W32/Sality.ao

This page shows the details and results of our analysis of the malware W32/Sality.ao.

Overview

W32/Sality.ao is a parasitic virus that infects Win32 PE executable files. It infects files (*.exe and *.scr files) on the local, network and removable drives by overwriting code in the entry point of the original file and saving the overwritten code in its virus body. It then appends the virus body to the host file.


Minimum DAT: 5389 (2008-09-22)

Updated DAT: 5760 (2009-10-03)

Minimum Engine: 5400.1158

File Length: varies

Description Added: 2008-09-22

Description Modified: 2008-09-26

Malware Proliferation

Characteristics

Upon infection, W32/Sality.ao creates the following mutex to ensure that only one instance of the virus is active on a computer at any time:

  • Op1mutx9

Disables Regedit and Task Manager by modifying the following registry values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system "DisableRegistryTools"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system "DisableTaskMgr"

Disables the Windows XP Security Center by modifying the following registry values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusDisableNotify"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallDisableNotify"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "UacDisableNotify"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "UpdatesDisableNotify"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc "AntiVirusDisableNotify"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc "AntiVirusOverride"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc "FirewallDisableNotify"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc "FirewallOverride"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc "UacDisableNotify"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc "UpdatesDisableNotify"

Downloads further malware from the following URLs (paths removed):

  • hxxp://mattfoll.eu.interia.pl/[Removed]
  • hxxp://st1.dist.su.lt/l[Removed]
  • hxxp://lpbmx.ru/[Removed]
  • hxxp://bjerm.mass.hc.ru/[Removed]
  • hxxp://SOSiTE_AVERI_SOSiTEEE.[Removed]

Adds the following entries to the SYSTEM.INI file:

[MCIDRV_VER]
DEVICEMB={Random numbers}
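As an added defender-side check that is not part of this description, the following Python script scans a decoded .reg export and a SYSTEM.INI file for the registry values and the [MCIDRV_VER] marker listed above. It assumes the .reg text has already been decoded from regedit's UTF-16 export encoding; the sample inputs are constructed, not captured from an infection.

```python
import configparser
import re

# Indicators come from the description above; everything else is constructed.
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system"
SC_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center",
           r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc")
POLICY_VALUES = {"DisableRegistryTools", "DisableTaskMgr"}
SC_VALUES = {"AntiVirusDisableNotify", "AntiVirusOverride", "FirewallDisableNotify",
             "FirewallOverride", "UacDisableNotify", "UpdatesDisableNotify"}
WATCH = {POLICY_KEY.lower(): POLICY_VALUES, **{k.lower(): SC_VALUES for k in SC_KEYS}}
DWORD_LINE = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{8})')

def registry_hits(reg_export: str) -> list:
    """Return (key, value) pairs from a decoded .reg export whose DWORD data is
    non-zero, i.e. the tamper setting is switched on; zero values are ignored."""
    hits, current = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key header
            continue
        m = DWORD_LINE.match(line)
        if (m and current and int(m.group(2), 16) != 0
                and m.group(1) in WATCH.get(current.lower(), ())):
            hits.append((current, m.group(1)))
    return hits

def system_ini_marker(ini_text: str):
    """Return DEVICEMB from a [MCIDRV_VER] section of SYSTEM.INI, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                  # keep option names case-sensitive
    cp.read_string(ini_text)
    if cp.has_option("MCIDRV_VER", "DEVICEMB"):
        return cp.get("MCIDRV_VER", "DEVICEMB")
    return None

# Constructed sample inputs, not captured from a real infection.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\system]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\Svc]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""
SAMPLE_INI = "[drivers]\nwave=mmdrv.dll\n\n[MCIDRV_VER]\nDEVICEMB=73945122\n"

if __name__ == "__main__":
    print(registry_hits(SAMPLE_REG))       # three switched-on tamper values
    print(system_ini_marker(SAMPLE_INI))   # 73945122
```

A hit on any Security Center value, or a DEVICEMB entry under [MCIDRV_VER], warrants a full scan with current DATs rather than just reverting the setting.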

Symptoms

  • Presence of the file(s) mentioned.
  • Presence of the registry key(s) mentioned.
  • Unexpected network traffic to one or more of the domain(s) mentioned.

Method of Infection

W32/Sality.ao searches local drives, removable drives and network shares for Windows PE executable files to infect. It replaces the original entry point of each file it infects with its viral code and appends itself to the last section of the PE image.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


Variants