W32/Sality.ab

This page shows details and results of our analysis of the malware W32/Sality.ab.

Overview

Win32/Sality.ab is a parasitic virus that infects Win32 PE executable files. It utilizes DLL injection and contains downloader functionality to further install trojan or keylogger components.


Minimum DAT: 4991 (2007-03-23)

Updated DAT: 4992 (2007-03-26)

Minimum Engine: 5400.1158

File Length: varies

Description Added: 2007-03-23

Description Modified: 2007-03-28

Malware Proliferation

Characteristics


Upon execution, the virus drops the following files into the Windows system directory:

  • %Windir%\%SYSDIR%\wcdrtc32.dl_ (17,876 bytes)
  • %Windir%\%SYSDIR%\wcdrtc32.dll (25,600 bytes)

Creates the following mutexes to ensure that only one instance of the virus is active on a computer at any time:

  • _kuku_joker_v3.10
  • pendosi-zaberu-vse-vashi-babki-v3.01

Injects its component "wcdrtc32.dll" into running processes on the system.

Checks for the presence of an internet connection by performing a DNS query for the following domain:

  • www.microsoft.com

Downloads further malware from the following domains:

  • www.bpfq02.com
  • www.shared-admin.com

Note: At the time of writing this description, variants of the PWS-Goldun trojan were being downloaded.

Symptoms

Existing Windows PE executable files grow in length by 20,480 bytes.

Unexpected network traffic to one or more of the following domains:

  • www.f5ds1jkkk4d.info
  • www.g1ikdcvns3sdsal.info
  • www.h7smcnrwlsdn34fgv.info
  • www.inform1ongung.info
  • www.kukutrustnet.org
  • www.lukki6nd2kdnc.info

Method of Infection

W32/Sality.ab is a parasitic virus that searches local drives and network shares for Windows PE executable files to infect. It replaces the original entry point of the host executable with its viral code and appends an encrypted copy of itself in a new section named 'srdata'. Infected files grow in size by 20,480 bytes.
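The infection marker described above (a section named 'srdata' appended to the host) can be checked for without a full PE library. The following script is an added example and is not part of the AVERT description or any McAfee tool: it walks the PE headers by hand (DOS header, e_lfanew, COFF header, section table), reports files carrying a section whose name is exactly 'srdata', and builds a skeletal PE image as constructed test data so it can be exercised offline. The section name is attacker-controlled, so a hit is a triage signal to confirm with an up-to-date scanner, not proof of infection, and a miss does not prove a file is clean.

```python
# Added example (not part of the AVERT description): a minimal PE section-table
# parser used to triage files for the 'srdata' section that the description
# associates with W32/Sality.ab infections. Standard library only.
import os
import struct
from typing import Dict, List, Optional

SUSPECT_SECTION = "srdata"   # section name reported in the description


def pe_section_names(data: bytes) -> Optional[List[str]]:
    """Return the section names of a PE image, or None if `data` is not a PE file.

    Walks DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table.
    Tolerates truncated images by stopping at the end of the available data.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # 4-byte signature followed by the 20-byte COFF header must fit in the data.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)    # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)       # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    names: List[str] = []
    for i in range(num_sections):
        off = table + i * 40            # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break                       # truncated section table
        raw_name = data[off:off + 8].rstrip(b"\0")
        names.append(raw_name.decode("ascii", "replace"))
    return names


def has_sality_marker(data: bytes) -> bool:
    """True if the image carries a section named exactly 'srdata'.

    Section names are attacker-controlled, so this is a triage heuristic:
    confirm hits with an up-to-date scanner; a miss does not prove cleanliness.
    """
    names = pe_section_names(data)
    return names is not None and SUSPECT_SECTION in names


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk `root` and map each file carrying the marker to its section names."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue                # unreadable file: skip, do not abort the sweep
            if has_sality_marker(data):
                hits[path] = pe_section_names(data) or []
    return hits


def build_minimal_pe(section_names: List[bytes]) -> bytes:
    """Constructed test data: a skeletal, non-executable PE32 image with the given
    section names, carrying just enough structure for the parser above."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222   # PE32 magic, zeroed remainder (224 bytes)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(optional), 0x102)
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos_header + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    clean = build_minimal_pe([b".text", b".rdata", b".data"])
    suspect = build_minimal_pe([b".text", b".rdata", b".data", b"srdata"])
    print("clean  :", pe_section_names(clean), has_sality_marker(clean))
    print("suspect:", pe_section_names(suspect), has_sality_marker(suspect))
```

To sweep a real directory, call `scan_directory(r"C:\Path\To\Check")` and review the returned mapping; pairing a hit with the reported growth of 20,480 bytes against a known-good copy of the same binary strengthens the triage.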

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


Variants