Win32/Sality [Threat Name] go to Threat

Win32/Sality.NDR [Threat Variant Name]

Category virus
Detection created Dec 23, 2013
Detection database version 9208
Aliases Virus:Win32/Sality.AW (Microsoft)
  W32.Sality.AF (Symantec)
Short description

Win32/Sality.NDR is a polymorphic file infector.

Installation

When executed the virus drops in folder %system%\drivers\ the following file:

  • %variable%.sys

A string with variable content is used instead of %variable% .


The virus registers itself as a system service using the following name:

  • amsint32

The following files are dropped into the %temp% folder:

  • %variable%.exe

%variable% represent random text.


The file is then executed.


The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile\­AuthorizedApplications\­List]
    • "%infectedfilepath%" = "%infectedfilepath%:*:Enabled:ipsec"

The performed data entry creates an exception in the Windows Firewall program.


The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings]
    • "GlobalUserOffline" = 0
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­policies\­system]
    • "EnableLUA" = 0
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile]
    • "EnableFirewall" = 0
    • "DoNotAllowExceptions" = 0
    • "DisableNotifications" = 1
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "Hidden" = 2
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­wscsvc]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­ALG]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­SharedAccess]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Security Center]
    • "AntiVirusOverride" = 1
    • "AntiVirusDisableNotify" = 1
    • "FirewallDisableNotify" = 1
    • "FirewallOverride" = 1
    • "UpdatesDisableNotify" = 1
    • "UacDisableNotify" = 1
    • "AntiSpywareOverride" = 1

The following Registry entries are deleted:

  • [HKEY_CURRENT_USER\­System\­CurrentControlSet\­Control\­SafeBoot]
  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Control\­SafeBoot]
Executable file infection

Win32/Sality.NDR is a polymorphic file infector.


The virus searches local and network drives for files with one of the following extensions:

  • .exe
  • .scr

Executables are infected by appending the code of the virus to the last section.


The host file is modified in a way that causes the virus to be executed prior to running the original code.


The virus infects files referenced by the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]

This causes the virus to be executed on every system start.

Spreading

The virus copies itself into the root folders of the following drives using a random filename.


The filename has one of the following extensions:

  • .exe
  • .pif

The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.


Thus, the virus ensures it is started each time infected media is inserted into the computer.


The virus spreads by exploiting a vulnerability in the operating system of the targeted machine.


This vulnerability is described in CVE-2010-2568 .

Other information

The following files are deleted:

  • *.vdb
  • *.avc
  • *drw*.key

The following services are disabled:

  • AVP
  • Agnitum Client Security Service
  • Amon monitor
  • aswUpdSv
  • aswMon2
  • aswRdr
  • aswSP
  • aswTdi
  • aswFsBlk
  • acssrv
  • AV Engine
  • avast! iAVS4 Control Service
  • avast! Antivirus
  • avast! Mail Scanner
  • avast! Web Scanner
  • avast! Asynchronous Virus Monitor
  • avast! Self Protection
  • AVG E-mail Scanner
  • Avira AntiVir Premium Guard
  • Avira AntiVir Premium WebGuard
  • Avira AntiVir Premium MailGuard
  • BGLiveSvc
  • BlackICE
  • CAISafe
  • ccEvtMgr
  • ccProxy
  • ccSetMgr
  • COMODO Firewall Pro Sandbox Driver
  • cmdGuard
  • cmdAgent
  • Eset Service
  • Eset HTTP Server
  • Eset Personal Firewall
  • F-Prot Antivirus Update Monitor
  • fsbwsys
  • FSDFWD
  • F-Secure Gatekeeper Handler Starter
  • FSMA
  • Google Online Services
  • InoRPC
  • InoRT
  • InoTask
  • ISSVC
  • KPF4
  • KLIF
  • LavasoftFirewall
  • LIVESRV
  • McAfeeFramework
  • McShield
  • McTaskManager
  • MpsSvc
  • navapsvc
  • NOD32krn
  • NPFMntor
  • NSCService
  • Outpost Firewall main module
  • OutpostFirewall
  • PAVFIRES
  • PAVFNSVR
  • PavProt
  • PavPrSrv
  • PAVSRV
  • PcCtlCom
  • PersonalFirewal
  • PREVSRV
  • ProtoPort Firewall service
  • PSIMSVC
  • RapApp
  • SharedAccess
  • SmcService
  • SNDSrvc
  • SPBBCSvc
  • SpIDer FS Monitor for Windows NT
  • SpIDer Guard File System Monitor
  • SPIDERNT
  • Symantec Core LC
  • Symantec Password Validation
  • Symantec AntiVirus Definition Watcher
  • SavRoam
  • Symantec AntiVirus
  • Tmntsrv
  • TmPfw
  • UmxAgent
  • UmxCfg
  • UmxLU
  • UmxPol
  • vsmon
  • VSSERV
  • WebrootDesktopFirewallDataService
  • WebrootFirewall
  • wscsvc
  • XCOMM

The virus terminates processes with any of the following strings in the name:

  • AVPM.
  • A2GUARD
  • A2CMD.
  • A2SERVICE.
  • A2FREE
  • AVAST
  • ADVCHK.
  • AHPROCMONSERVER.
  • AIRDEFENSE
  • ALERTSVC
  • AVIRA
  • AMON.
  • TROJAN
  • AVZ.
  • ANTIVIR
  • APVXDWIN.
  • ARMOR2NET.
  • ASHAVAST.
  • ASHDISP.
  • ASHENHCD.
  • ASHMAISV.
  • ASHPOPWZ.
  • ASHSERV.
  • ASHSIMPL.
  • ASHSKPCK.
  • ASHWEBSV.
  • ASWUPDSV.
  • ASWSCAN
  • AVCIMAN.
  • AVCONSOL.
  • AVENGINE.
  • AVESVC.
  • AVEVAL.
  • AVEVL32.
  • AVGAM
  • AVGCC.AVGCHSVX.
  • AVGCSRVX.
  • AVGNSX.
  • AVGCC32.
  • AVGCTRL.
  • AVGEMC
  • AVGFWSRV.
  • AVGNT.
  • AVCENTER
  • AVGNTMGR
  • AVGSERV.
  • AVGTRAY.
  • AVGUARD.
  • AVGUPSVC.
  • AVGWDSVC.
  • AVINITNT.
  • AVKSERV.
  • AVKSERVICE.
  • AVKWCTL.
  • AVP.
  • AVP32.
  • AVPCC.
  • AVAST
  • AVSERVER.
  • AVSCHED32.
  • AVSYNMGR.
  • AVWUPD32.
  • AVWUPSRV.
  • AVXMONITOR
  • AVXQUAR.
  • BDSWITCH.
  • BLACKD.
  • BLACKICE.
  • CAFIX.
  • BITDEFENDER
  • CCEVTMGR.
  • CFPCONFIG.
  • CCSETMGR.
  • CFIAUDIT.
  • CLAMTRAY.
  • CLAMWIN.
  • CUREIT
  • DEFWATCH.
  • DRVIRUS.
  • DRWADINS.
  • DRWEB
  • DEFENDERDAEMON
  • DWEBLLIO
  • DWEBIO
  • ESCANH95.
  • ESCANHNT.
  • EWIDOCTRL.
  • EZANTIVIRUSREGISTRATIONCHECK.
  • F-AGNT95.
  • FAMEH32.
  • FILEMON
  • FIREWALL
  • FORTICLIENT
  • FORTITRAY.
  • FORTISCAN
  • FPAVSERVER.
  • FPROTTRAY.
  • FPWIN.
  • FRESHCLAM.
  • EKRN.
  • FSAV32.
  • FSAVGUI.
  • FSBWSYS.
  • F-SCHED.
  • FSDFWD.
  • FSGK32.
  • FSGK32ST.
  • FSGUIEXE.
  • FSMA32.
  • FSMB32.
  • FSPEX.
  • FSSM32.
  • F-STOPW.
  • GCASDTSERV.
  • GCASSERV.
  • GIANTANTISPYWARE
  • GUARDGUI.
  • GUARDNT.
  • GUARDXSERVICE.
  • GUARDXKICKOFF.
  • HREGMON.
  • HRRES.
  • HSOCKPE.
  • HUPDATE.
  • IAMAPP.
  • IAMSERV.
  • ICLOAD95.
  • ICLOADNT.
  • ICMON.
  • ICSSUPPNT.
  • ICSUPP95.
  • ICSUPPNT.
  • IPTRAY.
  • INETUPD.
  • INOCIT.
  • INORPC.
  • INORT.
  • INOTASK.
  • INOUPTNG.
  • IOMON98.
  • ISAFE.
  • ISATRAY.
  • KAV.
  • KAVMM.
  • KAVPF.
  • KAVPFW.
  • KAVSTART.
  • KAVSVC.
  • KAVSVCUI.
  • KMAILMON.
  • MAMUTU
  • MCAGENT.
  • MCMNHDLR.
  • MCREGWIZ.
  • MCUPDATE.
  • MCVSSHLD.
  • MINILOG.
  • MSSECES.
  • MSSEOOBE.
  • MYAGTSVC.
  • MYAGTTRY.
  • NAVAPSVC.
  • NAVAPW32.
  • NAVLU32.
  • NAVW32.
  • NEOWATCHLOG.
  • NEOWATCHTRAY.
  • NISSERV
  • NISUM.
  • NMAIN.
  • NOD32
  • NORMIST.
  • NOTSTART.
  • NPAVTRAY.
  • NPFMNTOR.
  • NPFMSG.
  • NPROTECT.
  • NSCHED32.
  • NSMDTR.
  • NSSSERV.
  • NSSTRAY.
  • NTRTSCAN.
  • NTOS.
  • NTXCONFIG.
  • NUPGRADE.
  • NVCOD.
  • NVCTE.
  • NVCUT.
  • NWSERVICE.
  • OFCPFWSVC.
  • OUTPOST
  • ONLINENT.
  • OPSSVC.
  • OP_MON.
  • PAVFIRES.
  • PAVFNSVR.
  • PAVKRE.
  • PAVPROT.
  • PAVPROXY.
  • PAVPRSRV.
  • PAVSRV51.
  • PAVSS.
  • PCCGUIDE.
  • PCCIOMON.
  • PCCNTMON.
  • PCCPFW.
  • PCCTLCOM.
  • PCTAV.
  • PERSFW.
  • PERTSK.
  • PERVAC.
  • PESTPATROL
  • PNMSRV.
  • PREVSRV.
  • PREVX
  • PSIMSVC.
  • QUHLPSVC.
  • QHONLINE.
  • QHONSVC.
  • QHWSCSVC.
  • QHSET.
  • RFWMAIN.
  • RTVSCAN.
  • RTVSCN95.
  • SALITY
  • SAPISSVC.
  • SCANWSCS.
  • SAVADMINSERVICE.
  • SAVMAIN.
  • SAVPROGRESS.
  • SAVSCAN.
  • SCANNINGPROCESS.
  • SDRA64.
  • SDHELP.
  • SHSTAT.
  • SITECLI.
  • SPBBCSVC.
  • SPHINX.
  • SPIDERCPL.
  • SPIDERML.
  • SPIDERNT.
  • SPIDERUI.
  • SPYBOTSD.
  • SPYXX.
  • SS3EDIT.
  • STOPSIGNAV.
  • SWAGENT.
  • SWDOCTOR.
  • SWNETSUP.
  • SYMLCSVC.
  • SYMPROXYSVC.
  • SYMSPORT.
  • TAUMON.
  • TMLISTEN.
  • TMNTSRV.
  • TMPROXY.
  • TNBUTIL.
  • TRJSCAN.
  • VBA32ECM.
  • VBA32IFS.
  • VBA32LDR.
  • VBA32PP3.
  • VBSNTW.
  • VCRMON.
  • VRFWSVC.
  • VRMONNT.
  • VRMONSVC.
  • VRRW32.
  • VSECOMR.
  • VSHWIN32.
  • VSMON.
  • VSSERV.
  • VSSTAT.
  • WATCHDOG.
  • WEBSCANX.
  • WINSSNOTIFY.
  • WRCTRL.
  • XCOMMSVR.
  • ZLCLIENT
  • ZONEALARM

The virus contains a list of URLs.


It tries to download several files from the addresses.


The files are then executed.


The virus creates and runs a new thread with its own program code in all running processes.


The virus modifies the following file:

  • SYSTEM.INI

The virus writes the following entries to the file:

  • [MCIDRV_VER]
    • DEVICEMB=%number%

The %number% represents a random number.

Please enable Javascript to ensure correct displaying of this content and refresh this page.