Virus/Worm Characteristics
After execution, W32/Sality starts a service that listens on a random UDP port and creates a copy of itself at the following path: %Windir%\System32\Drivers\{RANDOM}.sys
- W32/Sality infects *.exe and *.scr files on local, network, and removable drives, with the exception of files whose filename contains any of the following string(s):
- WINDOWS
- SYSTEM
- SYSTEM32
- 1. yimg.com
- Us.i1.yimg.com
- http:.//ad.yieldmanager.com
- mattfoll.eu.interia.pl
- bjerm.mass.hc.ru
- W32/Sality also drops an Autorun.inf file so that it is executed automatically
- W32/Sality attempts to hook into one of the running processes, chosen at random, and connects to certain sites to download malware
- W32/Sality uses Notepad.exe and Winmine.exe to inject itself into other Windows executables
- Process Explorer may, for example, show Notepad.exe as a running process when you have not opened it. If you kill this process, W32/Sality will hook onto another process.
When a W32/Sality infection occurs, it disables Regedit and the Windows Task Manager, and also creates the following registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr: 0x00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\*
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*
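The following read-only triage script is an added example, not part of the original description or of any vendor tool. It checks a host for the artifacts listed above: the two policy values that disable Task Manager and Regedit, the SafeBoot keys, recently created drivers under %Windir%\System32\Drivers that carry no valid Authenticode signature, autorun.inf at the root of removable drives, and Notepad.exe/Winmine.exe running without a visible window. It assumes a healthy system has the standard SafeBoot\Minimal and SafeBoot\Network subkeys, and the seven-day driver window is an arbitrary heuristic (file timestamps can be backdated). It reports findings only and changes nothing; the text above explains why killing the hijacked process on its own achieves nothing.

```powershell
# Added W32/Sality triage script (example, not from the original page). Read-only.
# Run from an elevated PowerShell prompt; absence of findings does not prove a clean host.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Policy values the description says Sality sets to disable Task Manager and Regedit.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    $item = Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
    if ($item -and $item.$name -ne 0) {
        $findings.Add("Policy value $name = $($item.$name) under $policyKey")
    }
}

# 2. SafeBoot keys touched by the infection. Assumption: a healthy install has the
#    Minimal and Network subkeys, which Safe Mode needs for cleanup.
foreach ($root in 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot',
                  'HKLM:\SYSTEM\ControlSet001\Control\SafeBoot') {
    foreach ($sub in 'Minimal', 'Network') {
        if (-not (Test-Path -Path (Join-Path $root $sub))) {
            $findings.Add("SafeBoot subkey missing: $root\$sub")
        }
    }
}

# 3. Dropped driver {RANDOM}.sys: recent *.sys files without a valid signature.
#    The 7-day window is a heuristic; timestamps can be forged.
$driverDir = Join-Path $env:windir 'System32\Drivers'
Get-ChildItem -Path $driverDir -Filter '*.sys' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-7) } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            $findings.Add("Recent driver without valid signature: $($_.FullName) [$($sig.Status)]")
        }
    }

# 4. Autorun.inf at the root of removable drives (DriveType 2 = removable).
Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
    ForEach-Object {
        $autorun = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path -Path $autorun) {
            $findings.Add("autorun.inf present on removable drive $($_.DeviceID)")
        }
    }

# 5. Notepad.exe / Winmine.exe running with no window, as the text describes.
#    Report only: the description notes the infection re-hooks another process if killed.
Get-Process -Name 'notepad', 'winmine' -ErrorAction SilentlyContinue |
    Where-Object { $_.MainWindowHandle -eq 0 } |
    ForEach-Object {
        $findings.Add("$($_.ProcessName).exe (PID $($_.Id)) running with no visible window")
    }

if ($findings.Count -eq 0) {
    'No W32/Sality indicators found by these checks.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Each check maps to one bullet in the description, so a hit tells the responder which part of the infection chain is present (policy tampering, Safe Mode sabotage, the dropped driver, removable-media spread, or the process hijack) rather than just "infected". Because the file infector rewrites *.exe and *.scr files, a positive result should be followed by an offline scan of every local, network and removable volume, not by deleting the single driver found.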
Other names
- Avast: Win32:Kukacka
- AVG (GriSoft): Win32/Tanatos.J
- Avira: W32/Sality Windows
- Kaspersky: Virus.Win32.Sality.GeN
- BitDefender: Win32.Sality.2.OE
- Clamav: W32.Sality-27
- F-Prot: W32/Sality.AJ
- Microsoft: virus:win32/sality.am
- Symantec: W32.Sality.AE
- Eset: Win32/Sality.NAO virus
- Sophos: W32/Sality-AM
- Trend Micro: PE_SALITY.EK