A live scenario on "How W32.Sality infects a user's machine"
W32.Sality
Overview
W32.Sality is a parasitic virus that infects Windows executable files, including those on shared drives, by appending its code to the host files. It contains downloader functionality to install further Trojan or keylogger components. Sality also opens a backdoor that allows a remote attacker to take full control of the infected computer, and with it the confidential information stored there, representing a serious security risk.
Aliases
Microsoft - Virus: Win32/sality.am
Kaspersky - Virus.Win32.Sality.aa
Symptoms
W32.Sality has the following symptoms:
• Modified System.ini file (check the modified date)
• Services listening on network port(s)
• Unexpected network traffic to one or more of the domains listed below
• No access to File Monitor
• Safe Mode boot disabled
• regedit and Task Manager disabled
• Antivirus disabled
Characteristics
Upon execution, it starts a service that listens on a random UDP port and creates a copy of itself in the following path:
%Windir%\System32\Drivers\{random}.sys
It may parasitically infect *.exe and *.scr files on local, network and removable drives, except for files containing any of the following strings in the filename:
• WINDOWS
• SYSTEM
• SYSTEM32
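Because the infection is parasitic (the host file is modified rather than replaced), the practical way to find infected executables on a share is to compare a hash baseline of *.exe and *.scr files taken before an incident with one taken afterwards. The script below is an added example, not code from this post or from Symantec; it builds that baseline, reports modified, added and missing executables, and runs a constructed demonstration in a temporary directory in which one executable has bytes appended to it.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# File types the write-up says Sality infects parasitically.
TARGET_SUFFIXES = {".exe", ".scr"}


def baseline(root: Path) -> Dict[str, str]:
    """Map each *.exe/*.scr under root (POSIX-style relative path) to its SHA-256."""
    out = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in TARGET_SUFFIXES:
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def compare(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two baselines; 'modified' is the list to send for AV re-scan."""
    return {
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
        "added": sorted(k for k in after if k not in before),
        "missing": sorted(k for k in before if k not in after),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed demonstration (not real malware): a fake share in a temp
    directory, then one executable grows by a few bytes and a new .exe appears."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "tools").mkdir()
        (root / "tools" / "app.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "saver.scr").write_bytes(b"MZ" + b"\x01" * 64)
        (root / "readme.txt").write_bytes(b"not a target")  # ignored: not .exe/.scr
        before = baseline(root)
        with open(root / "tools" / "app.exe", "ab") as f:
            f.write(b"APPENDED")  # simulates a host file being altered
        (root / "new.exe").write_bytes(b"MZ")
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In a real deployment the baseline would be written to a file on a trusted host and the comparison run against a read-only mapping of the suspect drive, as the third comment below describes.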
Downloads further malware from the following domains:
• 1.yimg.com
• Us.i1.yimg.com
• http:.//ad.yieldmanager.com
• mattfoll.eu.interia.pl
• bjerm.mass.hc.ru
It can also drop an Autorun.inf file to auto-execute itself
Once the sample is run, it immediately hooks into one of the running processes, chosen at random, connects to certain sites and downloads malware.
[Screenshot: network capture of the connection to bjerm.mass.hc.ru]
The screenshot above shows the virus connecting to the IP 89.111.173.114 on port 80, contacting “http://bjerm.mass.hc.ru” and downloading the file “logoh.gif”.
Below is a screenshot of Sality hooked into “Notepad.exe”.
[Screenshot: Sality hooked into Notepad.exe]
One may notice that Notepad.exe is among the running processes even though the user never opened it (check the system tray).
If this process is killed, Sality hooks into another process.
Common registry changes made by Sality
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr: 0x00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools
These disable regedit and Task Manager.
To make recovery difficult for the victim, the registry keys in the following sub-trees are deleted and need to be restored to their original configuration if the user requires them:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\*
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*
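A quick way to confirm these two changes on a suspect machine is to read the policy values and the SafeBoot sub-tree and turn them into a remediation list. The script below is an added example, not code from this post or from Symantec. It assumes the standard SafeBoot sub-keys `Minimal` and `Network` should exist on a healthy Windows install; the live read uses the `winreg` module and therefore only runs on Windows, while the assessment logic is plain Python and runs anywhere on a constructed snapshot.

```python
import sys
from typing import Dict, List, Optional

# Registry locations named in the write-up: values the virus sets to 1, and the
# sub-tree whose keys it deletes.
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_VALUES = ("DisableTaskMgr", "DisableRegistryTools")
SAFEBOOT_KEY = r"SYSTEM\CurrentControlSet\Control\SafeBoot"
# Assumption: Minimal and Network are the two standard SafeBoot sub-keys on a
# healthy install; their absence is what breaks Safe Mode boot.
EXPECTED_SAFEBOOT_SUBKEYS = ("Minimal", "Network")


def assess(policies: Dict[str, Optional[int]], safeboot_subkeys: List[str]) -> Dict[str, List[str]]:
    """Return {'remove': [...], 'restore': [...]} from a snapshot of the HKCU
    policy values and the SafeBoot sub-keys that currently exist."""
    findings: Dict[str, List[str]] = {"remove": [], "restore": []}
    for name in POLICY_VALUES:
        if policies.get(name) == 1:  # 0x00000001 as set by Sality
            findings["remove"].append(f"HKCU\\{POLICY_KEY}\\{name}")
    present = {k.lower() for k in safeboot_subkeys}
    for sub in EXPECTED_SAFEBOOT_SUBKEYS:
        if sub.lower() not in present:
            findings["restore"].append(f"HKLM\\{SAFEBOOT_KEY}\\{sub}")
    return findings


def snapshot_live() -> Dict[str, object]:
    """Read the real registry; Windows only (uses winreg)."""
    import winreg  # Windows-only standard-library module
    policies: Dict[str, Optional[int]] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_KEY) as key:
            for name in POLICY_VALUES:
                try:
                    policies[name], _ = winreg.QueryValueEx(key, name)
                except FileNotFoundError:
                    policies[name] = None
    except FileNotFoundError:
        policies = {name: None for name in POLICY_VALUES}
    subkeys: List[str] = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SAFEBOOT_KEY) as key:
            i = 0
            while True:
                try:
                    subkeys.append(winreg.EnumKey(key, i))
                except OSError:  # raised once the index runs past the last sub-key
                    break
                i += 1
    except FileNotFoundError:
        pass  # whole SafeBoot tree gone: every expected sub-key is reported
    return {"policies": policies, "safeboot_subkeys": subkeys}


if __name__ == "__main__":
    if sys.platform == "win32":
        snap = snapshot_live()
        result = assess(snap["policies"], snap["safeboot_subkeys"])
    else:
        # Constructed snapshot mimicking the post-infection state described above.
        result = assess({"DisableTaskMgr": 1, "DisableRegistryTools": 1}, [])
    for action, paths in result.items():
        for p in paths:
            print(f"{action}: {p}")
```

Run it from an account that can open HKLM; if the HKCU policy key is read from a mapped remote registry, as the third comment below describes, the output is the same list of values to delete and keys to restore.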
Common URLs accessed by Sality
The following domains should be blocked at the firewall.
• hxxp://89.119.67.154
• hxxp://kukutrustnet777.info
• hxxp://kukutrustnet888.info
• hxxp://kukutrustnet987.info
• hxxp://www.kjwre9fqwieluoi.info
• hxxp://bpowqbvcfds677.info
• hxxp://bmakemegood24.com
• hxxp://bperfectchoice1.com
• hxxp://bcash-ddt.net
• hxxp://bddr-cash.net
• hxxp://btrn-cash.net
• hxxp://bmoney-frn.net
• hxxp://bclr-cash.net
• hxxp://bxxxl-cash.net
• hxxp://balsfhkewo7i487fksd.info
• hxxp://buynvf96.info
• 1.yimg.com
• Us.i1.yimg.com
• http:.//ad.yieldmanager.com
• mattfoll.eu.interia.pl
• bjerm.mass.hc.ru
• www.f5ds1jkkk4d.info
• www.g1ikdcvns3sdsal.info
• www.h7smcnrwlsdn34fgv.info
• www.inform1ongung.info
• www.kukutrustnet.org
• www.lukki6nd2kdnc.info
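The indicator list above mixes notations (hxxp:// defanging, a bare IP address, a mangled "http:.//" scheme, bare hostnames, mixed case), so before it can be fed to a firewall or matched against logs it has to be normalised. The script below is an added example, not code from this post or from Symantec; it turns a constructed subset of the list into hostname and IP blocklists and scans a few constructed proxy log lines for contacts with those hosts, treating sub-domains of a listed name as matches.

```python
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

# Constructed subset of the indicator list above, in the notations the write-up uses.
RAW_IOCS = [
    "hxxp://89.119.67.154",
    "hxxp://kukutrustnet777.info",
    "http:.//ad.yieldmanager.com",
    "Us.i1.yimg.com",
    "bjerm.mass.hc.ru",
    "www.kukutrustnet.org",
]

# Matches http://, hxxp://, and the mangled http:.// seen in the list.
_SCHEME = re.compile(r"^[a-z]+:\.?//", re.IGNORECASE)


def normalize(ioc: str) -> Tuple[str, str]:
    """Strip scheme, path and port; return ('ip' | 'host', lower-cased value)."""
    s = _SCHEME.sub("", ioc.strip())
    s = s.split("/", 1)[0].split(":", 1)[0].lower().rstrip(".")
    try:
        ipaddress.ip_address(s)
        return ("ip", s)
    except ValueError:
        return ("host", s)


def build_blocklist(raw: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Split normalised indicators into a hostname set and an IP set."""
    hosts: Set[str] = set()
    ips: Set[str] = set()
    for ioc in raw:
        kind, value = normalize(ioc)
        (ips if kind == "ip" else hosts).add(value)
    return hosts, ips


def host_matches(host: str, blocked_hosts: Set[str]) -> bool:
    """True if host equals a blocked name or is a sub-domain of one."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocked_hosts)


# Constructed proxy log lines: "<time> <client> <method> <url> <status>".
SAMPLE_LOG = """\
10:01:02 10.0.0.5 GET http://bjerm.mass.hc.ru/logoh.gif 200
10:01:03 10.0.0.5 GET http://update.example.com/x 200
10:01:04 10.0.0.7 GET http://89.119.67.154/ 200
10:01:05 10.0.0.9 GET http://cdn.kukutrustnet777.info/a 404
10:01:06 10.0.0.9 GET http://notkukutrustnet777.info/ 200
"""


def scan_log(lines: Iterable[str], hosts: Set[str], ips: Set[str]) -> List[Tuple[str, str]]:
    """Return (client, contacted target) pairs for every line that hits the blocklist."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        kind, target = normalize(url)
        if (kind == "ip" and target in ips) or (kind == "host" and host_matches(target, hosts)):
            hits.append((client, target))
    return hits


if __name__ == "__main__":
    hosts, ips = build_blocklist(RAW_IOCS)
    for client, target in scan_log(SAMPLE_LOG.splitlines(), hosts, ips):
        print(f"{client} contacted {target}")
```

The sub-domain rule is deliberate: "notkukutrustnet777.info" is not a hit, while "cdn.kukutrustnet777.info" is, which is the behaviour a DNS or proxy block should have.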
Rgrds,
SAM
Comments
Excellent Document.
Keep it up SAM
Thanks for this document.
Sality also corrupts your AntiVirus; actually we are facing this issue.
Regards, M.R
We got a couple of PCs infected with W32.Sality.AE in our network.
What we tried was to map the C: drive of the infected PC to another PC and have that PC scan the drive as a "local drive". After that we edited the registry (It's in the regedit -> File -> Connect Network Registry...) and did the manual removal instructions for editing the registry from Symantec. Created an autorun.inf with read-only rights.
After that, disconnected the PC and restarted. (BTW, we already have the AV installer ready to install on the PC to prevent reinfection.)
“Your most unhappy customers are your greatest source of learning.”