
System Infected: HTTP W32.Sality Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects HTTP traffic generated by W32.Sality when the threat connects to and/or downloads files from malicious hosts.

Additional Information

When the virus is executed, it drops the following files:

%System%\wmdrtc32.dll (A copy of W32.HLLP.Sality.)
%System%\wmdrtc32.dl_ (An archived copy of W32.HLLP.Sality.)
The virus then appends the following lines to the file %Windir%\System.ini:
[MCIDRV_VER]
DEVICEN1=[RANDOM_NUMBER]

The threat then injects this .dll file into all running processes.

The virus resides in memory and infects all portable executable files it finds.

Next, the threat attempts to connect to the malicious Web sites.

The virus ends and deletes services and processes which have certain names.

The virus then deletes all values and subkeys under the following subkeys, which prevents the compromised computer from booting into Safe Mode:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot
HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
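The host artifacts listed above (the two dropped files, the [MCIDRV_VER] marker in System.ini, and the emptied SafeBoot key) are what an incident responder checks once this network signature fires. The following Python is an added example written for this page, not Symantec's code and not part of the original writeup: it runs the three checks over constructed stand-ins for a directory listing, a System.ini file and a registry enumeration so it can be tested offline. The DEVICEN1 value in the sample is made up (the page only says it is a random number), and the assumption that a clean SafeBoot key contains at least the Minimal and Network subkeys is mine. On a live host you would feed it os.listdir of %System%, the contents of %Windir%\System.ini, and the subkey names enumerated with winreg from HKLM\System\CurrentControlSet\Control\SafeBoot.

```python
import ntpath
import re

# Indicators taken from the description above; nothing here comes from live samples.
DROPPED_FILE_NAMES = {"wmdrtc32.dll", "wmdrtc32.dl_"}
SALITY_INI_SECTION = "MCIDRV_VER"
SALITY_INI_KEY = "DEVICEN1"
# Assumption (mine, not the writeup's): a stock install has at least these SafeBoot subkeys.
EXPECTED_SAFEBOOT_SUBKEYS = ("Minimal", "Network")

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_KEYVAL_RE = re.compile(r"^\s*(?P<key>[^=;]+?)\s*=\s*(?P<value>.*?)\s*$")


def find_sality_ini_marker(system_ini_text):
    """Return the DEVICEN1 value from the [MCIDRV_VER] section, or None if absent.

    A small hand-rolled INI walk is used instead of configparser because a real
    System.ini can contain bare lines and duplicate keys that make configparser raise.
    """
    section = None
    for line in system_ini_text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().upper()
            continue
        if section != SALITY_INI_SECTION:
            continue
        m = _KEYVAL_RE.match(line)
        if m and m.group("key").strip().upper() == SALITY_INI_KEY:
            return m.group("value")
    return None


def find_dropped_files(paths):
    """Return (sorted) the paths whose file name matches one of the dropped files."""
    return sorted(p for p in paths if ntpath.basename(p).lower() in DROPPED_FILE_NAMES)


def missing_safeboot_subkeys(subkey_names):
    """Return the expected SafeBoot subkeys that are not present (Sality deletes them all)."""
    present = {name.lower() for name in subkey_names}
    return [k for k in EXPECTED_SAFEBOOT_SUBKEYS if k.lower() not in present]


def scan_host(paths, system_ini_text, safeboot_subkeys):
    """Run all three checks and return a findings dict.

    The dropped files and the INI marker are treated as strong indicators; a
    missing SafeBoot subkey is reported only as corroboration, since other
    tampering can empty that key too.
    """
    findings = {
        "dropped_files": find_dropped_files(paths),
        "ini_marker": find_sality_ini_marker(system_ini_text),
        "missing_safeboot": missing_safeboot_subkeys(safeboot_subkeys),
    }
    findings["suspicious"] = bool(findings["dropped_files"]) or findings["ini_marker"] is not None
    return findings


# Constructed sample inputs standing in for a %System% listing, System.ini and a registry enumeration.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\wmdrtc32.dll",
    r"C:\WINDOWS\system32\wmdrtc32.dl_",
    r"C:\WINDOWS\system32\kernel32.dll",
]
SAMPLE_SYSTEM_INI = """[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[MCIDRV_VER]
DEVICEN1=4172634
"""
SAMPLE_SAFEBOOT_SUBKEYS = []  # constructed: everything under SafeBoot has been deleted
CLEAN_SAFEBOOT_SUBKEYS = ["Minimal", "Network", "Option"]

if __name__ == "__main__":
    for name, result in scan_host(SAMPLE_FILES, SAMPLE_SYSTEM_INI, SAMPLE_SAFEBOOT_SUBKEYS).items():
        print(f"{name}: {result}")
```

The INI check matches the section and key case-insensitively because the exact casing Sality writes is not something to rely on; the file-name check uses ntpath so Windows paths parse correctly even when the script is run from a Linux forensics box over a mounted image.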

Affected

  • Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Vista, Windows XP

Response

http://www.symantec.com/security_response/writeup.jsp?docid=2007-011223-3919-99&tabid=2
