
W32.Sality

Risk Level 2: Low

Discovered: June 4, 2003
Updated: April 30, 2013 11:11:54 AM
Also Known As: W32/Kookoo-A [Sophos]
Type: Virus
Systems Affected: Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
W32.Sality is an entry-point obscuring (EPO) polymorphic file infector. It will infect executable files on local, removable and remote shared drives. The virus also creates a peer-to-peer (P2P) botnet and receives URLs of additional files to download. It then attempts to disable security software.

Infection
W32.Sality will infect executable files on local, removable and remote shared drives. It replaces the original host code at the entry point of the executable to redirect execution to the polymorphic viral code, which has been encrypted and inserted in the last section of the host file.

In addition to infecting local and remotely shared executable files, W32.Sality deliberately searches specific registry subkeys in order to infect the executable files that run when Windows starts.


Functionality
The W32.Sality family of threats has been around for some time: the first versions surfaced in 2003 and may have originated in Russia. At that time, W32.Sality was a less complicated file infector that prepended its viral code to a host file and had back door and keylogging functionality.

Over the years the core functionality has remained the same, but the threat has become more sophisticated, adding features that aid worm-like propagation, ensure its survival, and perform damaging activities. Among these is the decentralized peer-to-peer (P2P) network that W32.Sality-infected computers create and populate.



As an entry-point obscuring (EPO) polymorphic file infector, the virus gains control of the host by overwriting code in the file with complex, encrypted instructions. The complexity is intended to make it harder for researchers to analyze the code and determine its real purpose and functionality.

It spreads by infecting executable files on local, removable and remote shared drives. Infected files have their original initial instructions overwritten by complex code, with the encrypted viral body located in the last section of the file.
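The infection layout described in the Infection and Functionality sections (code at the entry point replaced by a redirect into encrypted code stored in the last section) is something a defender can check for at triage time. The following is an added example, not Symantec's code: it parses a PE32 section table by hand with only the standard library, resolves a jmp rel32 at the entry point, and reports whether it lands in the last section and whether that section is marked executable and writable. The two sample images are constructed inline for the demo; the heuristic also fires on some packers, so a hit is a reason to look closer, not a verdict.

```python
import struct
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_pe(data):
    """Return (entry_rva, sections); each section is (name, va, size, raw_ptr, flags)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                               # optional header start
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                           # section header i
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        flags = struct.unpack_from("<I", data, off + 36)[0]     # Characteristics
        secs.append((name.rstrip(b"\0").decode(), va, max(vsize, rsize), rptr, flags))
    return entry_rva, secs

def section_for(secs, rva):
    return next((s for s in secs if s[1] <= rva < s[1] + s[2]), None)

def triage(data):
    """Report whether the entry point is a jmp into an executable last section."""
    entry_rva, secs = parse_pe(data)
    last, ep_sec = secs[-1], section_for(secs, entry_rva)
    res = {"entry_section": ep_sec[0] if ep_sec else None, "last_section": last[0],
           "last_section_executable": bool(last[4] & IMAGE_SCN_MEM_EXECUTE),
           "last_section_writable": bool(last[4] & IMAGE_SCN_MEM_WRITE),
           "entry_jumps_to_last_section": False}
    off = ep_sec[3] + (entry_rva - ep_sec[1]) if ep_sec else None  # file offset of the EP
    if off is not None and data[off] == 0xE9:                   # jmp rel32 at entry point
        rel = struct.unpack_from("<i", data, off + 1)[0]
        res["entry_jumps_to_last_section"] = section_for(secs, (entry_rva + 5 + rel) & 0xFFFFFFFF) is last
    res["suspicious"] = res["entry_jumps_to_last_section"] and res["last_section_executable"]
    return res

def build_sample(ep_bytes, last_flags):
    """Constructed two-section PE32 image for this demo; not a real or infected binary."""
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)   # DOS header, e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    hdr += struct.pack("<HBBIIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000, 0x1000).ljust(0xE0, b"\0")  # EP RVA 0x1000
    hdr += struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack("<8sIIIIIIHHI", b".rsrc", 0x1000, 0x3000, 0x200, 0x400, 0, 0, 0, 0, last_flags)
    return hdr.ljust(0x200, b"\0") + ep_bytes.ljust(0x200, b"\x90") + b"\0" * 0x200

CLEAN = build_sample(b"\x55\x8B\xEC", 0x40000040)            # normal prologue, read-only last section
REDIRECTED = build_sample(b"\xE9" + struct.pack("<i", 0x3000 - 0x1005), 0xE0000040)  # jmp into RWX last section
```

`triage(REDIRECTED)["suspicious"]` is True and `triage(CLEAN)["suspicious"]` is False; the same function can be run over real files by passing their bytes.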

The threat participates in a P2P botnet and receives URLs of additional files to download. Downloading and executing other malware or security risks is one of the primary goals of this virus. A compromised host carries a list of HTTP URLs that point to resources to be downloaded, decrypted, and executed; these URLs can also point to further lists of URLs. The encryption used is RC4 with static keys embedded in the compromised host.

The threat also attempts to disable security software and modify security configurations. It alters the safe mode functionality so that it remains on the compromised computer. To hide its presence and ensure it keeps running, it injects itself into all running processes except those that belong to the system, the local service or the network service.



GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.
[Figure: geographic distribution map]

PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.
[Figure: worldwide infection levels]


SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)

Browser protection
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.

Intrusion Prevention System

Antivirus Protection Dates

  • Initial Rapid Release version April 6, 2003
  • Latest Rapid Release version November 21, 2013 revision 055
  • Initial Daily Certified version April 6, 2003
  • Latest Daily Certified version November 22, 2013 revision 001
  • Initial Weekly Certified release date April 9, 2003

Threat Assessment

Wild

  • Wild Level: Medium
  • Number of Infections: 50 - 999
  • Number of Sites: 10+
  • Geographical Distribution: Medium
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Medium
  • Payload: Downloads files and URLs.
  • Modifies Files: Infects files on local drives and removable media.
  • Degrades Performance: Participation in a peer-to-peer (P2P) botnet may degrade performance.
  • Compromises Security Settings: Lowers security settings and may disable security-related processes and applications.

Distribution

  • Distribution Level: Medium
  • Target of Infection: Executable files on local, removable and remote shared drives.
Writeup By: Angela Thigpen and Eric Chien
