Win32/Sality [Threat Name]

Win32/Sality.NAR [Threat Variant Name]

Category virus
Detection created Jul 14, 2008
Signature database version 10688
Aliases Virus.Win32.Sality.aa (Kaspersky)
  Virus:Win32/Sality.AM (Microsoft)
  W32/Sality.ah (McAfee)
Short description

Win32/Sality.NAR is a polymorphic file infector.

Installation

When executed, the virus drops the following file into the %system%\drivers\ folder:

  • %variable%.sys (5509 B)

%variable% represents random text.


The following files are dropped into the %temp% folder:

  • %variableA%.exe (7680 B)
  • %variableB%.exe (8192 B)

%variableA%, %variableB% represent random text. The files are then executed.


The virus registers itself as a system service using the following name:

  • IPFILTERDRIVER

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\%username%914]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%filename%" = "%filename%:*:Enabled:ipsec"

This Registry entry creates an exception for the file in the Windows Firewall.


The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "GlobalUserOffline" = 0
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system]
    • "EnableLUA" = 0

The following Registry entries are deleted:

  • [HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\Stats]
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
  • [HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot]
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot]

Executable file infection

Win32/Sality.NAR is a polymorphic file infector.


The virus searches local and network drives for files with one of the following extensions:

  • .exe

Files are infected by adding a new section that contains the virus. The host file is modified in a way that causes the virus to be executed prior to running the original code. The virus infects files referenced by the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]

This causes the virus to be executed on every system start.
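
A triage check for the infection style described above, added here as an example and not ESET's code: it walks the PE headers by hand and flags an executable whose entry point falls in the last section rather than in the compiler's code section. The sample images are constructed header-only PE32 layouts (the section name ".added" is a placeholder), and the check is a heuristic only, since some packers produce the same layout.

```python
import struct

def entry_section(pe):
    """Walk the PE headers by hand and return (index of the section holding the entry
    point, number of sections, section names); index is None if no section contains it."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    entry = struct.unpack_from("<I", pe, e_lfanew + 40)[0]      # AddressOfEntryPoint (RVA)
    names, hit = [], None
    for i in range(nsec):
        off = e_lfanew + 24 + opt_size + 40 * i                 # section table follows the optional header
        names.append(pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
        vsize, va = struct.unpack_from("<II", pe, off + 8)
        if va <= entry < va + max(vsize, 1):
            hit = i
    return hit, nsec, names

def looks_like_appended_infection(pe):
    """Heuristic for the infection style described above: the entry point sits in the
    last section and that section is not the compiler's code section. Packers can
    produce the same layout, so a hit is a lead for a scan, not a verdict."""
    hit, nsec, names = entry_section(pe)
    return nsec > 1 and hit == nsec - 1 and names[hit] != ".text"

def build_pe(entry_rva, sections):
    """Construct a header-only PE32 image for testing (constructed, not a real binary).
    sections: list of (name, virtual_address, virtual_size)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, 0, 0, 0, 0, 0, 0, 0x60000020)
                     for n, va, vs in sections)
    return dos + coff + opt + table

# Constructed samples: a clean layout, and one with an extra section that now owns the entry point.
CLEAN = build_pe(0x1000, [(".text", 0x1000, 0x2000), (".data", 0x3000, 0x1000)])
INFECTED = build_pe(0x4100, [(".text", 0x1000, 0x2000), (".data", 0x3000, 0x1000), (".added", 0x4000, 0x800)])
```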

Spreading on removable media

The virus copies itself into the root folders of removable drives using a random filename.


The filename has one of the following extensions:

  • .exe
  • .pif
  • .cmd

The following file is dropped in the same folder:

  • autorun.inf

Thus, the virus ensures it is started each time infected media is inserted into the computer.

Other information

The following files are deleted:

  • *.vdb
  • *.avc
  • *drw*.key

The following services are disabled:

  • Agnitum Client Security Service
  • ALG
  • aswUpdSv
  • avast! Antivirus
  • avast! Mail Scanner
  • avast! Web Scanner
  • BackWeb Plug-in - 4476822
  • bdss
  • BGLiveSvc
  • BlackICE
  • CAISafe
  • ccEvtMgr
  • ccProxy
  • ccSetMgr
  • Eset Service
  • F-Prot Antivirus Update Monitor
  • fsbwsys
  • FSDFWD
  • F-Secure Gatekeeper Handler Starter
  • fshttps
  • FSMA
  • InoRPC
  • InoRT
  • InoTask
  • ISSVC
  • KPF4
  • LavasoftFirewall
  • LIVESRV
  • McAfeeFramework
  • McShield
  • McTaskManager
  • navapsvc
  • NOD32krn
  • NPFMntor
  • NSCService
  • Outpost Firewall main module
  • OutpostFirewall
  • PAVFIRES
  • PAVFNSVR
  • PavProt
  • PavPrSrv
  • PAVSRV
  • PcCtlCom
  • PersonalFirewal
  • PREVSRV
  • ProtoPort Firewall service
  • PSIMSVC
  • RapApp
  • SmcService
  • SNDSrvc
  • SPBBCSvc
  • Symantec Core LC
  • Tmntsrv
  • TmPfw
  • tmproxy
  • UmxAgent
  • UmxCfg
  • UmxLU
  • UmxPol
  • vsmon
  • VSSERV
  • WebrootDesktopFirewallDataService
  • WebrootFirewall
  • XCOMM
  • AVP

The virus terminates processes with any of the following strings in the name:

  • _AVPM.
  • A2GUARD.
  • AAVSHIELD.
  • AVAST
  • ADVCHK.
  • AHNSD.
  • AIRDEFENSE
  • ALERTSVC
  • ALMON.
  • ALOGSERV
  • ALSVC.
  • AMON.
  • ANTI-TROJAN.
  • AVZ.
  • ANTIVIR
  • ANTS.
  • APVXDWIN.
  • ARMOR2NET.
  • ASHAVAST.
  • ASHDISP.
  • ASHENHCD.
  • ASHMAISV.
  • ASHPOPWZ.
  • ASHSERV.
  • ASHSIMPL.
  • ASHSKPCK.
  • ASHWEBSV.
  • ASWUPDSV.
  • ATCON.
  • ATUPDATER.
  • ATWATCH.
  • AUPDATE.
  • AUTODOWN.
  • AUTOTRACE.
  • AUTOUPDATE.
  • AVCIMAN.
  • AVCONSOL.
  • AVENGINE.
  • AVGAMSVR.
  • AVGCC.
  • AVGCC32.
  • AVGCTRL.
  • AVGEMC.
  • AVGFWSRV.
  • AVGNT.
  • AVGNTDD
  • AVGNTMGR
  • AVGSERV.
  • AVGUARD.
  • AVGUPSVC.
  • AVINITNT.
  • AVKSERV.
  • AVKSERVICE.
  • AVKWCTL.
  • AVP.
  • AVP32.
  • AVPCC.
  • AVPM.
  • AVAST
  • AVSCHED32.
  • AVSYNMGR.
  • AVWUPD32.
  • AVWUPSRV.
  • AVXMONITOR9X.
  • AVXMONITORNT.
  • AVXQUAR.
  • BACKWEB-4476822.
  • BDMCON.
  • BDNEWS.
  • BDOESRV.
  • BDSS.
  • BDSUBMIT.
  • BDSWITCH.
  • BLACKD.
  • BLACKICE.
  • CAFIX.
  • CCAPP.
  • CCEVTMGR.
  • CCPROXY.
  • CCSETMGR.
  • CFIAUDIT.
  • CLAMTRAY.
  • CLAMWIN.
  • CLAW95.
  • CLAW95CF.
  • CLEANER.
  • CLEANER3.
  • CLISVC.
  • CMGRDIAN.
  • CUREIT
  • DEFWATCH.
  • DOORS.
  • DRVIRUS.
  • DRWADINS.
  • DRWEB32W.
  • DRWEBSCD.
  • DRWEBUPW.
  • ESCANH95.
  • ESCANHNT.
  • EWIDOCTRL.
  • EZANTIVIRUSREGISTRATIONCHECK.
  • F-AGNT95.
  • FAMEH32.
  • FAST.
  • FCH32.
  • FILEMON
  • FIRESVC.
  • FIRETRAY.
  • FIREWALL.
  • FPAVUPDM.
  • F-PROT95.
  • FRESHCLAM.
  • EKRN.
  • FSAV32.
  • FSAVGUI.
  • FSBWSYS.
  • F-SCHED.
  • FSDFWD.
  • FSGK32.
  • FSGK32ST.
  • FSGUIEXE.
  • EGUI.
  • FSMA32.
  • FSMB32.
  • FSPEX.
  • FSSM32.
  • F-STOPW.
  • GCASDTSERV.
  • GCASSERV.
  • GIANTANTISPYWAREMAIN.
  • GIANTANTISPYWAREUPDATER.
  • GUARDGUI.
  • GUARDNT.
  • HREGMON.
  • HRRES.
  • HSOCKPE.
  • HUPDATE.
  • IAMAPP.
  • IAMSERV.
  • ICLOAD95.
  • ICLOADNT.
  • ICMON.
  • ICSSUPPNT.
  • ICSUPP95.
  • ICSUPPNT.
  • IFACE.
  • INETUPD.
  • INOCIT.
  • INORPC.
  • INORT.
  • INOTASK.
  • INOUPTNG.
  • IOMON98.
  • ISAFE.
  • ISATRAY.
  • ISRV95.
  • ISSVC.
  • KAV.
  • KAVMM.
  • KAVPF.
  • KAVPFW.
  • KAVSTART.
  • KAVSVC.
  • KAVSVCUI.
  • KMAILMON.
  • KPFWSVC.
  • KWATCH.
  • LOCKDOWN2000.
  • LOGWATNT.
  • LUALL.
  • LUCOMSERVER.
  • LUUPDATE.
  • MCAGENT.
  • MCMNHDLR.
  • MCREGWIZ.
  • MCUPDATE.
  • MCVSSHLD.
  • MINILOG.
  • MYAGTSVC.
  • MYAGTTRY.
  • NAVAPSVC.
  • NAVAPW32.
  • NAVLU32.
  • NAVW32.
  • NOD32.
  • NEOWATCHLOG.
  • NEOWATCHTRAY.
  • NISSERV
  • NISUM.
  • NMAIN.
  • NOD32
  • NORMIST.
  • NOTSTART.
  • NPAVTRAY.
  • NPFMNTOR.
  • NPFMSG.
  • NPROTECT.
  • NSCHED32.
  • NSMDTR.
  • NSSSERV.
  • NSSTRAY.
  • NTRTSCAN.
  • NTXCONFIG.
  • NUPGRADE.
  • NVC95.
  • NVCOD.
  • NVCTE.
  • NVCUT.
  • NWSERVICE.
  • OFCPFWSVC.
  • OUTPOST.
  • PAV.
  • PAVFIRES.
  • PAVFNSVR.
  • PAVKRE.
  • PAVPROT.
  • PAVPROXY.
  • PAVPRSRV.
  • PAVSRV51.
  • PAVSS.
  • PCCGUIDE.
  • PCCIOMON.
  • PCCNTMON.
  • PCCPFW.
  • PCCTLCOM.
  • PCTAV.
  • PERSFW.
  • PERTSK.
  • PERVAC.
  • PNMSRV.
  • POP3TRAP.
  • POPROXY.
  • PREVSRV.
  • PSIMSVC.
  • QHM32.
  • QHONLINE.
  • QHONSVC.
  • QHPF.
  • QHWSCSVC.
  • RAVMON.
  • RAVTIMER.
  • REALMON.
  • REALMON95.
  • RFWMAIN.
  • RTVSCAN.
  • RTVSCN95.
  • RULAUNCH.
  • SAVADMINSERVICE.
  • SAVMAIN.
  • SAVPROGRESS.
  • SAVSCAN.
  • SCAN32.
  • SCANNINGPROCESS.
  • CUREIT.
  • SDHELP.
  • SHSTAT.
  • SITECLI.
  • SPBBCSVC.
  • SPHINX.
  • SPIDERML.
  • SPIDERNT.
  • SPIDERUI.
  • SPYBOTSD.
  • SPYXX.
  • SS3EDIT.
  • STOPSIGNAV.
  • SWAGENT.
  • SWDOCTOR.
  • SWNETSUP.
  • SYMLCSVC.
  • SYMPROXYSVC.
  • SYMSPORT.
  • SYMWSC.
  • SYNMGR.
  • TAUMON.
  • TBMON.
  • AVAST
  • TDS-3.
  • TEATIMER.
  • TFAK.
  • THAV.
  • THSM.
  • TMAS.
  • TMLISTEN.
  • TMNTSRV.
  • TMPFW.
  • TMPROXY.
  • TNBUTIL.
  • TRJSCAN.
  • UP2DATE.
  • VBA32ECM.
  • VBA32IFS.
  • VBA32LDR.
  • VBA32PP3.
  • VBSNTW.
  • VCHK.
  • VCRMON.
  • VETTRAY.
  • VIRUSKEEPER.
  • VPTRAY.
  • VRFWSVC.
  • VRMONNT.
  • VRMONSVC.
  • VRRW32.
  • VSECOMR.
  • VSHWIN32.
  • VSMON.
  • VSSERV.
  • VSSTAT.
  • WATCHDOG.
  • WEBPROXY.
  • WEBSCANX.
  • WEBTRAP.
  • WGFE95.
  • WINAW32.
  • WINROUTE.
  • WINSS.
  • WINSSNOTIFY.
  • WRADMIN.
  • WRCTRL.
  • XCOMMSVR.
  • ZATUTOR.
  • ZAUINST.
  • ZLCLIENT.
  • ZONEALARM.

The virus contains a list of URLs.


It tries to download several files from the addresses.


These are stored in the following locations:

  • %temp%\win%variable%.exe
  • %temp%\%variable%.exe

%variable% represents random text.


The files are then executed.


The virus creates and runs a new thread with its own program code within the following processes:

  • %system%\notepad.exe
  • %system%\winmine.exe

The virus modifies the following file:

  • SYSTEM.INI

The virus writes the following entries to the file:

  • [MCIDRV_VER]
    • DEVICEMB=%number%

The %number% represents a random number.
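
The Registry changes listed under Installation and the SYSTEM.INI marker above can be checked offline from a .reg export and a copy of SYSTEM.INI. The following is an added example, not ESET's tooling; the sample inputs, the user name alice and the path C:\Temp\abcd.exe are constructed.

```python
# Constructed sample inputs (added example, not ESET's code): a SYSTEM.INI copy and a .reg export.
SAMPLE_SYSTEM_INI = """[drivers]
wave=mmdrv.dll
[MCIDRV_VER]
DEVICEMB=842157
"""
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Temp\\abcd.exe"="C:\\Temp\\abcd.exe:*:Enabled:ipsec"
[HKEY_CURRENT_USER\Software\alice914]
"""
POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
INET_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\internet settings"
FW_KEY = (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess\parameters"
          r"\firewallpolicy\standardprofile\authorizedapplications\list")

def parse_ini(text):
    """Parse INI-style text (SYSTEM.INI or a .reg export) into {section: {key: value}}, lower-casing names."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            result.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            result[current][key.strip().strip('"').lower()] = value.strip().strip('"')
    return result

def sality_indicators(system_ini, reg_export, username):
    """Return the artifacts found. Each one alone is weak evidence; several together are not."""
    ini, reg, found = parse_ini(system_ini), parse_ini(reg_export), []
    marker = ini.get("mcidrv_ver", {}).get("devicemb", "")
    if marker.isdigit():                                   # infection marker in SYSTEM.INI
        found.append("SYSTEM.INI [MCIDRV_VER] DEVICEMB=" + marker)
    if reg.get(POLICY_KEY, {}).get("enablelua") == "dword:00000000":
        found.append("UAC disabled: EnableLUA = 0")
    if reg.get(INET_KEY, {}).get("globaluseroffline") == "dword:00000000":
        found.append("GlobalUserOffline = 0")
    for path, data in reg.get(FW_KEY, {}).items():         # firewall exception for the dropped file
        if data.lower().endswith(":*:enabled:ipsec"):
            found.append("firewall exception: " + path)
    if (r"hkey_current_user\software\%s914" % username.lower()) in reg:
        found.append(r"HKCU\Software\%s914 present" % username)
    return found
```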
