Win32/Sality [Threat Name]

Win32/Sality.NAJ [Threat Variant Name]

Category virus
Size 20480 B
Aliases Virus.Win32.Sality.q (Kaspersky)
  W32/Sality.x (McAfee)
  W32.Sality.U (Symantec)
Short description

Win32/Sality.NAJ is a polymorphic file infector. It is able to spread via shared folders.

Installation

The following file is dropped into the %windir% folder:

  • vcmgcd32.dll

The library is loaded and injected into all running processes.


The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "GlobalUserOffline" = 0

The virus modifies the following file:

  • %windir%\system.ini

Executable file infection

The virus infects files referenced by the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

This causes the virus to be executed on every system start.


The virus searches for executables on local drives.


The virus also searches for executables in shared folders of remote machines.


Infection is attempted only if the executable is not located in a folder whose name contains one of the following strings:

  • AHEAD
  • SYSTEM

Several other criteria are applied when choosing a file to infect.


Files are infected by adding a new section that contains the virus.


The size of the inserted code is 20480 B.
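The infection method described above (a new section appended to the host file, 20480 B of inserted code) gives a defender a simple triage heuristic for suspect executables. The following Python is an added example and is not code from the original page or from ESET: it parses the PE section table by hand and flags any executable whose last section has a raw size of exactly 20480 bytes. The build_pe helper constructs a synthetic, header-only PE image for testing (constructed data, not a real or infected binary), and the size-match rule is an assumption of this example, not a documented detection signature; legitimate binaries can have a 20480-byte final section, so a hit is a reason to run a full AV scan, not a verdict.

```python
import struct
import sys

# Size of the appended virus section as stated in the description (20480 B).
INJECTED_SECTION_SIZE = 20480

# IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, used only
# for the constructed test image below.
CODE_SECTION_FLAGS = 0x60000020


def parse_sections(data):
    """Parse the PE section table and return one dict per section.

    Only the DOS header, PE signature, COFF header and section headers are
    read, so a truncated or header-only image is enough.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        # IMAGE_SECTION_HEADER is 40 bytes: Name, VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, PointerToRelocations,
        # PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers,
        # Characteristics
        fields = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({
            "name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": fields[1],
            "virtual_address": fields[2],
            "raw_size": fields[3],
            "raw_pointer": fields[4],
            "characteristics": fields[9],
        })
    return sections


def suspicious_last_section(data):
    """Return the last section if its raw size equals the inserted-code size, else None.

    Heuristic only (an assumption of this example): a size match alone is not
    proof of infection.
    """
    sections = parse_sections(data)
    if not sections:
        return None
    last = sections[-1]
    if last["raw_size"] == INJECTED_SECTION_SIZE:
        return last
    return None


def build_pe(section_sizes):
    """Construct a header-only PE image with the given section raw sizes.

    Constructed test data for this example; it is not a real or infected binary.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, no symbols, no optional header,
    # Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_sizes), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(section_sizes)
    table = b""
    for i, size in enumerate(section_sizes):
        name = (".sec%d" % i).encode().ljust(8, b"\0")
        table += struct.pack("<8sIIIIIIHHI", name, size, 0x1000 * (i + 1),
                             size, raw_ptr, 0, 0, 0, 0, CODE_SECTION_FLAGS)
        raw_ptr += size
    return dos + b"PE\0\0" + coff + table


def scan_file(path):
    """Return the flagged section dict for one file on disk, or None."""
    with open(path, "rb") as fh:
        # The headers sit at the start of the file; 64 KiB covers any sane layout.
        return suspicious_last_section(fh.read(65536))


if __name__ == "__main__":
    for path in sys.argv[1:]:
        try:
            hit = scan_file(path)
        except (OSError, ValueError, struct.error) as exc:
            print("%s: skipped (%s)" % (path, exc))
            continue
        if hit:
            print("%s: last section %r raw size %d B matches inserted-code size"
                  % (path, hit["name"], hit["raw_size"]))
```

Run it as `python sality_section_check.py C:\path\to\*.exe` (a hypothetical file name) to list candidates; parse errors on non-PE files are reported and skipped rather than aborting the scan, and the script never writes to or executes the files it inspects.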

Other information

The virus deletes files with the following extensions:

  • .avc
  • .vdb

The virus deletes executable files whose names contain one of the following strings:

  • ALER
  • ANDA
  • ANTI
  • AVP
  • BIDEF
  • CLEAN
  • GUAR
  • KAV
  • NOD
  • OUTP
  • SCAN
  • TREN
  • TROJ
  • ZONE

The following programs are terminated:

  • ANTI
  • ATGUARD
  • AUTOTRACE
  • AVGSERV
  • AVLTMAIN
  • AVP
  • AVPROTECT
  • AVSYNMGR
  • AVXQUAR
  • BIDEF
  • BIDSERVER
  • BIPCP
  • BLACKICE
  • CLEANER
  • DRWATSON
  • DRWEB
  • DRWTSN32
  • ESCANH
  • ICSSUPPNT
  • ICSUPP
  • KAV
  • LOCKDOWN
  • MCAGENT
  • MCUPDATE
  • MGUI
  • NAV
  • NMAIN
  • NOD32
  • NPFMESSENGER
  • NPROTECT
  • NUPGRADE
  • OUTPOST
  • PERISCOPE
  • PINGSCAN
  • PORTDETECTIVE
  • PROTECTX
  • RTVSCAN
  • SAVSCAN
  • TRJSCAN
  • VSMAIN
  • ZONEALARM

The virus tries to download and execute several files from the Internet.
