Win32/Sality [Threat Name] go to Threat

Win32/Sality.NBA [Threat Variant Name]

Category virus
Detection created Mar 17, 2010
Detection database version 10187
Aliases Virus.Win32.Sality.gen (Kaspersky)
  Virus:Win32/Sality.AT (Microsoft)
  W32/Sality.gen.z (McAfee)
Short description

Win32/Sality.NBA is a polymorphic file infector.

Installation

When executed the virus drops in folder %system%\drivers\ the following file:

  • %variable%.sys

A string with variable content is used instead of %variable% .


The following files are dropped into the %temp% folder:

  • %variable%.exe

%variable% represent random text. The file is then executed.


The virus registers itself as a system service using the following name:

  • IpFilterDriver
  • amsint32

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile\­AuthorizedApplications\­List]
    • "%infectedfilepath%" = "%infectedfilepath%:*:Enabled:ipsec"

The performed data entry creates an exception in the Windows Firewall program.


The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings]
    • "GlobalUserOffline" = 0
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­policies\­system]
    • "EnableLUA" = 0
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile]
    • "EnableFirewall" = 0
    • "DoNotAllowExceptions" = 0
    • "DisableNotifications" = 1
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­wscsvc]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­ALG]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­SharedAccess]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Security Center]
    • "AntiVirusOverride" = 1
    • "AntiVirusDisableNotify" = 1
    • "FirewallDisableNotify" = 1
    • "FirewallOverride" = 1
    • "UpdatesDisableNotify" = 1
    • "UacDisableNotify" = 1
    • "AntiSpywareOverride" = 1
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Security Center\­Svc]
    • "AntiVirusOverride" = 1
    • "AntiVirusDisableNotify" = 1
    • "FirewallDisableNotify" = 1
    • "FirewallOverride" = 1
    • "UpdatesDisableNotify" = 1
    • "UacDisableNotify" = 1
    • "AntiSpywareOverride" = 1

The following Registry entries are deleted:

  • [HKEY_USERS\­Software\­Microsoft\­Windows\­CurrentVersion\­Ext\­Stats]
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Ext\­Stats]
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Ext\­Stats]
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Browser Helper Objects]
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Browser Helper Objects]
  • [HKEY_CURRENT_USER\­System\­CurrentControlSet\­Control\­SafeBoot]
  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Control\­SafeBoot]
Executable file infection

Win32/Sality.NBA is a polymorphic file infector.


The virus searches local and network drives for files with one of the following extensions:

  • .exe
  • .scr

Executables are infected by appending the code of the virus to the last section.


The host file is modified in a way that causes the virus to be executed prior to running the original code.


The virus infects files referenced by the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]

This causes the virus to be executed on every system start.

Spreading on removable media

The virus copies itself into the root folders of removable drives using a random filename.


The filename has one of the following extensions:

  • .exe
  • .pif
  • .cmd

The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.


Thus, the virus ensures it is started each time infected media is inserted into the computer.

Other information

The following files are deleted:

  • *.vdb
  • *.avc
  • *drw*.key

The following services are disabled:

  • AVP
  • Agnitum Client Security Service
  • ALG
  • Amon monitor
  • aswUpdSv
  • aswMon2
  • aswRdr
  • aswSP
  • aswTdi
  • aswFsBlk
  • acssrv
  • AV Engine
  • avast! iAVS4 Control Service
  • avast! Antivirus
  • avast! Mail Scanner
  • avast! Web Scanner
  • avast! Asynchronous Virus Monitor
  • avast! Self Protection
  • AVG E-mail Scanner
  • Avira AntiVir Premium Guard
  • Avira AntiVir Premium WebGuard
  • Avira AntiVir Premium MailGuard
  • BGLiveSvc
  • BlackICE
  • CAISafe
  • ccEvtMgr
  • ccProxy
  • ccSetMgr
  • COMODO Firewall Pro Sandbox Driver
  • cmdGuard
  • cmdAgent
  • Eset Service
  • Eset HTTP Server
  • Eset Personal Firewall
  • F-Prot Antivirus Update Monitor
  • fsbwsys
  • FSDFWD
  • F-Secure Gatekeeper Handler Starter
  • FSMA
  • Google Online Services
  • InoRPC
  • InoRT
  • InoTask
  • ISSVC
  • KPF4
  • KLIF
  • LavasoftFirewall
  • LIVESRV
  • McAfeeFramework
  • McShield
  • McTaskManager
  • MpsSvc
  • navapsvc
  • NOD32krn
  • NPFMntor
  • NSCService
  • Outpost Firewall main module
  • OutpostFirewall
  • PAVFIRES
  • PAVFNSVR
  • PavProt
  • PavPrSrv
  • PAVSRV
  • PcCtlCom
  • PersonalFirewal
  • PREVSRV
  • ProtoPort Firewall service
  • PSIMSVC
  • RapApp
  • SharedAccess
  • SmcService
  • SNDSrvc
  • SPBBCSvc
  • SpIDer FS Monitor for Windows NT
  • SpIDer Guard File System Monitor
  • SPIDERNT
  • Symantec Core LC
  • Symantec Password Validation
  • Symantec AntiVirus Definition Watcher
  • SavRoam
  • Symantec AntiVirus
  • Tmntsrv
  • TmPfw
  • UmxAgent
  • UmxCfg
  • UmxLU
  • UmxPol
  • vsmon
  • VSSERV
  • WebrootDesktopFirewallDataService
  • WebrootFirewall
  • XCOMM

The virus terminates processes with any of the following strings in the name:

  • AVPM.
  • A2GUARD
  • A2CMD.
  • A2SERVICE.
  • A2FREE
  • AVAST
  • ADVCHK.
  • AGB.
  • AKRNL.
  • AHPROCMONSERVER.
  • AIRDEFENSE
  • ALERTSVC
  • AVIRA
  • AMON.
  • TROJAN.
  • AVZ.
  • ANTIVIR
  • APVXDWIN.
  • ARMOR2NET.
  • ASHAVAST.
  • ASHDISP.
  • ASHENHCD.
  • ASHMAISV.
  • ASHPOPWZ.
  • ASHSERV.
  • ASHSIMPL.
  • ASHSKPCK.
  • ASHWEBSV.
  • ASWUPDSV.
  • ASWSCAN
  • AVCIMAN.
  • AVCONSOL.
  • AVENGINE.
  • AVESVC.
  • AVEVAL.
  • AVEVL32.
  • AVGAM
  • AVGCC.
  • AVGCHSVX.
  • AVGCSRVX.
  • AVGNSX.
  • AVGCC32.
  • AVGCTRL.
  • AVGEMC.
  • AVGFWSRV.
  • AVGNT.
  • AVCENTER
  • AVGNTMGR
  • AVGSERV.
  • AVGTRAY.
  • AVGUARD.
  • AVGUPSVC.
  • AVGWDSVC.
  • AVINITNT.
  • AVKSERV.
  • AVKSERVICE.
  • AVKWCTL.
  • AVP.
  • AVP32.
  • AVPCC.
  • AVAST
  • AVSERVER.
  • AVSCHED32.
  • AVSYNMGR.
  • AVWUPD32.
  • AVWUPSRV.
  • AVXMONITOR
  • AVXQUAR.
  • BDSWITCH.
  • BLACKD.
  • BLACKICE.
  • CAFIX.
  • BITDEFENDER
  • CCEVTMGR.
  • CFP.
  • CFPCONFIG.
  • CCSETMGR.
  • CFIAUDIT.
  • CLAMTRAY.
  • CLAMWIN.
  • CUREIT
  • DEFWATCH.
  • DRVIRUS.
  • DRWADINS.
  • DRWEB
  • DEFENDERDAEMON
  • DWEBLLIO
  • DWEBIO
  • ESCANH95.
  • ESCANHNT.
  • EWIDOCTRL.
  • EZANTIVIRUSREGISTRATIONCHECK.
  • F-AGNT95.
  • FAMEH32.
  • FILEMON
  • FIREWALL
  • FORTICLIENT
  • FORTITRAY.
  • FORTISCAN
  • FPAVSERVER.
  • FPROTTRAY.
  • FPWIN.
  • FRESHCLAM.
  • EKRN.
  • FSAV32.
  • FSAVGUI.
  • FSBWSYS.
  • F-SCHED.
  • FSDFWD.
  • FSGK32.
  • FSGK32ST.
  • FSGUIEXE.
  • FSMA32.
  • FSMB32.
  • FSPEX.
  • FSSM32.
  • F-STOPW.
  • GCASDTSERV.
  • GCASSERV.
  • GIANTANTISPYWARE
  • GUARDGUI.
  • GUARDNT.
  • GUARDXSERVICE.
  • GUARDXKICKOFF.
  • HREGMON.
  • HRRES.
  • HSOCKPE.
  • HUPDATE.
  • IAMAPP.
  • IAMSERV.
  • ICLOAD95.
  • ICLOADNT.
  • ICMON.
  • ICSSUPPNT.
  • ICSUPP95.
  • ICSUPPNT.
  • IPTRAY.
  • INETUPD.
  • INOCIT.
  • INORPC.
  • INORT.
  • INOTASK.
  • INOUPTNG.
  • IOMON98.
  • ISAFE.
  • ISATRAY.
  • KAV.
  • KAVMM.
  • KAVPF.
  • KAVPFW.
  • KAVSTART.
  • KAVSVC.
  • KAVSVCUI.
  • KMAILMON.
  • MAMUTU
  • MCAGENT.
  • MCMNHDLR.
  • MCREGWIZ.
  • MCUPDATE.
  • MCVSSHLD.
  • MINILOG.
  • MYAGTSVC.
  • MYAGTTRY.
  • NAVAPSVC.
  • NAVAPW32.
  • NAVLU32.
  • NAVW32.
  • NEOWATCHLOG.
  • NEOWATCHTRAY.
  • NISSERV
  • NISUM.
  • NMAIN.
  • NOD32
  • NORMIST.
  • NOTSTART.
  • NPAVTRAY.
  • NPFMNTOR.
  • NPFMSG.
  • NPROTECT.
  • NSCHED32.
  • NSMDTR.
  • NSSSERV.
  • NSSTRAY.
  • NTRTSCAN.
  • NTOS.
  • NTXCONFIG.
  • NUPGRADE.
  • NVCOD.
  • NVCTE.
  • NVCUT.
  • NWSERVICE.
  • OFCPFWSVC.
  • OUTPOST
  • ONLINENT.
  • OPSSVC.
  • OP_MON.
  • PAVFIRES.
  • PAVFNSVR.
  • PAVKRE.
  • PAVPROT.
  • PAVPROXY.
  • PAVPRSRV.
  • PAVSRV51.
  • PAVSS.
  • PCCGUIDE.
  • PCCIOMON.
  • PCCNTMON.
  • PCCPFW.
  • PCCTLCOM.
  • PCTAV.
  • PERSFW.
  • PERTSK.
  • PERVAC.
  • PESTPATROL
  • PNMSRV.
  • PREVSRV.
  • PREVX
  • PSIMSVC.
  • QUHLPSVC.
  • QHONLINE.
  • QHONSVC.
  • QHWSCSVC.
  • QHSET.
  • RFWMAIN.
  • RTVSCAN.
  • RTVSCN95.
  • SALITY
  • SAPISSVC.
  • SCANWSCS.
  • SAVADMINSERVICE.
  • SAVMAIN.
  • SAVPROGRESS.
  • SAVSCAN.
  • SCANNINGPROCESS.
  • SDRA64.
  • SDHELP.
  • SHSTAT.
  • SITECLI.
  • SPBBCSVC.
  • SPHINX.
  • SPIDERCPL.
  • SPIDERML.
  • SPIDERNT.
  • SPIDERUI.
  • SPYBOTSD.
  • SPYXX.
  • SS3EDIT.
  • STOPSIGNAV.
  • SWAGENT.
  • SWDOCTOR.
  • SWNETSUP.
  • SYMLCSVC.
  • SYMPROXYSVC.
  • SYMSPORT.
  • SYMWSC.
  • SYNMGR.
  • TAUMON.
  • TBMON.
  • TMLISTEN.
  • TMNTSRV.
  • TMPROXY.
  • TNBUTIL.
  • TRJSCAN.
  • VBA32ECM.
  • VBA32IFS.
  • VBA32LDR.
  • VBA32PP3.
  • VBSNTW.
  • VCRMON.
  • VPTRAY.
  • VRFWSVC.
  • VRMONNT.
  • VRMONSVC.
  • VRRW32.
  • VSECOMR.
  • VSHWIN32.
  • VSMON.
  • VSSERV.
  • VSSTAT.
  • WATCHDOG.
  • WEBSCANX.
  • WINSSNOTIFY.
  • WRCTRL.
  • XCOMMSVR.
  • ZLCLIENT
  • ZONEALARM

The virus contains a list of URLs.


It tries to download several files from the addresses.


These are stored in the following locations:

  • %temp%\­win%variable%.exe
  • %temp%\­%variable%.exe

A string with variable content is used instead of %variable% .


The files are then executed.


The virus creates and runs a new thread with its own program code in all running processes.


The virus modifies the following file:

  • SYSTEM.INI

The virus writes the following entries to the file:

  • [MCIDRV_VER]
    • DEVICEMB=%number%

The %number% represents a random number.

Please enable Javascript to ensure correct displaying of this content and refresh this page.