Win32/Sality [Threat Name]

Win32/Sality.T [Threat Variant Name]

Category: virus

Aliases:

  • Virus.Win32.Sality.t (Kaspersky)
  • W32.Sality.Y!inf (Symantec)
  • W32/Sality.p.virus (McAfee)

Short description

Win32/Sality.T is a polymorphic file infector.

Installation

When executed, the virus drops one of the following files in the %system% folder:

  • oledsp32.dl_ (18902 B)
  • oledsp32.dll (26624 B)

Executable file infection

Win32/Sality.T is a polymorphic file infector.
The virus searches for executables with one of the following extensions:

  • .exe
  • .scr

Infection is attempted only if an executable is not in a folder that contains one of the following strings in the name:

  • AHEAD

Files are infected by adding a new section that contains the virus.

The size of the inserted code is 20 KB.

The host file is modified in a way that causes the virus to be executed prior to running the original code. The virus infects files referenced by the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

This causes the virus to be executed on every system start.

Information stealing

Win32/Sality.T is a virus that steals sensitive information.
The following information is collected:

  • user name
  • computer name
  • malware version
  • computer IP address
  • operating system version
  • list of disk devices and their type
  • RAS accounts
  • a list of recently visited URLs

The data is saved in the following file:

  • %system%\TFTempCache

The virus sends the information via e-mail. The virus uses the following SMTP server:

  • msx.mail.ru

The sender address is one of the following:

  • CyberMazafaka@mailru.com

The recipient address is one of the following:

  • sector2007@list.ru
  • bespontovij@list.ru

The name of the attached file is one of the following:

  • readme.tjc
  • TFTempCache.tjc
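
The exfiltration path described above (a fixed SMTP relay, a fixed sender, two recipients and two attachment names) is the part of this variant that a mail gateway or proxy can see. The following script is an added example, not part of the ESET description: it matches those indicators against mail-gateway log lines. The key=value log format and the sample lines are constructed for the example; the field names (host, relay, from, to, attach) are assumptions, and a real gateway's format needs its own parser.

```python
"""Detection over mail-gateway log lines for the Win32/Sality.T
exfiltration indicators on this page: SMTP server, sender address,
recipient addresses and attachment names.  The log format below is
constructed for the example; adapt parse_line() to your gateway."""
import re

# Indicators taken from the page (compared case-insensitively).
SMTP_SERVER = "msx.mail.ru"
SENDER = "cybermazafaka@mailru.com"
RECIPIENTS = {"sector2007@list.ru", "bespontovij@list.ru"}
ATTACHMENTS = {"readme.tjc", "tftempcache.tjc"}

# Constructed (hypothetical) gateway format: key=value pairs, one event per line.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return a dict of key/value fields from one constructed log line."""
    fields = {}
    for key, val in KV_RE.findall(line):
        fields[key] = val.strip('"')
    return fields


def match_indicators(event):
    """Return the names of the page's indicators that match one parsed event."""
    hits = []
    if event.get("relay", "").lower() == SMTP_SERVER:
        hits.append("smtp_server")
    if event.get("from", "").lower() == SENDER:
        hits.append("sender")
    if event.get("to", "").lower() in RECIPIENTS:
        hits.append("recipient")
    if event.get("attach", "").lower() in ATTACHMENTS:
        hits.append("attachment")
    return hits


def scan_mail_log(lines):
    """Return (host, line_number, hits) for every line matching at least one indicator."""
    findings = []
    for number, line in enumerate(lines, 1):
        event = parse_line(line)
        hits = match_indicators(event)
        if hits:
            findings.append((event.get("host", "?"), number, hits))
    return findings


# Constructed sample log lines (not real traffic); the timestamps and hosts are invented.
SAMPLE_LOG = [
    "2008-03-01T10:02:11 host=WS01 relay=msx.mail.ru from=CyberMazafaka@mailru.com "
    "to=sector2007@list.ru attach=TFTempCache.tjc",
    "2008-03-01T10:05:40 host=WS02 relay=smtp.example.test from=alice@example.test "
    "to=bob@example.test attach=report.pdf",
    "2008-03-01T10:07:03 host=WS01 relay=msx.mail.ru from=CyberMazafaka@mailru.com "
    "to=bespontovij@list.ru attach=readme.tjc",
    "2008-03-01T10:09:55 host=WS03 relay=smtp.example.test from=carol@example.test "
    "to=sector2007@list.ru attach=notes.txt",
]

if __name__ == "__main__":
    for host, number, hits in scan_mail_log(SAMPLE_LOG):
        print(f"line {number} host {host}: {', '.join(hits)}")
```

A single recipient match (the fourth sample line) is a weaker signal than the full relay/sender/recipient/attachment combination on the first and third lines, so the function reports which indicators matched rather than a bare yes/no; a host that hits all four is the one to isolate and image first.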

Other information

If the current system date and time matches certain conditions, the virus displays the following message:

WIN32.HLLP.KUKU v3.0b <<<<< Hey, Lamer! Say "Bye-bye" to your data! >>>>> Copyright (c) by Sector

The following files are deleted:

  • *.vdb
  • *.avc
  • *drw*.key

The virus modifies the following file:

  • %windir%\system.ini

The virus writes the following entries to the file:

  • [TFTempCache]
    • RtlMoveMemory=%number%
    • MPR=%number%

The variable %number% represents a single-digit number.
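The [TFTempCache] section in system.ini and the two files dropped into %system% are the host-side artifacts this page gives, and they are cheap to check during triage. The following script is an added example, not part of the ESET description: it parses system.ini text for the marker section with single-digit RtlMoveMemory/MPR values, and compares a %system% directory listing against the dropped-file names and sizes listed above. The sample system.ini text and directory listing are constructed; on a live host read the real file and directory instead.

```python
"""Host triage helpers for the Win32/Sality.T artifacts on this page:
the [TFTempCache] section written to %windir%\\system.ini and the
files dropped into %system%.  Sample inputs are constructed."""
import re

# Dropped files from the page: file name -> size in bytes.
DROPPED_FILES = {"oledsp32.dl_": 18902, "oledsp32.dll": 26624}
MARKER_SECTION = "tftempcache"
MARKER_KEYS = {"rtlmovememory", "mpr"}


def parse_ini_sections(text):
    """Minimal INI parser: {section_lower: {key_lower: value}}.
    Tolerates comment and junk lines, which system.ini often contains."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, val = line.partition("=")
            sections[current][key.strip().lower()] = val.strip()
    return sections


def find_tftempcache_marker(ini_text):
    """Return the marker entries if system.ini carries a [TFTempCache] section
    with single-digit RtlMoveMemory/MPR values (as the page describes), else None."""
    section = parse_ini_sections(ini_text).get(MARKER_SECTION)
    if not section:
        return None
    found = {k: v for k, v in section.items()
             if k in MARKER_KEYS and re.fullmatch(r"\d", v)}
    return found or None


def check_dropped_files(system_dir_listing):
    """Given {filename: size_in_bytes} for %system%, return (name, size_matches)
    for every entry whose name is one of the page's dropped files."""
    hits = []
    for name, size in system_dir_listing.items():
        expected = DROPPED_FILES.get(name.lower())
        if expected is not None:
            hits.append((name, size == expected))
    return hits


# Constructed samples (not taken from a real machine).
SAMPLE_SYSTEM_INI = """; constructed system.ini
[drivers]
wave=mmdrv.dll
timer=timer.drv

[TFTempCache]
RtlMoveMemory=3
MPR=7
"""
SAMPLE_SYSTEM_DIR = {"other.dll": 4096, "oledsp32.dll": 26624, "OLEDSP32.DL_": 18902}

if __name__ == "__main__":
    print("marker:", find_tftempcache_marker(SAMPLE_SYSTEM_INI))
    print("dropped files:", check_dropped_files(SAMPLE_SYSTEM_DIR))
```

A name match with a size mismatch is still worth a look (a different build of the dropper, or a benign file with an unlucky name), which is why check_dropped_files reports both rather than filtering on size.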
