Discovered: June 4, 2003
Updated: February 8, 2006 6:23:16 PM
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
W32.HLLP.Sality is a virus with keylogging and back door capabilities. It may infect executable files by prepending its code to host files.
When W32.HLLP.Sality is executed, it may drop a .dll file in the %System% or %Temp% folders. The following are some examples of the filenames:
SYSLIB32.DLL
OLEDSP32.DLL
SYSDLL.DLL
OLEMDB32.DLL
Next, the virus creates the following mutex:
KUKU300a
The virus then checks the current time and may activate its payload if the minute value equals the hour value and the date is May 1 or the 10th, 11th or 12th of any month.
The virus may then activate the payload and display a message box with the following characteristics:
Title: Win32.HLLP.Kuku v[VERSION_NUMBER]
Text:
<<<<<Hey, Lamer! Say "Bye-bye" to your data! >>>>>
'Copyright (c) by Sector'
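The trigger condition above is narrow enough to be worth making explicit. The following is an added example (not code from the write-up or from the malware) that encodes the stated condition and enumerates how often it can be met; the handling of boundaries (inclusive 10th to 12th, minute compared to the 24-hour value of the hour) is an assumption drawn from the wording.

```python
from datetime import date, datetime, timedelta


def is_trigger_day(d: date) -> bool:
    """Trigger days as described: 1 May, or the 10th, 11th or 12th of any month.
    Inclusive day range is assumed from the wording "10th to 12th"."""
    return (d.month == 5 and d.day == 1) or 10 <= d.day <= 12


def payload_triggers(now: datetime) -> bool:
    """True when the payload may fire: a trigger day and minute == hour.
    The hour is taken as the 24-hour value (assumption)."""
    return is_trigger_day(now.date()) and now.minute == now.hour


def trigger_minutes_on(day: date) -> list:
    """Every minute on `day` at which the condition holds.
    On a trigger day this is exactly 24 minutes: 00:00, 01:01, ..., 23:23."""
    start = datetime(day.year, day.month, day.day)
    if not is_trigger_day(day):
        return []
    # minute == hour can only hold for hours 0..23, once per hour
    return [start + timedelta(hours=h, minutes=h) for h in range(24)]


def trigger_days_in_year(year: int) -> int:
    """Number of calendar days in `year` on which the payload can fire."""
    d = date(year, 1, 1)
    count = 0
    while d.year == year:
        if is_trigger_day(d):
            count += 1
        d += timedelta(days=1)
    return count


if __name__ == "__main__":
    for when in (datetime(2006, 5, 1, 3, 3), datetime(2006, 5, 1, 3, 4),
                 datetime(2006, 6, 10, 23, 23), datetime(2006, 6, 13, 0, 0)):
        print(when, payload_triggers(when))
    print("trigger days in 2006:", trigger_days_in_year(2006))
```

The practical point for analysis is that the condition is satisfied for only 24 minutes on each of 37 days a year, so a sandbox run on an arbitrary date will almost never show the payload; set the guest clock to a trigger day and a minute equal to the hour (for example 12:12 on the 11th) before detonation.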
The virus may add its configuration data to the file %WINDOWS%\SYSTEM.INI by appending some of the following lines to this file:
[TFTempCache]
id=[RANDOM_NUMBER]
RtlMoveMeory=[RANDOM_NUMBER]
PING=[NUMBER]
TIME=[TIME]
Next, the virus may test connectivity by attempting to contact the following host:
www.microsoft.com
The virus has keylogging and information-gathering capabilities, which allow it to collect the following from the compromised computer:
IP address, host name, and user names
Sensitive computer information, such as size of memory, local disks, the Windows version, and product key
RAS dialup accounts
Net Share passwords
Startup programs
WebMoney files
The virus temporarily stores any information it gathers in the following encrypted file:
%System%\TFTempCache
The virus may then send this information to several email addresses located in Russia using the following SMTP server over TCP port 25:
msx.mail.ru
This email has the following characteristics:
From: CyberMazafaka@mailru.com
To: sector2007@list.ru, bespontovik@list.ru
Subject: Administrator
Attachment:
readme.tjc
TFTempCache.tjc
The virus contains references to the following IRC server, but code to utilize this server is not implemented at the time of writing:
rinet.msk.wenet.ru
If a back door is opened, it can allow a remote attacker to perform various unauthorized actions on the compromised computer. It is reported that these actions may include the following:
Start a proxy server
Download, install, and run new programs
End the processes of, and delete, anti-virus related applications
The virus may infect executable files by prepending its code to the host file. However, not all the variants of this virus are able to spread in this way.
When searching for files to infect, the virus may delete files that have the following extensions:
.vdb
.avc
.key
The virus may also delete files whose names begin with the following strings:
KAV
NOD
ANTI
SCAN
ZONE
ANDA
TROJ
TREN
ALER
CLEAN
OUTP
GUAR
AVP
TOTAL
The virus may leave behind a temporary file with the following name:
OLEDSP32.DL_
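The host-based indicators in this write-up (the dropped DLL names, the [TFTempCache] section in SYSTEM.INI, the encrypted TFTempCache store, the OLEDSP32.DL_ temporary file, and the anti-virus file-deletion logic) can be turned into an offline triage check. The script below is an added example, not Symantec's tool or code from the malware. It parses a SYSTEM.INI text and a list of file paths; the sample INI and paths are constructed for the example, and case-insensitive name matching is an assumption (the write-up does not state how the virus compares names).

```python
import configparser
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Indicators taken from the write-up.
DROPPED_DLLS = {"SYSLIB32.DLL", "OLEDSP32.DLL", "SYSDLL.DLL", "OLEMDB32.DLL"}
TEMP_STORE = "TFTEMPCACHE"        # %System%\TFTempCache (encrypted gathered data)
TEMP_FILE = "OLEDSP32.DL_"        # temporary file left behind
CONFIG_SECTION = "TFTempCache"    # section appended to SYSTEM.INI
DELETED_EXTENSIONS = {".vdb", ".avc", ".key"}
DELETED_PREFIXES = ("KAV", "NOD", "ANTI", "SCAN", "ZONE", "ANDA", "TROJ",
                    "TREN", "ALER", "CLEAN", "OUTP", "GUAR", "AVP", "TOTAL")


def sality_config(system_ini_text: str) -> Optional[Dict[str, str]]:
    """Return the [TFTempCache] key/value pairs if present, else None.
    configparser is run non-strict with no interpolation so that a real
    SYSTEM.INI (duplicate keys, '%' characters) does not raise; key case is
    preserved so 'RtlMoveMeory' is reported exactly as written on disk."""
    cp = configparser.ConfigParser(strict=False, allow_no_value=True,
                                   interpolation=None)
    cp.optionxform = str  # keep key case
    cp.read_string(system_ini_text)
    if not cp.has_section(CONFIG_SECTION):
        return None
    return dict(cp.items(CONFIG_SECTION))


def classify_artifact(path: str) -> Optional[str]:
    """Label a path that matches one of the dropped/left-behind file names.
    Location (%System% / %Temp%) is not enforced: a copy elsewhere is still
    worth a look."""
    name = PureWindowsPath(path).name.upper()
    if name in DROPPED_DLLS:
        return "dropped DLL"
    if name == TEMP_STORE:
        return "encrypted data store"
    if name == TEMP_FILE:
        return "temporary file"
    return None


def would_be_deleted(path: str) -> bool:
    """True if the virus's deletion logic, as described, would target this
    file: a listed extension or a name starting with a listed prefix
    (case-insensitive by assumption)."""
    p = PureWindowsPath(path)
    return p.suffix.lower() in DELETED_EXTENSIONS or \
        p.name.upper().startswith(DELETED_PREFIXES)


def triage(system_ini_text: str, paths: List[str]) -> Dict[str, object]:
    """Collect config, artifact hits and files at risk of deletion."""
    artifacts: List[Tuple[str, str]] = []
    at_risk: List[str] = []
    for p in paths:
        kind = classify_artifact(p)
        if kind:
            artifacts.append((p, kind))
        elif would_be_deleted(p):
            at_risk.append(p)
    return {"config": sality_config(system_ini_text),
            "artifacts": artifacts, "at_risk": at_risk}


# Constructed sample input (not a real capture).
SAMPLE_SYSTEM_INI = """\
; constructed SYSTEM.INI for the example
[boot]
shell=Explorer.exe

[drivers]
wave=mmdrv.dll

[TFTempCache]
id=1887462
RtlMoveMeory=2931
PING=3
TIME=14:22
"""

SAMPLE_FILES = [
    r"C:\WINDOWS\SYSTEM32\OLEDSP32.DLL",
    r"C:\WINDOWS\SYSTEM32\TFTempCache",
    r"C:\WINDOWS\TEMP\OLEDSP32.DL_",
    r"C:\WINDOWS\SYSTEM32\KERNEL32.DLL",
    r"C:\Program Files\AVP\avp.exe",
    r"C:\Program Files\Norton\signatures.vdb",
    r"C:\Program Files\Norton\navw32.exe",
    r"C:\Program Files\Zone Labs\zonealarm.exe",
]

if __name__ == "__main__":
    result = triage(SAMPLE_SYSTEM_INI, SAMPLE_FILES)
    print("config:", result["config"])
    for path, kind in result["artifacts"]:
        print("artifact:", kind, path)
    for path in result["at_risk"]:
        print("would be deleted by virus:", path)
```

The at-risk list is the useful output on a live host: an anti-virus installation whose program or signature files fall into that set may have already been partly deleted, which explains why on-access protection can be silent on an infected machine. Absence of the [TFTempCache] section does not clear a host; the write-up says the virus "may" write it.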