Win32/Sality [Threat Name]
Win32/Sality.NAU [Threat Variant Name]
Category: virus
Aliases: Virus.Win32.Sality.aa (Kaspersky), W32.Sality.AE (Symantec), Virus:Win32/Sality.AM (Microsoft)
Short description
Win32/Sality.NAU is a polymorphic file infector.
Installation
When executed, the virus drops the following file in the %system%\drivers folder:
- %variable%.sys (5669 B)
A string with variable content is used instead of %variable%.
Installs the following system drivers (path, name):
- %system%\drivers\%variable%.sys, abp470n5
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%filename%" = "%filename%:*:Enabled:ipsec"
This entry adds the infected executable (%filename%) to the Windows Firewall exception list, so its network traffic is allowed.
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "Hidden" = 2
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system]
- "DisableTaskMgr" = 1
- "DisableRegistryTools" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
- "AntiVirusOverride" = 1
- "AntiVirusDisableNotify" = 1
- "FirewallDisableNotify" = 1
- "FirewallOverride" = 1
- "UpdatesDisableNotify" = 1
- "UacDisableNotify" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
- "AntiVirusOverride" = 1
- "AntiVirusDisableNotify" = 1
- "FirewallDisableNotify" = 1
- "FirewallOverride" = 1
- "UpdatesDisableNotify" = 1
- "UacDisableNotify" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- "GlobalUserOffline" = 0
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
- "EnableLUA" = 0
- [HKEY_CURRENT_USER\Software\%username%914]
The following Registry entries are removed:
- [HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
The virus creates and runs a new thread with its own program code in all running processes.
Executable file infection
Win32/Sality.NAU is a polymorphic file infector.
The virus searches local and network drives for files with one of the following extensions:
- .exe
- .scr
Files are infected by adding a new section that contains the virus code.
The host file's entry point is modified so that the virus code is executed before the original program code.
The virus infects files referenced by the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
If a folder name matches one of the following strings, files inside it are not infected:
- SYSTEM
- WINDOWS
- SYSTEM32
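One way to look for this infection pattern in a file, as an added example that is not part of the original description and not ESET's code: a minimal PE header parser that reports when the entry point has been moved into the last section and when that section is both writable and executable. It uses only the Python standard library. `build_pe()` constructs two synthetic test images (a clean layout and an infected-style layout); it does not produce a real Sality sample, and the section names, addresses and flags are assumed values.

```python
"""Flag PE files whose entry point has been redirected into a trailing
section, the infection pattern described above for Win32/Sality.NAU (new
section holding the virus, host entry point changed so the virus runs first).
Added example, not ESET's code. Offsets follow the PE/COFF specification;
build_pe() makes a constructed test file, not a real program."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, sections); each section is a dict of header fields."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                      # 20-byte COFF file header
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                        # optional header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        s = opt + opt_size + i * 40        # 40-byte section headers
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append({
            "name": data[s:s + 8].rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size,
            "flags": struct.unpack_from("<I", data, s + 36)[0],
        })
    return entry_rva, sections


def section_of(rva, sections):
    """Index of the section whose virtual range contains rva, or None."""
    for i, sec in enumerate(sections):
        if sec["va"] <= rva < sec["va"] + max(sec["vsize"], sec["raw_size"]):
            return i
    return None


def infection_indicators(data):
    """Heuristics for an appended-section file infector; [] means nothing seen."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return ["no section table"]
    idx = section_of(entry_rva, sections)
    if idx is None:
        return [f"entry point 0x{entry_rva:x} outside every section"]
    findings = []
    last = sections[-1]
    # A compiler-emitted code section normally comes first; an appended,
    # writable and executable section holding the entry point is the classic sign.
    if idx == len(sections) - 1 and len(sections) > 1:
        findings.append(f"entry point 0x{entry_rva:x} lies in the last section {last['name']!r}")
        if last["flags"] & IMAGE_SCN_MEM_WRITE and last["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"last section {last['name']!r} is writable and executable")
    return findings


def build_pe(sections, entry_rva):
    """Constructed minimal PE32 image: sections = [(name, va, size, flags)]."""
    nsec = len(sections)
    opt_size = 224                         # PE32 optional header size
    raw_start = 0x200                      # file offset of the first section
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)           # Section/FileAlignment
    table, body, raw_ptr = b"", b"", raw_start
    for name, va, size, flags in sections:
        table += struct.pack("<8sIIIIIIHHI", name, size, va, size, raw_ptr, 0, 0, 0, 0, flags)
        body += b"\xCC" * size             # int3 filler instead of real code
        raw_ptr += size
    header = dos + b"PE\0\0" + coff + bytes(opt) + table
    if len(header) > raw_start:
        raise ValueError("too many sections for the fixed header area")
    return header.ljust(raw_start, b"\0") + body


CLEAN = build_pe([(b".text", 0x1000, 0x200, 0x60000020),
                  (b".data", 0x2000, 0x200, 0xC0000040)], entry_rva=0x1010)
# Constructed stand-in for an infected host: a third, writable+executable
# section appended and the entry point pointed at it (assumed name ".vir").
INFECTED = build_pe([(b".text", 0x1000, 0x200, 0x60000020),
                     (b".data", 0x2000, 0x200, 0xC0000040),
                     (b".vir", 0x3000, 0x400, 0xE0000020)], entry_rva=0x3000)
```

Treat the output as a triage hint, not a verdict: runtime packers such as UPX also place the entry point in a trailing writable section, so confirm a hit with a scanner or by comparing the file against a known-good copy. Since the virus skips the SYSTEM, WINDOWS and SYSTEM32 folders, start with user-writable locations and the files referenced from the Run keys listed above.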
Spreading on removable media
The virus copies itself into the root folders of removable drives using the following name:
- %variable%
A string with variable content is used instead of %variable%.
The filename has one of the following extensions:
- .exe
- .pif
- .cmd
The following file is dropped in the same folder:
- autorun.inf
Thus, the virus ensures it is started each time infected media is inserted into a computer on which AutoRun is enabled for removable drives.
Other information
The virus executes the following command:
- netsh firewall set opmode disable
The following files are deleted:
- *.VBD
- *.AVC
The virus terminates processes with any of the following strings in the name:
- _AVPM.
- A2GUARD.
- AAVSHIELD.
- ADVCHK.
- AHNSD.
- AIRDEFENSE
- ALERTSVC
- ALOGSERV
- ALSVC.
- AMON.
- ANTI-TROJAN.
- ANTIVIR
- APVXDWIN.
- ARMOR2NET.
- ASHAVAST.
- ASHDISP.
- ASHENHCD.
- ASHMAISV.
- ASHPOPWZ.
- ASHSERV.
- ASHSIMPL.
- ASHSKPCK.
- ASHWEBSV.
- ASWUPDSV.
- ATCON.
- ATUPDATER.
- ATWATCH.
- AVAST
- AVCENTER.
- AVCIMAN.
- AVCONSOL.
- AVENGINE.
- AVESVC.
- AVGAMSVR.
- AVGCC.
- AVGCC32.
- AVGCTRL.
- AVGEMC.
- AVGFWSRV.
- AVGNT
- AVGNT.
- AVGNTDD
- AVGNTMGR
- AVGSERV.
- AVGUARD.
- AVGUPSVC.
- AVINITNT.
- AVKSERV.
- AVKSERVICE.
- AVKWCTL.
- AVP.
- AVP32.
- AVPCC.
- AVPM.
- AVSERVER.
- AVSCHED32.
- AVSYNMGR.
- AVWUPD32.
- AVWUPSRV.
- AVXMONITOR9X.
- AVXMONITORNT.
- AVXQUAR.
- AVZ.
- BDMCON.
- BDNEWS.
- BDSUBMIT.
- BDSWITCH.
- BLACKD.
- BLACKICE.
- CAFIX.
- CCAPP.
- CCEVTMGR.
- CCPROXY.
- CCSETMGR.
- CFIAUDIT.
- CLAMTRAY.
- CLAMWIN.
- CLAW95.
- CUREIT
- DEFWATCH.
- DRVIRUS.
- DRWADINS.
- DRWEB32W.
- DRWEBSCD.
- DRWEBUPW.
- DWEBIO
- DWEBLLIO
- EKRN.
- ESCANH95.
- ESCANHNT.
- EWIDOCTRL.
- EZANTIVIRUSREGISTRATIONCHECK.
- F-AGNT95.
- FAMEH32.
- FILEMON
- FIRESVC.
- FIRETRAY.
- FIREWALL.
- FPAVUPDM.
- F-PROT95.
- FRESHCLAM.
- FSAV32.
- FSAVGUI.
- FSBWSYS.
- FSDFWD.
- FSGK32.
- FSGK32ST.
- FSGUIEXE.
- F-SCHED.
- FSMA32.
- FSMB32.
- FSPEX.
- FSSM32.
- F-STOPW.
- GCASDTSERV.
- GCASSERV.
- GIANTANTISPYWAREMAIN.
- GIANTANTISPYWAREUPDATER.
- GUARDGUI.
- GUARDNT.
- HREGMON.
- HRRES.
- HSOCKPE.
- HUPDATE.
- IAMAPP.
- IAMSERV.
- ICLOAD95.
- ICLOADNT.
- ICMON.
- ICSSUPPNT.
- ICSUPP95.
- ICSUPPNT.
- IFACE.
- INETUPD.
- INOCIT.
- INORPC.
- INORT.
- INOTASK.
- INOUPTNG.
- IOMON98.
- ISAFE.
- ISATRAY.
- ISRV95.
- ISSVC.
- KAV.
- KAVMM.
- KAVPF.
- KAVPFW.
- KAVSTART.
- KAVSVC.
- KAVSVCUI.
- KMAILMON.
- KPFWSVC.
- MCAGENT.
- MCMNHDLR.
- MCREGWIZ.
- MCUPDATE.
- MCVSSHLD.
- MINILOG.
- MYAGTSVC.
- MYAGTTRY.
- NAVAPSVC.
- NAVAPW32.
- NAVLU32.
- NAVW32.
- NEOWATCHLOG.
- NEOWATCHTRAY.
- NISSERV
- NISUM.
- NMAIN.
- NOD32
- NORMIST.
- NOTSTART.
- NPAVTRAY.
- NPFMNTOR.
- NPFMSG.
- NPROTECT.
- NSCHED32.
- NSMDTR.
- NSSSERV.
- NSSTRAY.
- NTOS.
- NTRTSCAN.
- NTXCONFIG.
- NUPGRADE.
- NVCOD.
- NVCTE.
- NVCUT.
- NWSERVICE.
- OFCPFWSVC.
- OP_MON.
- OUTPOST
- PAVFIRES.
- PAVFNSVR.
- PAVKRE.
- PAVPROT.
- PAVPROXY.
- PAVPRSRV.
- PAVSRV51.
- PAVSS.
- PCCGUIDE.
- PCCIOMON.
- PCCNTMON.
- PCCPFW.
- PCCTLCOM.
- PCTAV.
- PERSFW.
- PERTSK.
- PERVAC.
- PNMSRV.
- POP3TRAP.
- POPROXY.
- PREVSRV.
- PSIMSVC.
- QHM32.
- QHONLINE.
- QHONSVC.
- QHPF.
- QHWSCSVC.
- RAVMON.
- RAVTIMER.
- RFWMAIN.
- RTVSCAN.
- RTVSCN95.
- RULAUNCH.
- SAVADMINSERVICE.
- SAVMAIN.
- SAVPROGRESS.
- SAVSCAN.
- SCANNINGPROCESS.
- SDHELP.
- SHSTAT.
- SITECLI.
- SPBBCSVC.
- SPHINX.
- SPIDERCPL.
- SPIDERML.
- SPIDERNT.
- SPIDERUI.
- SPYBOTSD.
- SPYXX.
- SS3EDIT.
- STOPSIGNAV.
- SWAGENT.
- SWDOCTOR.
- SWNETSUP.
- SYMLCSVC.
- SYMPROXYSVC.
- SYMSPORT.
- SYMWSC.
- SYNMGR.
- TAUMON.
- TBMON.
- TFAK.
- THAV.
- THSM.
- TMAS.
- TMLISTEN.
- TMNTSRV.
- TMPFW.
- TMPROXY.
- TNBUTIL.
- TRJSCAN.
- UP2DATE.
- VBA32ECM.
- VBA32IFS.
- VBA32LDR.
- VBA32PP3.
- VBSNTW.
- VCRMON.
- VETTRAY.
- VCHK.
- VIRUSKEEPER.
- VPTRAY.
- VRFWSVC.
- VRMONNT.
- VRMONSVC.
- VRRW32.
- VSECOMR.
- VSHWIN32.
- VSMON.
- VSSERV.
- VSSTAT.
- WATCHDOG.
- WEBPROXY.
- WEBSCANX.
- WEBTRAP.
- WGFE95.
- WINAW32.
- WINROUTE.
- WINSS.
- WINSSNOTIFY.
- WRCTRL.
- XCOMMSVR.
- ZAUINST
- ZLCLIENT
- ZONEALARM
The following services are disabled:
- acssrv
- Agnitum Client Security Service
- ALG
- Amon monitor
- aswFsBlk
- aswMon2
- aswRdr
- aswSP
- aswTdi
- aswUpdSv
- AV Engine
- avast! Antivirus
- avast! Asynchronous Virus Monitor
- avast! iAVS4 Control Service
- avast! Mail Scanner
- avast! Self Protection
- avast! Web Scanner
- AVG E-mail Scanner
- Avira AntiVir Premium Guard
- Avira AntiVir Premium MailGuard
- Avira AntiVir Premium WebGuard
- AVP
- avp1
- BackWeb Plug-in - 4476822
- bdss
- BGLiveSvc
- BlackICE
- CAISafe
- ccEvtMgr
- ccProxy
- ccSetMgr
- Eset HTTP Server
- Eset Personal Firewall
- Eset Service
- F-Prot Antivirus Update Monitor
- fsbwsys
- FSDFWD
- F-Secure Gatekeeper Handler Starter
- FSMA
- Google Online Services
- InoRPC
- InoRT
- InoTask
- ISSVC
- KLIF
- KPF4
- LavasoftFirewall
- LIVESRV
- McAfeeFramework
- McShield
- McTaskManager
- navapsvc
- NOD32krn
- NPFMntor
- NSCService
- Outpost Firewall main module
- OutpostFirewall
- PAVFIRES
- PAVFNSVR
- PavProt
- PavPrSrv
- PAVSRV
- PcCtlCom
- PersonalFirewal
- PREVSRV
- ProtoPort Firewall service
- PSIMSVC
- RapApp
- SavRoam
- SmcService
- SNDSrvc
- SPBBCSvc
- SpIDer FS Monitor for Windows NT
- SpIDer Guard File System Monitor
- SPIDERNT
- Symantec AntiVirus
- Symantec AntiVirus Definition Watcher
- Symantec Core LC
- Symantec Password Validation
- tcpsr
- Tmntsrv
- TmPfw
- tmproxy
- UmxAgent
- UmxCfg
- UmxLU
- UmxPol
- vsmon
- VSSERV
- WebrootDesktopFirewallDataService
- WebrootFirewall
- XCOMM
The virus blocks access to any domains that contain any of the following strings in their name:
- agnmitum.
- bitdefender.
- cureit
- drweb.
- eset.com
- etrust.com
- ewido.
- f-secure.
- kaspersky
- mcafee.
- onlinescan.
- pandasoftware.
- sality-remov
- sophos.
- spywareguide.
- spywareinfo.
- symantec.
- trendmicro.
- upload_virus
- virusinfo.
- virusscan.
- virustotal.
- windowsecurity.
The virus modifies the following file:
- SYSTEM.INI
The virus writes the following entries to the file:
- [MCIDRV_VER]
- DEVICEMB=%number%
The %number% represents a random number.
The virus acquires data and commands from a remote computer or the Internet.
It contains a list of 4 URLs and communicates with them over HTTP.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
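The indicators listed under Installation, Spreading on removable media and Other information above can be turned into triage rules over host telemetry. The Python below is an added example, not ESET's or the malware's code: the event dicts are a constructed Sysmon-like shape with invented field names (EventType, CommandLine, TargetObject, Details), the sample records are made up for the test, and the two INI helpers check for the SYSTEM.INI marker and an autorun.inf launch target described above.

```python
"""Triage constructed host telemetry for the Win32/Sality.NAU behaviour
listed on this page: firewall disabled via netsh, firewall exception added,
Security Center overrides, UAC and tool lockouts, SafeBoot key deletion,
the SYSTEM.INI marker and autorun.inf on removable media.
Added example, not ESET's or the malware's code; the event shape is invented."""
import re

NETSH_DISABLE = re.compile(r"netsh\s+firewall\s+set\s+opmode\s+disable", re.I)
FW_EXCEPTION = re.compile(r":\*:enabled:ipsec$", re.I)
INI_SECTION = re.compile(r"^\s*\[MCIDRV_VER\]\s*$", re.I | re.M)
INI_VALUE = re.compile(r"^\s*DEVICEMB\s*=\s*\d+\s*$", re.I | re.M)
AUTORUN_CMD = re.compile(r"^\s*(?:open|shellexecute)\s*=\s*(.+?)\s*$", re.I | re.M)

SECURITY_CENTER_VALUES = ("AntiVirusOverride", "AntiVirusDisableNotify",
                          "FirewallDisableNotify", "FirewallOverride",
                          "UpdatesDisableNotify", "UacDisableNotify")
# (registry key suffix, value name, value the virus writes), from the lists above
REGISTRY_RULES = (
    [(r"\software\microsoft\security center", n, 1) for n in SECURITY_CENTER_VALUES]
    + [(r"\software\microsoft\security center\svc", n, 1) for n in SECURITY_CENTER_VALUES]
    + [(r"\currentversion\policies\system", "DisableTaskMgr", 1),
       (r"\currentversion\policies\system", "DisableRegistryTools", 1),
       (r"\currentversion\policies\system", "EnableLUA", 0)]
)


def value_as_int(details):
    """Read '1', '0x1' or a Sysmon-style 'DWORD (0x00000001)' as an int."""
    m = re.search(r"0x([0-9a-f]+)|(\d+)", str(details), re.I)
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


def registry_indicators(target, details):
    """Match one RegistryValueSet event against the rules above."""
    hits = []
    # Firewall exception: the value name is itself a path, so match on the key
    if "\\authorizedapplications\\list\\" in target.lower() and FW_EXCEPTION.search(str(details)):
        hits.append("Windows Firewall exception added: " + str(details))
    key, _, name = target.rpartition("\\")
    for suffix, rule_name, expected in REGISTRY_RULES:
        if (key.lower().endswith(suffix) and name.lower() == rule_name.lower()
                and value_as_int(details) == expected):
            hits.append(f"{rule_name}={expected} under ...{suffix}")
    return hits


def check_event(ev):
    """Return the Sality indicators one event matches (empty list if none)."""
    kind = ev.get("EventType")
    if kind == "ProcessCreate" and NETSH_DISABLE.search(ev.get("CommandLine", "")):
        return ["Windows Firewall disabled via netsh"]
    if kind == "RegistryValueSet":
        return registry_indicators(ev["TargetObject"], ev.get("Details", ""))
    if kind == "RegistryKeyDelete" and ev["TargetObject"].lower().endswith("\\control\\safeboot"):
        return ["SafeBoot key deleted (Safe Mode disabled)"]
    return []


def triage(events):
    """Map event index -> indicators for every event that matches a rule."""
    result = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            result[i] = hits
    return result


def has_ini_marker(system_ini_text):
    """True when SYSTEM.INI carries the [MCIDRV_VER] / DEVICEMB=<number> marker."""
    return bool(INI_SECTION.search(system_ini_text) and INI_VALUE.search(system_ini_text))


def autorun_target(autorun_inf_text):
    """Return the file an autorun.inf launches if it has a .exe/.pif/.cmd name."""
    m = AUTORUN_CMD.search(autorun_inf_text)
    if not m:
        return None
    target = m.group(1).strip('"')
    return target if target.lower().endswith((".exe", ".pif", ".cmd")) else None


# Constructed sample telemetry: the first five records mirror the page's
# indicators, the last two are benign and must not fire.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "CommandLine": "netsh firewall set opmode disable"},
    {"EventType": "RegistryValueSet", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride"},
    {"EventType": "RegistryValueSet", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA"},
    {"EventType": "RegistryValueSet", "Details": r"C:\Users\alice\Downloads\setup.exe:*:Enabled:ipsec",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
                     r"\StandardProfile\AuthorizedApplications\List\C:\Users\alice\Downloads\setup.exe"},
    {"EventType": "RegistryKeyDelete", "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"},
    {"EventType": "RegistryValueSet", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"EventType": "ProcessCreate", "CommandLine": "netsh firewall show state"},
]
```

The rules deliberately leave out the Explorer "Hidden" and "GlobalUserOffline" values, which users and ordinary software also change; the Security Center overrides, EnableLUA = 0 and a deleted SafeBoot key are rarely legitimate on a workstation and are worth an alert on their own. A `DEVICEMB` entry in SYSTEM.INI is only a marker the virus leaves for itself, so treat it as evidence of a past infection even if the executables have since been cleaned.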