W32/Sality.ai

This page shows the details and results of our analysis of the malware W32/Sality.ai.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

5354 (2008-08-05)

Updated DAT

5760 (2009-10-03)

Minimum Engine

5400.1158

File Length

Varies

Description Added

2008-08-05

Description Modified

2008-08-06


Characteristics

W32/Sality.ai is a parasitic virus that infects Win32 PE executable files.

Upon execution, this file infector opens a listening UDP port and drops the following file:

%System%\drivers\{Random file name}.sys (Terminates security applications)
(Note: %System% is the Windows system folder, e.g. C:\Windows\System32 or C:\WINNT\System32)


It then creates/modifies the following registry keys/entries:

  • HKEY_CURRENT_USER\Software\{User Name}914
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3360pr
    ImagePath = "%System%\drivers\{Random file name}.sys"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
    DisableTaskMgr = 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
    DisableRegistryTools = 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced


To make recovery difficult for the victim, it deletes the following registry keys/entries, which Windows needs in order to boot into Safe Mode:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
    AlternateShell = "cmd.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network


This file infector adds the following entry to the SYSTEM.INI file:

  • [MCIDRV_VER]
    DEVICEMB={Random numbers}
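
The registry and SYSTEM.INI changes above can be checked offline against artifacts collected from a suspect host. The following Python script is an added example, not part of the original description and not McAfee's tooling: it parses text in the format written by `reg export` (real exports are UTF-16LE files and must be decoded before being passed in) together with a system.ini, and reports which of the indicators listed above are present. The sample export, the user name alice, the driver name xqjkwp.sys and the DEVICEMB number are constructed for the example; the SafeBoot checks are only meaningful when the export actually covered the SafeBoot key.

```python
import configparser
import re

# Constructed sample artifacts (not real exports): a fragment in the text format
# written by "reg export" (real exports are UTF-16LE, so decode them first) and a
# system.ini, showing the changes listed above on a hypothetical infected host.
# User name "alice", driver name "xqjkwp.sys" and the DEVICEMB value are made up.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\alice914]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3360pr]
"ImagePath"="C:\\Windows\\System32\\drivers\\xqjkwp.sys"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
'''
INFECTED_INI = "[drivers]\nwave=mmdrv.dll\n\n[MCIDRV_VER]\nDEVICEMB=7241658\n"

# The same artifacts from a clean host, for comparison (also constructed).
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
'''
CLEAN_INI = "[drivers]\nwave=mmdrv.dll\n"


def parse_reg_export(text):
    """Parse .reg text into {key path: {value name: value}}; keys without values map to {}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, val = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if val.startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif val.startswith('"') and val.endswith('"'):
            # .reg strings escape a quote as \" and a backslash as \\
            keys[current][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = val            # hex(...)/binary data left unparsed
    return keys


def check_indicators(reg, ini_text):
    """Compare parsed artifacts against the registry/INI changes attributed to W32/Sality.ai."""
    # Registry key and value names are case-insensitive, so normalise both for lookup.
    keys = {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in reg.items()}

    def value(key, name):
        return keys.get(key.lower(), {}).get(name.lower())

    findings = []
    if value(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA") == 0:
        findings.append("UAC disabled (EnableLUA = 0)")
    policies = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system"
    for name in ("DisableTaskMgr", "DisableRegistryTools"):
        if value(policies, name) == 1:
            findings.append("%s = 1" % name)
    image = value(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3360pr", "ImagePath")
    if isinstance(image, str) and re.search(r"\\drivers\\[^\\]+\.sys$", image, re.I):
        findings.append("service asc3360pr loads %s" % image)
    for key in keys:                                 # HKCU\Software\{User Name}914 marker key
        if re.fullmatch(r"hkey_current_user\\software\\[^\\]+914", key):
            findings.append("infection marker key %s" % key)
    # Safe Mode sabotage can only be judged if the export actually covered the SafeBoot key.
    safeboot = r"hkey_local_machine\system\currentcontrolset\control\safeboot"
    if safeboot in keys:
        if value(safeboot, "AlternateShell") is None:
            findings.append("SafeBoot AlternateShell value missing")
        for sub in ("Minimal", "Network"):
            if not any(k.startswith(safeboot + "\\" + sub.lower()) for k in keys):
                findings.append("SafeBoot\\%s key missing" % sub)
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    if re.fullmatch(r"\d+", cfg.get("MCIDRV_VER", "DEVICEMB", fallback="")):
        findings.append("system.ini [MCIDRV_VER] DEVICEMB marker present")
    return findings


if __name__ == "__main__":
    for label, reg, ini in (("infected", INFECTED_REG, INFECTED_INI), ("clean", CLEAN_REG, CLEAN_INI)):
        print(label, check_indicators(parse_reg_export(reg), ini))
```

On a live host the same values can be pulled with `reg query` or PowerShell's `Get-ItemProperty` and fed to `check_indicators` after conversion; the offline form above is what an analyst would run over artifacts already collected from a machine that can no longer be trusted.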

 

It enumerates the subkeys of the following registry key, looking for entries that belong to antivirus and security applications:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Any matching subkey is deleted, which unregisters the corresponding service or driver and so disables the product. Subkeys that may be deleted include:

  • _AVPM
  • A2GUARD
  • AAVSHIELD
  • AVAST
  • ADVCHK
    ...
  • WRCTRL
  • XCOMMSVR
  • ZAUINST
  • ZLCLIENT
  • ZONEALARM


It infects *.exe and *.scr files on local, network and removable drives, skipping files whose path contains the strings WINDOWS, SYSTEM or SYSTEM32. Infection overwrites some code at the host's entry point, saves the overwritten bytes inside the virus body, and then appends the virus body to the host file.


This file infector terminates the following services, if found on the system:

  • aswUpdSv
  • avast! iAVS4 Control Service
  • avast! Antivirus
  • avast! Mail Scanner
  • avast! Web Scanner
    ...
  • vsmon
  • VSSERV
  • WebrootDesktopFirewallDataService
  • WebrootFirewall
  • XCOMM


It may download additional malware from the following site(s):

  • http://89.119.67.{removed}/testo5
  • http://kukutrustnet777.{removed}
  • http://kukutrustnet888.{removed}
  • http://kukutrustnet987.{removed}
  • http://www.klkjwre9fqwieluoi.{removed}

Symptoms

Presence of the file(s) mentioned.
Presence of the registry key(s) mentioned.
Services listening on the network port(s) mentioned.
Unexpected network traffic to one or more of the domain(s) mentioned.

Method of Infection

W32/Sality.ai searches local drives, removable media and network shares for Windows PE executable files to infect. It overwrites the code at the original entry point of each file it infects so that control passes to its viral code, which it appends to the last section of the PE image.
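
To illustrate the infection technique described here and in the Characteristics section above (code at the entry point overwritten, the original bytes kept in the virus body, the body appended to the last section), the following Python script is an added example that is neither the virus's code nor McAfee's detection logic. It builds a minimal PE32 image in memory, applies a Sality-style patch to a copy of it, and then runs the two header and entry-point checks an analyst would use to spot such a file. The section layout, the prologue bytes, the four NOPs standing in for the virus body and the jump target are constructed assumptions, and the checks are heuristics rather than a signature.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, section list) read from PE32/PE32+ headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]          # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]     # COFF SizeOfOptionalHeader
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    entry = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "size": max(vsize, rawsize), "rawptr": rawptr, "chars": chars})
        off += 40
    return entry, sections


def section_for(sections, rva):
    return next((s for s in sections if s["va"] <= rva < s["va"] + s["size"]), None)


def check_infection(data):
    """Heuristics for the infection pattern described on this page; returns a list of findings."""
    entry, sections = parse_pe(data)
    ep_sec = section_for(sections, entry)
    if not sections or ep_sec is None:
        return ["entry point outside every section"]
    last, findings = sections[-1], []
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    # A body appended to the last section only runs if that section was made executable.
    if ep_sec is not last and last["chars"] & rwx == rwx:
        findings.append("last section %s is writable+executable" % last["name"])
    # Patched entry point: a near jmp (E9 rel32) whose target lands in the last section.
    off = entry - ep_sec["va"] + ep_sec["rawptr"]
    if data[off] == 0xE9:
        target = entry + 5 + struct.unpack_from("<i", data, off + 1)[0]
        if section_for(sections, target) is last:
            findings.append("entry point jumps to 0x%X in last section" % target)
    return findings


def build_pe(sections, entry_rva):
    """Assemble a minimal PE32 file (constructed test image, not a real program)."""
    hdr_size, ptr, sec_hdrs, raw = 0x400, 0x400, b"", b""
    for name, va, chars, body in sections:
        rawsize = (len(body) + 0x1FF) & ~0x1FF                 # 0x200 file alignment
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(body), va,
                                rawsize, ptr, 0, 0, 0, 0, chars)
        raw += body.ljust(rawsize, b"\0")
        ptr += rawsize
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva, 0, 0).ljust(0xE0, b"\0")
    return (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(hdr_size, b"\0") + raw


TEXT_VA, DATA_VA = 0x1000, 0x2000
TEXT_CHARS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_CHARS = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
PROLOGUE = bytes.fromhex("558BEC83EC10") + bytes(0x40)         # push ebp; mov ebp,esp; sub esp,0x10
ORIG_DATA = b"clean data\0".ljust(0x200, b"\0")


def clean_image():
    return build_pe([(b".text", TEXT_VA, TEXT_CHARS, PROLOGUE),
                     (b".data", DATA_VA, DATA_CHARS, ORIG_DATA)], TEXT_VA)


def infected_image():
    """Sality-style patch: jmp at the entry point, saved bytes plus body appended to .data."""
    body_rva = DATA_VA + len(ORIG_DATA)                         # body follows the original data
    jmp = b"\xE9" + struct.pack("<i", body_rva - (TEXT_VA + 5))
    body = PROLOGUE[:5] + bytes.fromhex("90909090")             # saved bytes + stand-in virus code
    return build_pe([(b".text", TEXT_VA, TEXT_CHARS, jmp + PROLOGUE[5:]),
                     (b".data", DATA_VA, DATA_CHARS | IMAGE_SCN_MEM_EXECUTE, ORIG_DATA + body)],
                    TEXT_VA)


if __name__ == "__main__":
    print("clean:", check_infection(clean_image()))
    print("infected:", check_infection(infected_image()))
```

Both checks fire on the patched image and neither on the clean one. Packers and some linkers also produce executable last sections or jumps out of the entry section, so findings from these heuristics are a reason to look closer, not a verdict.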

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Variants