.

POPROXY.

PREVSRV.

QHM32.

QHONLINE.

QHONSVC.

QHPF.

QHWSCSVC.

RAVMON.

RAVTIMER.

AVGNT

AVCENTER.

RFWMAIN.

RTVSCAN.

RTVSCN95.

RULAUNCH.

SALITY

SAVADMINSERVICE.

SAVMAIN.

SAVPROGRESS.

SAVSCAN.

SCANNINGPROCESS.

CUREIT

SDHELP.

SHSTAT.

SITECLI.

SPBBCSVC.

SPHINX.

SPIDERCPL.

SPIDERML.

SPIDERNT.

SPIDERUI.

SPYBOTSD.

SPYXX.

SS3EDIT.

STOPSIGNAV.

SWAGENT.

SWDOCTOR.

SWNETSUP.

SYMLCSVC.

SYMPROXYSVC.

SYMSPORT.

SYMWSC.

SYNMGR.

TAUMON.

TBMON.

AVAST

TFAK.

THAV.

THSM.

TMAS.

TMLISTEN.

TMNTSRV.

TMPFW.

TMPROXY.

TNBUTIL.

TRJSCAN.

UP2DATE.

VBA32ECM.

VBA32IFS.

VBA32LDR.

VBA32PP3.

VBSNTW.

VCHK.

VCRMON.

VETTRAY.

VIRUSKEEPER.

VPTRAY.

VRFWSVC.

VRMONNT.

VRMONSVC.

VRRW32.

VSECOMR.

VSHWIN32.

VSMON.

VSSERV.

VSSTAT.

WATCHDOG.

WEBPROXY.

WEBSCANX.

WEBTRAP.

WGFE95.

WINAW32.

WINROUTE.

WINSS.

WINSSNOTIFY.

WRCTRL.

XCOMMSVR.

ZAUINST

ZLCLIENT

ZONEALARM

  • Searches for windows with the text "dr.web" or "cureit" and terminates the processes that created these windows.
  • Searches for files with the extensions "VDB", "KEY", "AVC" and "drw" and deletes them.

Using the extracted driver, the malware blocks requests to servers whose addresses contain the following strings:

upload_virus

sality-remov

virusinfo.

cureit.

drweb.

onlinescan.

spywareinfo.

ewido.

virusscan.

windowsecurity.

spywareguide.

bitdefender.

pandasoftware.

agnitum.

virustotal.

sophos.

trendmicro.

etrust.com

symantec.

mcafee.

f-secure.

eset.com

kaspersky

File Infection

The malware infects Windows (PE-EXE) executable files with the following extensions:

EXE

SCR

The virus does not infect files whose size is in the range of 512 – 20971520 bytes. Only files whose PE section table contains the following sections are infected:

TEXT

UPX

CODE

During infection, the virus expands the last section of the PE file and writes its body to the end of that section. The search for files to infect covers all partitions of the hard drive. Once an infected file is launched, the malware copies its original, uninfected body to a newly created temporary folder under the following name:

%Temp%\<rnd>__Rar\<name of executable file>.exe
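The infection criteria above (file size, required section names, body appended to the last section) are all visible in the PE section table. The following script is an added example, not part of the original description: it parses the section table of a PE file and reports the facts an analyst would compare against those criteria, including the last section's name and flags and any bytes lying beyond the last section. The build_pe helper and the two sample images are constructed for the example; matching section names by prefix (".text" as TEXT, "UPX0"/"UPX1" as UPX) and treating a writable and executable last section as worth a closer look are my assumptions, not rules from the description.

```python
import struct

SCN_CNT_CODE, SCN_CNT_INIT_DATA = 0x20, 0x40
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"              # IMAGE_SECTION_HEADER, 40 bytes
# Section names the description above lists as required for infection;
# prefix matching is my assumption (".text" -> TEXT, "UPX0"/"UPX1" -> UPX).
TARGET_PREFIXES = ("TEXT", "UPX", "CODE")

def parse_sections(data):
    """Walk MZ header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rsize, "raw_ptr": rptr, "chars": chars})
    return sections

def triage(data):
    """Facts an analyst would check against the infection criteria above."""
    sections = parse_sections(data)
    if not sections:
        raise ValueError("no sections")
    last = sections[-1]
    end_of_data = max(s["raw_ptr"] + s["raw_size"] for s in sections)
    return {
        "size": len(data),
        "sections": [s["name"] for s in sections],
        "has_target_section": any(s["name"].lstrip(".").upper().startswith(TARGET_PREFIXES) for s in sections),
        "last_section": last["name"],
        # Code appended to the last section must be executable there; a last section that is
        # both writable and executable is a cheap heuristic for closer inspection, not proof.
        "last_section_exec_write": bool(last["chars"] & SCN_MEM_EXECUTE and last["chars"] & SCN_MEM_WRITE),
        "overlay_bytes": len(data) - end_of_data,
    }

def build_pe(sections):
    """Build a minimal, non-runnable PE image from (name, raw size, characteristics)
    tuples: MZ stub, PE signature, COFF header, no optional header, section table,
    zero-filled section data. Constructed for this example only."""
    e_lfanew = 0x40
    table_off = e_lfanew + 24
    raw_off = (table_off + 40 * len(sections) + 0x1FF) & ~0x1FF   # 512-byte file alignment
    table, raw, va = b"", b"", 0x1000
    for name, size, chars in sections:
        table += struct.pack(SECTION_FMT, name.encode(), size, va, size, raw_off + len(raw), 0, 0, 0, 0, chars)
        raw += bytes(size)
        va += (size + 0xFFF) & ~0xFFF
    head = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    head += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    return (head + table).ljust(raw_off, b"\0") + raw

# Constructed samples: a typical layout, and one whose last section is readable, writable and executable.
CLEAN_PE = build_pe([(".text", 0x400, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
                     (".data", 0x200, SCN_CNT_INIT_DATA | SCN_MEM_READ | SCN_MEM_WRITE),
                     (".rsrc", 0x200, SCN_CNT_INIT_DATA | SCN_MEM_READ)])
SUSPECT_PE = build_pe([(".text", 0x400, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
                       (".rsrc", 0x600, SCN_CNT_INIT_DATA | SCN_MEM_READ | SCN_MEM_WRITE | SCN_MEM_EXECUTE)])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SUSPECT_PE
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

Passing a real EXE or SCR path on the command line prints the same fields for that file. The parser reads only the headers it needs and raises on anything that is not a PE image, so it is safe to run over a directory of unknown files while cataloguing which of them match the section criteria stated above.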

Autorun

To run its original file, the malware creates a hidden file in the root of every logical drive:

<X>:\autorun.inf

in which it saves commands to run the malware file. Opening a logical drive in Windows Explorer then automatically runs the malware.

Removal Recommendations

If you have not used any antivirus program to protect your computer from viruses and it gets infected with this malicious program, follow the steps listed below to remove it:

  1. Using Task Manager (How to End a Process with the Task Manager), terminate the processes.
  2. Delete the original Trojan file (its file name and location depend on the way the Trojan originally penetrated the user's computer).
  3. Delete the registry key (How to Work with System Registry):

     [HKCU\Software\<rnd5>]

     where rnd5 are random letters of the Latin alphabet.
  4. Delete the parameters in the following registry keys (How to Work with System Registry):

     [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]

     "Hidden"=dword:00000002

     [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

     "<path_to_original_malware_file>"="<path_to_original_malware_file>:*:Enabled:ipsec"

     [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]

     "DisableRegistryTools"=dword:00000001

     "DisableTaskMgr"=dword:00000001
  5. Set the value "0" for the following parameters in the registry keys (How to Work with System Registry):

     [HKLM\Software\Microsoft\Security Center]

     "FirstRunDisabled"=dword:00000001

     "AntiVirusDisableNotify"=dword:00000001

     "FirewallDisableNotify"=dword:00000001

     "UpdatesDisableNotify"=dword:00000001

     "AntiVirusOverride"=dword:00000001

     "FirewallOverride"=dword:00000001

     "UacDisableNotify"=dword:00000001

     [HKLM\Software\Microsoft\Security Center\Svc]

     "AntiVirusOverride"=dword:00000001

     "AntiVirusDisableNotify"=dword:00000001

     "FirewallDisableNotify"=dword:00000001

     "FirewallOverride"=dword:00000001

     "UpdatesDisableNotify"=dword:00000001

     "UacDisableNotify"=dword:00000001
  6. Enable UAC (User Account Control), if required:

     [HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system]

     "EnableLUA"=dword:00000001
  7. Restore the services stopped by the malware.
  8. Clean up the contents of the folder:

     %Temp%\
  9. Delete the files:

     <X>:\autorun.inf

     where <X> is the letter of a logical drive.
  10. Restore the Windows Firewall, if required.