W32/Sality.ac

This page shows details and results of our analysis on the malware W32/Sality.ac

Overview

Win32/Sality.ac is a parasitic virus that infects Win32 PE executable files. It utilizes DLL injection and contains downloader functionality to further install trojan or keylogger components.


Minimum DAT

5072 (2007-07-11)

Updated DAT

5072 (2007-07-11)

Minimum Engine

5400.1158

File Length

28Kb

Description Added

2007-07-11

Description Modified

2008-09-01

Characteristics

Win32/Sality.ac is a parasitic virus that infects Win32 PE executable files. It utilizes DLL injection and contains downloader functionality to further install trojan or keylogger components.

Upon execution, it drops the following files into the Windows system directory:

%Windir%\%SYSDIR%\wcdrtc32.dl_  (28,672 bytes)
%Windir%\%SYSDIR%\wcdrtc32.dll  (40,960 bytes)

Creates the following mutex so that only one instance of the virus is active on a computer at any time:
    * _kuku_joker_v4.00

Checks for the presence of an internet connection by performing a DNS query to the following domain.
    * www.microsoft.com
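The host indicators listed above (the dropped files and the mutex) can be checked directly on a suspect machine. The following script is an added example written for this page, not code from the original description or from AVERT: it opens the mutex by name through the Win32 API and compares a directory listing against the dropped-file names and sizes. The directory snapshot passed to match_dropped_files() in the usage below is constructed for illustration; the system directory (assumed to be %SystemRoot%\System32, since the description only gives %SYSDIR%) is only read when the script is run on a Windows host.

```python
import ctypes
import os
import sys

# Indicators taken from the description above.
SALITY_AC_MUTEX = "_kuku_joker_v4.00"
DROPPED_FILES = {            # file name -> expected size in bytes
    "wcdrtc32.dl_": 28672,
    "wcdrtc32.dll": 40960,
}

SYNCHRONIZE = 0x00100000
ERROR_FILE_NOT_FOUND = 2
ERROR_ACCESS_DENIED = 5


def mutex_state(name):
    """Return 'present', 'absent' or 'unsupported' (non-Windows host).

    OpenMutexW fails with ERROR_ACCESS_DENIED when the object exists but
    its DACL refuses us the requested access; that still proves the mutex
    is there, so it is reported as present rather than as an error."""
    if sys.platform != "win32":
        return "unsupported"
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        k32.CloseHandle(handle)
        return "present"
    err = ctypes.get_last_error()
    if err == ERROR_ACCESS_DENIED:
        return "present"
    if err == ERROR_FILE_NOT_FOUND:
        return "absent"
    raise OSError(err, "OpenMutexW(%r) failed" % name)


def snapshot_dir(path):
    """Map file name -> size for every regular file in one directory."""
    snapshot = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            snapshot[name] = os.path.getsize(full)
    return snapshot


def match_dropped_files(snapshot):
    """Compare a name -> size snapshot against the dropped-file list.

    Returns a list of (dropped name, size matches) for each name found;
    the comparison is case-insensitive because NTFS names are."""
    hits = []
    for dropped, expected in DROPPED_FILES.items():
        for fname, size in snapshot.items():
            if fname.lower() == dropped:
                hits.append((dropped, size == expected))
    return hits


def system_dir():
    # Assumption: %SYSDIR% in the description is the System32 directory.
    return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")


if __name__ == "__main__":
    # Constructed listing, used so the script demonstrates its output off-line.
    constructed = {"kernel32.dll": 1024000, "wcdrtc32.dll": 40960, "WCDRTC32.DL_": 28672}
    print("constructed listing:", match_dropped_files(constructed))
    print("mutex %s: %s" % (SALITY_AC_MUTEX, mutex_state(SALITY_AC_MUTEX)))
    if sys.platform == "win32":
        print("live system dir:", match_dropped_files(snapshot_dir(system_dir())))
```

A size mismatch on a found file is still worth reporting: it usually means a different variant or a partially written drop, not a clean host.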

Symptoms

Existing Windows PE executable files grow in length by 28Kb.

Unexpected network traffic to one or more of the following domains:
www.kukutrustnet.org

Method of Infection

W32/Sality.ac is a parasitic virus that searches local drives and network shares for Windows PE executable files to infect. It redirects the original entry point of the host executable to its viral code and appends an encrypted copy of itself in a new section named 'prdata'. Infected files grow in size by 28Kb.
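Both infection traits described above, the appended 'prdata' section and the redirected entry point, are visible in the PE headers alone, so a file can be triaged without executing it. The following parser is an added example written for this page, not code from the original description or from AVERT. It walks the COFF and section headers of a PE32/PE32+ image, maps AddressOfEntryPoint to the section that contains it, and reports the indicators. The two sample images are constructed in build_pe() (headers only, no real code) purely so the script runs off-line; the infected sample appends a 0x7000-byte (28Kb) 'prdata' section and points the entry point into it.

```python
import struct
import sys

SECTION_HEADER_FMT = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)   # 40 bytes
SALITY_SECTION = b"prdata"


def parse_pe_sections(data):
    """Return (entry_rva, sections) from raw PE image bytes, or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):              # PE32 / PE32+
        raise ValueError("unexpected optional header magic %#x" % magic)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    sections = []
    pos = opt + opt_size
    for _ in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = \
            struct.unpack_from(SECTION_HEADER_FMT, data, pos)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
        pos += SECTION_HEADER_SIZE
    return entry_rva, sections


def section_for_rva(sections, rva):
    """Section whose virtual range covers rva, or None."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def sality_ac_indicators(data):
    entry_rva, sections = parse_pe_sections(data)
    ep = section_for_rva(sections, entry_rva)
    prdata = [s for s in sections if s["name"] == SALITY_SECTION]
    return {
        "has_prdata_section": bool(prdata),
        "entry_in_prdata": ep is not None and ep["name"] == SALITY_SECTION,
        "entry_in_last_section": bool(sections) and ep is sections[-1],
        "prdata_raw_size": prdata[0]["rawsize"] if prdata else 0,
    }


def build_pe(section_specs, entry_rva):
    """Constructed minimal PE32 image for testing: section_specs is [(name, vaddr, size)]."""
    e_lfanew, opt_size = 0x40, 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    headers_len = e_lfanew + 4 + 20 + opt_size + SECTION_HEADER_SIZE * len(section_specs)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF                # 512-byte file alignment
    hdrs = b""
    for name, vaddr, size in section_specs:
        hdrs += struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), size, vaddr,
                            size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += size
    image = dos + b"PE\0\0" + coff + bytes(opt) + hdrs
    return image + b"\0" * (raw_ptr - len(image))


HOST_SECTIONS = [(b".text", 0x1000, 0x2000), (b".rdata", 0x3000, 0x1000), (b".data", 0x4000, 0x1000)]
CLEAN_SAMPLE = build_pe(HOST_SECTIONS, entry_rva=0x1100)
INFECTED_SAMPLE = build_pe(HOST_SECTIONS + [(SALITY_SECTION, 0x5000, 0x7000)], entry_rva=0x5000)


if __name__ == "__main__":
    for label, data in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(label, len(data), "bytes:", sality_ac_indicators(data))
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, sality_ac_indicators(f.read()))
```

Only the section name is variant-specific; an entry point that resolves into the last section of a file is a generic sign of appended-code infection and is worth keeping as a secondary flag when scanning for other parasitic infectors.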

Removal

A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
