Win32/Sality [Threat Name]
Win32/Sality.NDR [Threat Variant Name]
Category | virus |
Aliases | Virus:Win32/Sality.AW (Microsoft), W32.Sality.AF (Symantec) |
Short description
Win32/Sality.NDR is a polymorphic file infector.
Installation
When executed, the virus drops the following file into the %system%\drivers\ folder:
- %variable%.sys
A string with variable content is used instead of %variable%.
The virus registers itself as a system service using the following name:
- amsint32
The following files are dropped into the %temp% folder:
- %variable%.exe
%variable% represents random text.
The file is then executed.
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%infectedfilepath%" = "%infectedfilepath%:*:Enabled:ipsec"
This entry adds an exception for the infected file to the Windows Firewall.
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- "GlobalUserOffline" = 0
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system]
- "EnableLUA" = 0
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
- "EnableFirewall" = 0
- "DoNotAllowExceptions" = 0
- "DisableNotifications" = 1
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "Hidden" = 2
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
- "Start" = 4
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG]
- "Start" = 4
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
- "Start" = 4
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
- "AntiVirusOverride" = 1
- "AntiVirusDisableNotify" = 1
- "FirewallDisableNotify" = 1
- "FirewallOverride" = 1
- "UpdatesDisableNotify" = 1
- "UacDisableNotify" = 1
- "AntiSpywareOverride" = 1
The following Registry entries are deleted:
- [HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot]
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot]
Executable file infection
Win32/Sality.NDR is a polymorphic file infector.
The virus searches local and network drives for files with one of the following extensions:
- .exe
- .scr
Executables are infected by appending the code of the virus to the last section.
The host file is modified in a way that causes the virus to be executed prior to running the original code.
The virus infects files referenced by the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
This causes the virus to be executed on every system start.
Spreading
The virus copies itself into the root folders of the following drives using a random filename.
The filename has one of the following extensions:
- .exe
- .pif
The following file is dropped in the same folder:
- autorun.inf
The AUTORUN.INF file contains the path to the malware executable.
Thus, the virus ensures it is started each time infected media is inserted into the computer.
The virus spreads by exploiting a vulnerability in the operating system of the targeted machine.
This vulnerability is described in CVE-2010-2568.
Other information
The following files are deleted:
- *.vdb
- *.avc
- *drw*.key
The following services are disabled:
- AVP
- Agnitum Client Security Service
- Amon monitor
- aswUpdSv
- aswMon2
- aswRdr
- aswSP
- aswTdi
- aswFsBlk
- acssrv
- AV Engine
- avast! iAVS4 Control Service
- avast! Antivirus
- avast! Mail Scanner
- avast! Web Scanner
- avast! Asynchronous Virus Monitor
- avast! Self Protection
- AVG E-mail Scanner
- Avira AntiVir Premium Guard
- Avira AntiVir Premium WebGuard
- Avira AntiVir Premium MailGuard
- BGLiveSvc
- BlackICE
- CAISafe
- ccEvtMgr
- ccProxy
- ccSetMgr
- COMODO Firewall Pro Sandbox Driver
- cmdGuard
- cmdAgent
- Eset Service
- Eset HTTP Server
- Eset Personal Firewall
- F-Prot Antivirus Update Monitor
- fsbwsys
- FSDFWD
- F-Secure Gatekeeper Handler Starter
- FSMA
- Google Online Services
- InoRPC
- InoRT
- InoTask
- ISSVC
- KPF4
- KLIF
- LavasoftFirewall
- LIVESRV
- McAfeeFramework
- McShield
- McTaskManager
- MpsSvc
- navapsvc
- NOD32krn
- NPFMntor
- NSCService
- Outpost Firewall main module
- OutpostFirewall
- PAVFIRES
- PAVFNSVR
- PavProt
- PavPrSrv
- PAVSRV
- PcCtlCom
- PersonalFirewal
- PREVSRV
- ProtoPort Firewall service
- PSIMSVC
- RapApp
- SharedAccess
- SmcService
- SNDSrvc
- SPBBCSvc
- SpIDer FS Monitor for Windows NT
- SpIDer Guard File System Monitor
- SPIDERNT
- Symantec Core LC
- Symantec Password Validation
- Symantec AntiVirus Definition Watcher
- SavRoam
- Symantec AntiVirus
- Tmntsrv
- TmPfw
- UmxAgent
- UmxCfg
- UmxLU
- UmxPol
- vsmon
- VSSERV
- WebrootDesktopFirewallDataService
- WebrootFirewall
- wscsvc
- XCOMM
The virus terminates processes with any of the following strings in the name:
- AVPM.
- A2GUARD
- A2CMD.
- A2SERVICE.
- A2FREE
- AVAST
- ADVCHK.
- AHPROCMONSERVER.
- AIRDEFENSE
- ALERTSVC
- AVIRA
- AMON.
- TROJAN
- AVZ.
- ANTIVIR
- APVXDWIN.
- ARMOR2NET.
- ASHAVAST.
- ASHDISP.
- ASHENHCD.
- ASHMAISV.
- ASHPOPWZ.
- ASHSERV.
- ASHSIMPL.
- ASHSKPCK.
- ASHWEBSV.
- ASWUPDSV.
- ASWSCAN
- AVCIMAN.
- AVCONSOL.
- AVENGINE.
- AVESVC.
- AVEVAL.
- AVEVL32.
- AVGAM
- AVGCC.
- AVGCHSVX.
- AVGCSRVX.
- AVGNSX.
- AVGCC32.
- AVGCTRL.
- AVGEMC
- AVGFWSRV.
- AVGNT.
- AVCENTER
- AVGNTMGR
- AVGSERV.
- AVGTRAY.
- AVGUARD.
- AVGUPSVC.
- AVGWDSVC.
- AVINITNT.
- AVKSERV.
- AVKSERVICE.
- AVKWCTL.
- AVP.
- AVP32.
- AVPCC.
- AVAST
- AVSERVER.
- AVSCHED32.
- AVSYNMGR.
- AVWUPD32.
- AVWUPSRV.
- AVXMONITOR
- AVXQUAR.
- BDSWITCH.
- BLACKD.
- BLACKICE.
- CAFIX.
- BITDEFENDER
- CCEVTMGR.
- CFPCONFIG.
- CCSETMGR.
- CFIAUDIT.
- CLAMTRAY.
- CLAMWIN.
- CUREIT
- DEFWATCH.
- DRVIRUS.
- DRWADINS.
- DRWEB
- DEFENDERDAEMON
- DWEBLLIO
- DWEBIO
- ESCANH95.
- ESCANHNT.
- EWIDOCTRL.
- EZANTIVIRUSREGISTRATIONCHECK.
- F-AGNT95.
- FAMEH32.
- FILEMON
- FIREWALL
- FORTICLIENT
- FORTITRAY.
- FORTISCAN
- FPAVSERVER.
- FPROTTRAY.
- FPWIN.
- FRESHCLAM.
- EKRN.
- FSAV32.
- FSAVGUI.
- FSBWSYS.
- F-SCHED.
- FSDFWD.
- FSGK32.
- FSGK32ST.
- FSGUIEXE.
- FSMA32.
- FSMB32.
- FSPEX.
- FSSM32.
- F-STOPW.
- GCASDTSERV.
- GCASSERV.
- GIANTANTISPYWARE
- GUARDGUI.
- GUARDNT.
- GUARDXSERVICE.
- GUARDXKICKOFF.
- HREGMON.
- HRRES.
- HSOCKPE.
- HUPDATE.
- IAMAPP.
- IAMSERV.
- ICLOAD95.
- ICLOADNT.
- ICMON.
- ICSSUPPNT.
- ICSUPP95.
- ICSUPPNT.
- IPTRAY.
- INETUPD.
- INOCIT.
- INORPC.
- INORT.
- INOTASK.
- INOUPTNG.
- IOMON98.
- ISAFE.
- ISATRAY.
- KAV.
- KAVMM.
- KAVPF.
- KAVPFW.
- KAVSTART.
- KAVSVC.
- KAVSVCUI.
- KMAILMON.
- MAMUTU
- MCAGENT.
- MCMNHDLR.
- MCREGWIZ.
- MCUPDATE.
- MCVSSHLD.
- MINILOG.
- MSSECES.
- MSSEOOBE.
- MYAGTSVC.
- MYAGTTRY.
- NAVAPSVC.
- NAVAPW32.
- NAVLU32.
- NAVW32.
- NEOWATCHLOG.
- NEOWATCHTRAY.
- NISSERV
- NISUM.
- NMAIN.
- NOD32
- NORMIST.
- NOTSTART.
- NPAVTRAY.
- NPFMNTOR.
- NPFMSG.
- NPROTECT.
- NSCHED32.
- NSMDTR.
- NSSSERV.
- NSSTRAY.
- NTRTSCAN.
- NTOS.
- NTXCONFIG.
- NUPGRADE.
- NVCOD.
- NVCTE.
- NVCUT.
- NWSERVICE.
- OFCPFWSVC.
- OUTPOST
- ONLINENT.
- OPSSVC.
- OP_MON.
- PAVFIRES.
- PAVFNSVR.
- PAVKRE.
- PAVPROT.
- PAVPROXY.
- PAVPRSRV.
- PAVSRV51.
- PAVSS.
- PCCGUIDE.
- PCCIOMON.
- PCCNTMON.
- PCCPFW.
- PCCTLCOM.
- PCTAV.
- PERSFW.
- PERTSK.
- PERVAC.
- PESTPATROL
- PNMSRV.
- PREVSRV.
- PREVX
- PSIMSVC.
- QUHLPSVC.
- QHONLINE.
- QHONSVC.
- QHWSCSVC.
- QHSET.
- RFWMAIN.
- RTVSCAN.
- RTVSCN95.
- SALITY
- SAPISSVC.
- SCANWSCS.
- SAVADMINSERVICE.
- SAVMAIN.
- SAVPROGRESS.
- SAVSCAN.
- SCANNINGPROCESS.
- SDRA64.
- SDHELP.
- SHSTAT.
- SITECLI.
- SPBBCSVC.
- SPHINX.
- SPIDERCPL.
- SPIDERML.
- SPIDERNT.
- SPIDERUI.
- SPYBOTSD.
- SPYXX.
- SS3EDIT.
- STOPSIGNAV.
- SWAGENT.
- SWDOCTOR.
- SWNETSUP.
- SYMLCSVC.
- SYMPROXYSVC.
- SYMSPORT.
- TAUMON.
- TMLISTEN.
- TMNTSRV.
- TMPROXY.
- TNBUTIL.
- TRJSCAN.
- VBA32ECM.
- VBA32IFS.
- VBA32LDR.
- VBA32PP3.
- VBSNTW.
- VCRMON.
- VRFWSVC.
- VRMONNT.
- VRMONSVC.
- VRRW32.
- VSECOMR.
- VSHWIN32.
- VSMON.
- VSSERV.
- VSSTAT.
- WATCHDOG.
- WEBSCANX.
- WINSSNOTIFY.
- WRCTRL.
- XCOMMSVR.
- ZLCLIENT
- ZONEALARM
The virus contains a list of URLs.
It tries to download several files from these addresses.
The files are then executed.
The virus creates and runs a new thread with its own program code in all running processes.
The virus modifies the following file:
- SYSTEM.INI
The virus writes the following entries to the file:
- [MCIDRV_VER]
- DEVICEMB=%number%
The %number% represents a random number.
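The registry tampering and firewall exception listed under Installation, and the SYSTEM.INI marker described above, can be checked offline against artifacts collected from a host. The script below is an added example, not ESET's code; the registry paths, value names and the "path:*:Enabled:name" exception format come from this description, and the sample artifacts are constructed.

```python
import re

# Registry values this description lists as set by Sality.NDR. A match is a
# tamper indicator worth investigating, not proof of infection on its own.
SALITY_TAMPER = {
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system", "EnableLUA"): 0,
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile", "EnableFirewall"): 0,
    (r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc", "Start"): 4,
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride"): 1,
}

# Firewall exceptions are stored as "<path>:*:Enabled:<display name>"; the
# description shows the infected host file registered under the name "ipsec".
FW_EXCEPTION = re.compile(r"^(?P<path>.+?):\*:Enabled:(?P<name>[^:]*)$", re.IGNORECASE)


def system_ini_marker(text):
    """Return the DEVICEMB value from a [MCIDRV_VER] section of SYSTEM.INI, or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
        elif section == "MCIDRV_VER" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().upper() == "DEVICEMB":
                return value.strip()
    return None


def registry_findings(values):
    """values: {(key_path, value_name): data} exported from a host; returns matching tamper settings."""
    return [f"{k}\\{n} = {d}" for (k, n), d in SALITY_TAMPER.items() if values.get((k, n)) == d]


def suspicious_firewall_exceptions(entries):
    """entries: {value_name: data} under ...\\AuthorizedApplications\\List; flags 'ipsec' exceptions."""
    hits = []
    for data in entries.values():
        m = FW_EXCEPTION.match(data)
        if m and m.group("name").lower() == "ipsec":
            hits.append(m.group("path"))
    return hits


# Constructed sample artifacts so the script runs stand-alone.
SAMPLE_INI = "[boot]\nshell=explorer.exe\n[MCIDRV_VER]\nDEVICEMB=4143\n"
SAMPLE_REG = {(r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc", "Start"): 4}
SAMPLE_FW = {r"C:\Tools\notepad.exe": r"C:\Tools\notepad.exe:*:Enabled:ipsec",
             r"C:\Program Files\App\app.exe": r"C:\Program Files\App\app.exe:*:Enabled:My App"}

if __name__ == "__main__":
    print(system_ini_marker(SAMPLE_INI), registry_findings(SAMPLE_REG), suspicious_firewall_exceptions(SAMPLE_FW))
```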