Win32/Sality [Threat Name] go to Threat
Win32/Sality.NAR [Threat Variant Name]
| Category | virus |
| Aliases | Virus.Win32.Sality.aa (Kaspersky) |
| Virus:Win32/Sality.AM (Microsoft) | |
| W32/Sality.ah (McAfee) |
Short description
Win32/Sality.NAR is a polymorphic file infector.
Installation
When executed the virus drops in folder %system%\drivers\ the following file:
- %variable%.sys (5509 B)
%variable% represents a random text.
The following files are dropped into the %temp% folder:
- %variableA%.exe (7680 B)
- %variableB%.exe (8192 B)
%variableA%, %variableB% represent random text. The files are then executed.
The virus registers itself as a system service using the following name:
- IPFILTERDRIVER
The following Registry entries are created:
- [HKEY_CURRENT_USER\Software\%username%914]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%filename%" = "%filename%:*:Enabled:ipsec"
The performed command creates an exception in the Windows Firewall.
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- "GlobalUserOffline" = 0
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system]
- "EnableLUA" = 0
The following Registry entries are deleted:
- [HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats]
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\Stats]
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
- [HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot]
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot]
Executable file infection
Win32/Sality.NAR is a polymorphic file infector.
The virus searches local and network drives for files with one of the following extensions:
- .exe
Files are infected by adding a new section that contains the virus . The host file is modified in a way that causes the virus to be executed prior to running the original code. The virus infects files referenced by the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
This causes the virus to be executed on every system start.
Spreading on removable media
The virus copies itself into the root folders of removable drives using a random filename.
The filename has one of the following extensions:
- .exe
- .pif
- .cmd
The following file is dropped in the same folder:
- autorun.inf
Thus, the virus ensures it is started each time infected media is inserted into the computer.
Other information
The following files are deleted:
- *.vdb
- *.avc
- *drw*.key
The following services are disabled:
- Agnitum Client Security Service
- ALG
- aswUpdSv
- avast! Antivirus
- avast! Mail Scanner
- avast! Web Scanner
- BackWeb Plug-in - 4476822
- bdss
- BGLiveSvc
- BlackICE
- CAISafe
- ccEvtMgr
- ccProxy
- ccSetMgr
- Eset Service
- F-Prot Antivirus Update Monitor
- fsbwsys
- FSDFWD
- F-Secure Gatekeeper Handler Starter
- fshttps
- FSMA
- InoRPC
- InoRT
- InoTask
- ISSVC
- KPF4
- LavasoftFirewall
- LIVESRV
- McAfeeFramework
- McShield
- McTaskManager
- navapsvc
- NOD32krn
- NPFMntor
- NSCService
- Outpost Firewall main module
- OutpostFirewall
- PAVFIRES
- PAVFNSVR
- PavProt
- PavPrSrv
- PAVSRV
- PcCtlCom
- PersonalFirewal
- PREVSRV
- ProtoPort Firewall service
- PSIMSVC
- RapApp
- SmcService
- SNDSrvc
- SPBBCSvc
- Symantec Core LC
- Tmntsrv
- TmPfw
- tmproxy
- UmxAgent
- UmxCfg
- UmxLU
- UmxPol
- vsmon
- VSSERV
- WebrootDesktopFirewallDataService
- WebrootFirewall
- XCOMM
- AVP
The virus terminates processes with any of the following strings in the name:
- _AVPM.
- A2GUARD.
- AAVSHIELD.
- AVAST
- ADVCHK.
- AHNSD.
- AIRDEFENSE
- ALERTSVC
- ALMON.
- ALOGSERV
- ALSVC.
- AMON.
- ANTI-TROJAN.
- AVZ.
- ANTIVIR
- ANTS.
- APVXDWIN.
- ARMOR2NET.
- ASHAVAST.
- ASHDISP.
- ASHENHCD.
- ASHMAISV.
- ASHPOPWZ.
- ASHSERV.
- ASHSIMPL.
- ASHSKPCK.
- ASHWEBSV.
- ASWUPDSV.
- ATCON.
- ATUPDATER.
- ATWATCH.
- AUPDATE.
- AUTODOWN.
- AUTOTRACE.
- AUTOUPDATE.
- AVCIMAN.
- AVCONSOL.
- AVENGINE.
- AVGAMSVR.
- AVGCC.
- AVGCC32.
- AVGCTRL.
- AVGEMC.
- AVGFWSRV.
- AVGNT.
- AVGNTDD
- AVGNTMGR
- AVGSERV.
- AVGUARD.
- AVGUPSVC.
- AVINITNT.
- AVKSERV.
- AVKSERVICE.
- AVKWCTL.
- AVP.
- AVP32.
- AVPCC.
- AVPM.
- AVAST
- AVSCHED32.
- AVSYNMGR.
- AVWUPD32.
- AVWUPSRV.
- AVXMONITOR9X.
- AVXMONITORNT.
- AVXQUAR.
- BACKWEB-4476822.
- BDMCON.
- BDNEWS.
- BDOESRV.
- BDSS.
- BDSUBMIT.
- BDSWITCH.
- BLACKD.
- BLACKICE.
- CAFIX.
- CCAPP.
- CCEVTMGR.
- CCPROXY.
- CCSETMGR.
- CFIAUDIT.
- CLAMTRAY.
- CLAMWIN.
- CLAW95.
- CLAW95CF.
- CLEANER.
- CLEANER3.
- CLISVC.
- CMGRDIAN.
- CUREIT
- DEFWATCH.
- DOORS.
- DRVIRUS.
- DRWADINS.
- DRWEB32W.
- DRWEBSCD.
- DRWEBUPW.
- ESCANH95.
- ESCANHNT.
- EWIDOCTRL.
- EZANTIVIRUSREGISTRATIONCHECK.
- F-AGNT95.
- FAMEH32.
- FAST.
- FCH32.
- FILEMON
- FIRESVC.
- FIRETRAY.
- FIREWALL.
- FPAVUPDM.
- F-PROT95.
- FRESHCLAM.
- EKRN.
- FSAV32.
- FSAVGUI.
- FSBWSYS.
- F-SCHED.
- FSDFWD.
- FSGK32.
- FSGK32ST.
- FSGUIEXE.
- EGUI.
- FSMA32.
- FSMB32.
- FSPEX.
- FSSM32.
- F-STOPW.
- GCASDTSERV.
- GCASSERV.
- GIANTANTISPYWAREMAIN.
- GIANTANTISPYWAREUPDATER.
- GUARDGUI.
- GUARDNT.
- HREGMON.
- HRRES.
- HSOCKPE.
- HUPDATE.
- IAMAPP.
- IAMSERV.
- ICLOAD95.
- ICLOADNT.
- ICMON.
- ICSSUPPNT.
- ICSUPP95.
- ICSUPPNT.
- IFACE.
- INETUPD.
- INOCIT.
- INORPC.
- INORT.
- INOTASK.
- INOUPTNG.
- IOMON98.
- ISAFE.
- ISATRAY.
- ISRV95.
- ISSVC.
- KAV.
- KAVMM.
- KAVPF.
- KAVPFW.
- KAVSTART.
- KAVSVC.
- KAVSVCUI.
- KMAILMON.
- KPFWSVC.
- KWATCH.
- LOCKDOWN2000.
- LOGWATNT.
- LUALL.
- LUCOMSERVER.
- LUUPDATE.
- MCAGENT.
- MCMNHDLR.
- MCREGWIZ.
- MCUPDATE.
- MCVSSHLD.
- MINILOG.
- MYAGTSVC.
- MYAGTTRY.
- NAVAPSVC.
- NAVAPW32.
- NAVLU32.
- NAVW32.
- NOD32.
- NEOWATCHLOG.
- NEOWATCHTRAY.
- NISSERV
- NISUM.
- NMAIN.
- NOD32
- NORMIST.
- NOTSTART.
- NPAVTRAY.
- NPFMNTOR.
- NPFMSG.
- NPROTECT.
- NSCHED32.
- NSMDTR.
- NSSSERV.
- NSSTRAY.
- NTRTSCAN.
- NTXCONFIG.
- NUPGRADE.
- NVC95.
- NVCOD.
- NVCTE.
- NVCUT.
- NWSERVICE.
- OFCPFWSVC.
- OUTPOST.
- PAV.
- PAVFIRES.
- PAVFNSVR.
- PAVKRE.
- PAVPROT.
- PAVPROXY.
- PAVPRSRV.
- PAVSRV51.
- PAVSS.
- PCCGUIDE.
- PCCIOMON.
- PCCNTMON.
- PCCPFW.
- PCCTLCOM.
- PCTAV.
- PERSFW.
- PERTSK.
- PERVAC.
- PNMSRV.
- POP3TRAP.
- POPROXY.
- PREVSRV.
- PSIMSVC.
- QHM32.
- QHONLINE.
- QHONSVC.
- QHPF.
- QHWSCSVC.
- RAVMON.
- RAVTIMER.
- REALMON.
- REALMON95.
- RFWMAIN.
- RTVSCAN.
- RTVSCN95.
- RULAUNCH.
- SAVADMINSERVICE.
- SAVMAIN.
- SAVPROGRESS.
- SAVSCAN.
- SCAN32.
- SCANNINGPROCESS.
- CUREIT.
- SDHELP.
- SHSTAT.
- SITECLI.
- SPBBCSVC.
- SPHINX.
- SPIDERML.
- SPIDERNT.
- SPIDERUI.
- SPYBOTSD.
- SPYXX.
- SS3EDIT.
- STOPSIGNAV.
- SWAGENT.
- SWDOCTOR.
- SWNETSUP.
- SYMLCSVC.
- SYMPROXYSVC.
- SYMSPORT.
- SYMWSC.
- SYNMGR.
- TAUMON.
- TBMON.
- AVAST
- TDS-3.
- TEATIMER.
- TFAK.
- THAV.
- THSM.
- TMAS.
- TMLISTEN.
- TMNTSRV.
- TMPFW.
- TMPROXY.
- TNBUTIL.
- TRJSCAN.
- UP2DATE.
- VBA32ECM.
- VBA32IFS.
- VBA32LDR.
- VBA32PP3.
- VBSNTW.
- VCHK.
- VCRMON.
- VETTRAY.
- VIRUSKEEPER.
- VPTRAY.
- VRFWSVC.
- VRMONNT.
- VRMONSVC.
- VRRW32.
- VSECOMR.
- VSHWIN32.
- VSMON.
- VSSERV.
- VSSTAT.
- WATCHDOG.
- WEBPROXY.
- WEBSCANX.
- WEBTRAP.
- WGFE95.
- WINAW32.
- WINROUTE.
- WINSS.
- WINSSNOTIFY.
- WRADMIN.
- WRCTRL.
- XCOMMSVR.
- ZATUTOR.
- ZAUINST.
- ZLCLIENT.
- ZONEALARM.
The virus contains a list of URLs.
It tries to download several files from the addresses.
These are stored in the following locations:
- %temp%\win%variable%.exe
- %temp%\%variable%.exe
%variable% represents a random text.
The files are then executed.
The virus creates and runs a new thread with its own program code within the following processes:
- %system%\notepad.exe
- %system%\winmine.exe
The virus modifies the following file:
- SYSTEM.INI
The virus writes the following entries to the file:
- [MCIDRV_VER]
- DEVICEMB=%number%
The %number% represents a random number.