W32.Sality is a parasitic virus which infects shared drives and Windows executable files by putting its code to host files. It contains downloader functionality to further install Trojan or key logger components. Sality opens a backdoor that allow the remote attacker to get the full control over the infected computer and in turn the confidential information, representing a serious security risk.
Microsoft - Virus: Win32/sality.am
Kaspersky - Virus.Win32.Sality.aa
W32.Sality has the following symptoms:
• Modifies System.ini files (Check for the modified date)
• Services listening on the network port(s).
• Unexpected network trafic to one or more of the domain(s).
• No access to File Monitor.
• Disables Safe mode boot
• Disables regedit and taskmanager
• Disables Antivirus
Upon execution, it starts a service to listen on a random UDP Port and create a copy of itself in the following path(s):
It may parasitically infect *.exe and *scr files on the local, network and removable drives except for files containing the following string(s) in the filename:
Downloads further malware from the following domains:
It can also drop an Autorun.inf file to auto-execute itself
Once the sample is run, it immediately tries to hook to one of the random processes and connects to certain sites and downloads malware.
The screen shot above shows the virus connecting to the IP 126.96.36.199 on port 80 and establishing contact with a certain “http://bjerm.mass.hc.ru” to download the file “logoh.gif”
Below is a screen shot of sality hooking on to a certain “Notepad.exe”
One may notice that Notepad.exe is in the running processes even when it has never been opened by the user.( Check the system tray )
If we kill this process, Sality hooks on to another process.
Common Registry changes done by Sality
This is to disable regedit and taskmanager.
In an attempt to make recovery difficult for the victim, registry keys in the following sub-tree are deleted and needs to be restored to the original configuration if needed by the user:
Common URL’s accessed by Sality
The following domains need to be blocked at the firewall.