W32/Sality.ah

This page shows details and results of our analysis on the malware W32/Sality.ah

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

5339 (2008-07-15)

Updated DAT

5760 (2009-10-03)

Minimum Engine

5400.1158

File Length

Varies

Description Added

2008-07-15

Description Modified

2008-07-21

Malware Proliferation

Characteristics

W32/Sality.ah is a parasitic virus that infects Win32 PE executable files.

Upon execution, it starts a service to listen on a random UDP Port and create a copy of itself in the following path(s):

  • %Windir%\System32\Drivers\{random}.sys

It follows to create the following registry key(s):

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3360pr
  • HKEY_CURRENT_USER\Software\{%UserName%}914

It may also modify system configuration via the following registry key(s):

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ Parameters\FirewallPolicy\StandardProfile\Authorized Applications\List
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

(Where %UserName% is the Windows logged in user ID)

In an attempt to make recovery difficult for the victim, registry keys in the following sub-tree are deleted and needs to be restored to the original configuration if needed by the user:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\*
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*

It may parasitically infect *.exe and *scr files on the local, network and removable drives except for files containing the following string(s) in the filename:

  • WINDOWS
  • SYSTEM
  • SYSTEM32

It can also drop a copy of itself as asc3360pr.scr, asc3360pr.pif or asc3360pr.exe onto the following Windows drive types and creates an Autorun.inf to auto-execute itself:

  • Unknown drive type (Type 0)
  • Removable media (Type 2) - e.g. USB drives.
  • Remote network drive (Type 4) - e.g. shared folders.

It may download additional malware from the folllowing site(s):

  • hxxp://89.119.67.154
  • hxxp://kukutrustnet777.info
  • hxxp://kukutrustnet888.info
  • hxxp://kukutrustnet987.info
  • hxxp://www.kjwre9fqwieluoi.info
  • hxxp://bpowqbvcfds677.info
  • hxxp://bmakemegood24.com
  • hxxp://bperfectchoice1.com
  • hxxp://bcash-ddt.net
  • hxxp://bddr-cash.net
  • hxxp://btrn-cash.net
  • hxxp://bmoney-frn.net
  • hxxp://bclr-cash.net
  • hxxp://bxxxl-cash.net
  • hxxp://balsfhkewo7i487fksd.info
  • hxxp://buynvf96.info

Services containing the following strings may be removed:

  • Agnitum Client Security Service
  • ALG
  • aswUpdSv
  • avast! Antivirus
  • avast! Mail Scanner
  • avast! Web ScannerAVP
  • BackWeb Plug-in - 4476822
  • bdss
  • BGLiveSvc
  • BlackICE
  • CAISafe
  • ccEvtMgr
  • ccProxy
  • ccSetMgr
  • Eset Service
  • F-Prot Antivirus Update Monitor
  • fsbwsys
  • FSDFWD
  • F-Secure Gatekeeper Handler Starter
  • fshttps
  • FSMA
  • InoRPC
  • InoRT
  • InoTask
  • ISSVC
  • KPF4
  • LavasoftFirewall
  • LIVESRV
  • McAfeeFramework
  • McShield
  • McTaskManager
  • navapsvc
  • NOD32krn
  • NPFMntor
  • NSCService
  • Outpost Firewall main module
  • OutpostFirewall
  • PAVFIRES
  • PAVFNSVR
  • PavProt
  • PavPrSrv
  • PAVSRV
  • PcCtlCom
  • PersonalFirewal
  • PREVSRV
  • ProtoPort Firewall service
  • PSIMSVC
  • RapApp
  • SmcService
  • SNDSrvc
  • SPBBCSvc
  • Symantec Core LC
  • Tmntsrv
  • TmPfw
  • tmproxy
  • UmxAgent
  • UmxCfg
  • UmxLU
  • UmxPol
  • vsmon
  • VSSERV
  • WebrootDesktopFirewallDataService
  • WebrootFirewall
  • XCOMM

It may also search and delete files containing the following extension(s) or string(s) in the filename:

  • .vdb
  • .key
  • .avc

Symptoms

  • Presence of the file(s) mentioned.
  • Presence of the registry key(s) mentioned.
  • Services listening on the network port(s) mentioned.
  • Unexpected network traffic to one or more of the domain(s) mentioned.
  • Executable files increase in size by 70 kilobytes.

 

 

Method of Infection

W32/Sality.ah searches local drives, removable and network shares for Windows PE executable files to infect. It replaces the original entry point of the files it infects with its viral code and appends itself to the last section of the PE image.  The infected files grow by size by 70 KB.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.

Variants