Win32/Sality [Threat Name] go to Threat
Win32/Sality.NBA [Threat Variant Name]
| Category | virus |
| Aliases | Virus.Win32.Sality.gen (Kaspersky) |
| Virus:Win32/Sality.AT (Microsoft) | |
| W32/Sality.gen.z (McAfee) |
Short description
Win32/Sality.NBA is a polymorphic file infector.
Installation
When executed the virus drops in folder %system%\drivers\ the following file:
- %variable%.sys
A string with variable content is used instead of %variable% .
The following files are dropped into the %temp% folder:
- %variable%.exe
%variable% represent random text. The file is then executed.
The virus registers itself as a system service using the following name:
- IpFilterDriver
- amsint32
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%infectedfilepath%" = "%infectedfilepath%:*:Enabled:ipsec"
The performed data entry creates an exception in the Windows Firewall program.
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- "GlobalUserOffline" = 0
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system]
- "EnableLUA" = 0
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
- "EnableFirewall" = 0
- "DoNotAllowExceptions" = 0
- "DisableNotifications" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
- "Start" = 4
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG]
- "Start" = 4
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
- "Start" = 4
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
- "AntiVirusOverride" = 1
- "AntiVirusDisableNotify" = 1
- "FirewallDisableNotify" = 1
- "FirewallOverride" = 1
- "UpdatesDisableNotify" = 1
- "UacDisableNotify" = 1
- "AntiSpywareOverride" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
- "AntiVirusOverride" = 1
- "AntiVirusDisableNotify" = 1
- "FirewallDisableNotify" = 1
- "FirewallOverride" = 1
- "UpdatesDisableNotify" = 1
- "UacDisableNotify" = 1
- "AntiSpywareOverride" = 1
The following Registry entries are deleted:
- [HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats]
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\Stats]
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
- [HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot]
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot]
Executable file infection
Win32/Sality.NBA is a polymorphic file infector.
The virus searches local and network drives for files with one of the following extensions:
- .exe
- .scr
Executables are infected by appending the code of the virus to the last section.
The host file is modified in a way that causes the virus to be executed prior to running the original code.
The virus infects files referenced by the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
This causes the virus to be executed on every system start.
Spreading on removable media
The virus copies itself into the root folders of removable drives using a random filename.
The filename has one of the following extensions:
- .exe
- .pif
- .cmd
The following file is dropped in the same folder:
- autorun.inf
The AUTORUN.INF file contains the path to the malware executable.
Thus, the virus ensures it is started each time infected media is inserted into the computer.
Other information
The following files are deleted:
- *.vdb
- *.avc
- *drw*.key
The following services are disabled:
- AVP
- Agnitum Client Security Service
- ALG
- Amon monitor
- aswUpdSv
- aswMon2
- aswRdr
- aswSP
- aswTdi
- aswFsBlk
- acssrv
- AV Engine
- avast! iAVS4 Control Service
- avast! Antivirus
- avast! Mail Scanner
- avast! Web Scanner
- avast! Asynchronous Virus Monitor
- avast! Self Protection
- AVG E-mail Scanner
- Avira AntiVir Premium Guard
- Avira AntiVir Premium WebGuard
- Avira AntiVir Premium MailGuard
- BGLiveSvc
- BlackICE
- CAISafe
- ccEvtMgr
- ccProxy
- ccSetMgr
- COMODO Firewall Pro Sandbox Driver
- cmdGuard
- cmdAgent
- Eset Service
- Eset HTTP Server
- Eset Personal Firewall
- F-Prot Antivirus Update Monitor
- fsbwsys
- FSDFWD
- F-Secure Gatekeeper Handler Starter
- FSMA
- Google Online Services
- InoRPC
- InoRT
- InoTask
- ISSVC
- KPF4
- KLIF
- LavasoftFirewall
- LIVESRV
- McAfeeFramework
- McShield
- McTaskManager
- MpsSvc
- navapsvc
- NOD32krn
- NPFMntor
- NSCService
- Outpost Firewall main module
- OutpostFirewall
- PAVFIRES
- PAVFNSVR
- PavProt
- PavPrSrv
- PAVSRV
- PcCtlCom
- PersonalFirewal
- PREVSRV
- ProtoPort Firewall service
- PSIMSVC
- RapApp
- SharedAccess
- SmcService
- SNDSrvc
- SPBBCSvc
- SpIDer FS Monitor for Windows NT
- SpIDer Guard File System Monitor
- SPIDERNT
- Symantec Core LC
- Symantec Password Validation
- Symantec AntiVirus Definition Watcher
- SavRoam
- Symantec AntiVirus
- Tmntsrv
- TmPfw
- UmxAgent
- UmxCfg
- UmxLU
- UmxPol
- vsmon
- VSSERV
- WebrootDesktopFirewallDataService
- WebrootFirewall
- XCOMM
The virus terminates processes with any of the following strings in the name:
- AVPM.
- A2GUARD
- A2CMD.
- A2SERVICE.
- A2FREE
- AVAST
- ADVCHK.
- AGB.
- AKRNL.
- AHPROCMONSERVER.
- AIRDEFENSE
- ALERTSVC
- AVIRA
- AMON.
- TROJAN.
- AVZ.
- ANTIVIR
- APVXDWIN.
- ARMOR2NET.
- ASHAVAST.
- ASHDISP.
- ASHENHCD.
- ASHMAISV.
- ASHPOPWZ.
- ASHSERV.
- ASHSIMPL.
- ASHSKPCK.
- ASHWEBSV.
- ASWUPDSV.
- ASWSCAN
- AVCIMAN.
- AVCONSOL.
- AVENGINE.
- AVESVC.
- AVEVAL.
- AVEVL32.
- AVGAM
- AVGCC.
- AVGCHSVX.
- AVGCSRVX.
- AVGNSX.
- AVGCC32.
- AVGCTRL.
- AVGEMC.
- AVGFWSRV.
- AVGNT.
- AVCENTER
- AVGNTMGR
- AVGSERV.
- AVGTRAY.
- AVGUARD.
- AVGUPSVC.
- AVGWDSVC.
- AVINITNT.
- AVKSERV.
- AVKSERVICE.
- AVKWCTL.
- AVP.
- AVP32.
- AVPCC.
- AVAST
- AVSERVER.
- AVSCHED32.
- AVSYNMGR.
- AVWUPD32.
- AVWUPSRV.
- AVXMONITOR
- AVXQUAR.
- BDSWITCH.
- BLACKD.
- BLACKICE.
- CAFIX.
- BITDEFENDER
- CCEVTMGR.
- CFP.
- CFPCONFIG.
- CCSETMGR.
- CFIAUDIT.
- CLAMTRAY.
- CLAMWIN.
- CUREIT
- DEFWATCH.
- DRVIRUS.
- DRWADINS.
- DRWEB
- DEFENDERDAEMON
- DWEBLLIO
- DWEBIO
- ESCANH95.
- ESCANHNT.
- EWIDOCTRL.
- EZANTIVIRUSREGISTRATIONCHECK.
- F-AGNT95.
- FAMEH32.
- FILEMON
- FIREWALL
- FORTICLIENT
- FORTITRAY.
- FORTISCAN
- FPAVSERVER.
- FPROTTRAY.
- FPWIN.
- FRESHCLAM.
- EKRN.
- FSAV32.
- FSAVGUI.
- FSBWSYS.
- F-SCHED.
- FSDFWD.
- FSGK32.
- FSGK32ST.
- FSGUIEXE.
- FSMA32.
- FSMB32.
- FSPEX.
- FSSM32.
- F-STOPW.
- GCASDTSERV.
- GCASSERV.
- GIANTANTISPYWARE
- GUARDGUI.
- GUARDNT.
- GUARDXSERVICE.
- GUARDXKICKOFF.
- HREGMON.
- HRRES.
- HSOCKPE.
- HUPDATE.
- IAMAPP.
- IAMSERV.
- ICLOAD95.
- ICLOADNT.
- ICMON.
- ICSSUPPNT.
- ICSUPP95.
- ICSUPPNT.
- IPTRAY.
- INETUPD.
- INOCIT.
- INORPC.
- INORT.
- INOTASK.
- INOUPTNG.
- IOMON98.
- ISAFE.
- ISATRAY.
- KAV.
- KAVMM.
- KAVPF.
- KAVPFW.
- KAVSTART.
- KAVSVC.
- KAVSVCUI.
- KMAILMON.
- MAMUTU
- MCAGENT.
- MCMNHDLR.
- MCREGWIZ.
- MCUPDATE.
- MCVSSHLD.
- MINILOG.
- MYAGTSVC.
- MYAGTTRY.
- NAVAPSVC.
- NAVAPW32.
- NAVLU32.
- NAVW32.
- NEOWATCHLOG.
- NEOWATCHTRAY.
- NISSERV
- NISUM.
- NMAIN.
- NOD32
- NORMIST.
- NOTSTART.
- NPAVTRAY.
- NPFMNTOR.
- NPFMSG.
- NPROTECT.
- NSCHED32.
- NSMDTR.
- NSSSERV.
- NSSTRAY.
- NTRTSCAN.
- NTOS.
- NTXCONFIG.
- NUPGRADE.
- NVCOD.
- NVCTE.
- NVCUT.
- NWSERVICE.
- OFCPFWSVC.
- OUTPOST
- ONLINENT.
- OPSSVC.
- OP_MON.
- PAVFIRES.
- PAVFNSVR.
- PAVKRE.
- PAVPROT.
- PAVPROXY.
- PAVPRSRV.
- PAVSRV51.
- PAVSS.
- PCCGUIDE.
- PCCIOMON.
- PCCNTMON.
- PCCPFW.
- PCCTLCOM.
- PCTAV.
- PERSFW.
- PERTSK.
- PERVAC.
- PESTPATROL
- PNMSRV.
- PREVSRV.
- PREVX
- PSIMSVC.
- QUHLPSVC.
- QHONLINE.
- QHONSVC.
- QHWSCSVC.
- QHSET.
- RFWMAIN.
- RTVSCAN.
- RTVSCN95.
- SALITY
- SAPISSVC.
- SCANWSCS.
- SAVADMINSERVICE.
- SAVMAIN.
- SAVPROGRESS.
- SAVSCAN.
- SCANNINGPROCESS.
- SDRA64.
- SDHELP.
- SHSTAT.
- SITECLI.
- SPBBCSVC.
- SPHINX.
- SPIDERCPL.
- SPIDERML.
- SPIDERNT.
- SPIDERUI.
- SPYBOTSD.
- SPYXX.
- SS3EDIT.
- STOPSIGNAV.
- SWAGENT.
- SWDOCTOR.
- SWNETSUP.
- SYMLCSVC.
- SYMPROXYSVC.
- SYMSPORT.
- SYMWSC.
- SYNMGR.
- TAUMON.
- TBMON.
- TMLISTEN.
- TMNTSRV.
- TMPROXY.
- TNBUTIL.
- TRJSCAN.
- VBA32ECM.
- VBA32IFS.
- VBA32LDR.
- VBA32PP3.
- VBSNTW.
- VCRMON.
- VPTRAY.
- VRFWSVC.
- VRMONNT.
- VRMONSVC.
- VRRW32.
- VSECOMR.
- VSHWIN32.
- VSMON.
- VSSERV.
- VSSTAT.
- WATCHDOG.
- WEBSCANX.
- WINSSNOTIFY.
- WRCTRL.
- XCOMMSVR.
- ZLCLIENT
- ZONEALARM
The virus contains a list of URLs.
It tries to download several files from the addresses.
These are stored in the following locations:
- %temp%\win%variable%.exe
- %temp%\%variable%.exe
A string with variable content is used instead of %variable% .
The files are then executed.
The virus creates and runs a new thread with its own program code in all running processes.
The virus modifies the following file:
- SYSTEM.INI
The virus writes the following entries to the file:
- [MCIDRV_VER]
- DEVICEMB=%number%
The %number% represents a random number.