W32/Sality.aq

This page shows details and results of our analysis on the malware W32/Sality.aq

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

5426 (2008-11-06)

Updated DAT

5760 (2009-10-03)

Minimum Engine

5400.1158

File Length

77824 bytes

Description Added

2008-11-05

Description Modified

2008-11-10

Malware Proliferation

Characteristics

W32/Sality.aq is a parasitic virus that infects Win32 PE executable files.

Upon execution, it drops the following files:

  • %System%\drivers\[RANDOM FILE NAME].sys

It creates the following mutex "Op1mutx9"

Creates the following registry keys:

    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aic32p
    • HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\IPFILTERDRIVER
    • HKEY_CURRENT_USER\Software\[USER NAME]914

Modifies the following registry entries:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Setting
      GlobalUserOffline = 0
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
      EnableLUA = 0
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
      AntiVirusOverride = 1
      AntiVirusDisableNotify = 1
      FirewallDisableNotify = 1
      FirewallOverride = 1
      UpdatesDisableNotify = 1
      UacDisableNotify = 1
      AntiSpywareOverride = 1
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
      DisableRegistryTools

Deletes entries under the following registry subkeys to prevent rebooting into Safe Mode:

    • HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

Adds following entry to %Windir%\system.ini:
[MCIDRV_VER]

Downloads further malware from the following domains:

    • [hxxp:]//89.119.67.154/[blocked]     
    • [hxxp:]//oceaninfo.co.kr/[blocked]   
    • [hxxp:]//kukutrustnet7[blocked]      
    • [hxxp:]//kukutrustnet8[blocked]      
    • [hxxp:]//kukutrustnet9[blocked]      
    • [hxxp:]//www.kjwre9fqwiel[blocked]   
    • [hxxp:]//kukutrustnet7[blocked]
    • [hxxp:]//klkjwre77638dfqwieuoi888[blocked]
    • [hxxp:]//kjwre77638dfqwieu[blocked]  
    • [hxxp:]//kjwre77638dfqwieu[blocked]  
    • [hxxp:]//pacwebco.com/images[blocked]
    • [hxxp:]//pacwebco.com/images[blocked]
    • [hxxp:]//89.149.227.194/trat[blocked]
    • [hxxp:]//www.freewebtown.com/[blocked]
    • [hxxp:]//tele-pc.com/
    • [hxxp:]//macedonia.my1.ru/
    • [hxxp:]//jrsx.jre.net.cn/
    • [hxxp:]//montienhouse.com/
    • [hxxp:]//tecredi.eresmas.com/

Attempt to delete files containing any of the following strings in their name

    • Agnitum Client Security Service
    • ALG
    • Amon monitor
    • aswUpdSv
    • aswMon2
    • aswRdr
    • aswSP
    • aswTdi
    • aswFsBlk
    • acssrv
    • AV Engine
    • avast! iAVS4 Control Service
    • avast! Antivirus
    • avast! Mail Scanner
    • avast! Web Scanner
    • avast! Asynchronous Virus Monitor
    • avast! Self Protection
    • AVG E-mail Scanner
    • Avira AntiVir Premium Guard
    • Avira AntiVir Premium WebGuard
    • Avira AntiVir Premium MailGuard
    • avp1
    • BackWeb Plug-in - 4476822
    • bdss
    • BGLiveSvc
    • BlackICE
    • CAISafe
    • ccEvtMgr
    • ccProxy
    • ccSetMgr
    • Eset Service
    • Eset HTTP Server
    • Eset Personal Firewall
    • F-Prot Antivirus Update Monitor
    • fsbwsys
    • FSDFWD
    • F-Secure Gatekeeper Handler Starter
    • FSMA
    • Google Online Services
    • LavasoftFirewall
    • McAfeeFramework
    • McShield
    • McTaskManager
    • navapsvc
    • NOD32krn
    • NPFMntor
    • NSCService
    • Outpost Firewall main module
    • OutpostFirewall
    • PAVFIRES
    • PAVFNSVR
    • PavProt
    • PavPrSrv
    • PAVSRV
    • PcCtlCom
    • PersonalFirewal
    • PREVSRV
    • ProtoPort Firewall service
    • PSIMSVC
    • RapApp
    • SmcService
    • SNDSrvc
    • SPBBCSvc
    • SpIDer FS Monitor for Windows NT
    • SpIDer Guard File System Monitor
    • SPIDERNT
    • Symantec Core LC
    • Symantec Password Validation
    • Symantec AntiVirus Definition Watcher
    • SavRoam
    • Symantec AntiVirus
    • vsmon
    • VSSERV
    • WebrootDesktopFirewallDataService

 

The kernel mode device driver attempts to block access to following  domains and applications having the following strings.

    • Cureit
    • Drweb
    • Onlinescan
    • Spywareinfo
    • Ewido
    • Virusscan
    • Windowsecurity
    • Spywareguide
    • Bitdefender
    • Panda software
    • Agnmitum
    • Virustotal
    • Sophos
    • Trend Micro
    • Etrust.com
    • Symantec
    • McAfee
    • F-Secure
    • Eset.com
    • Kaspersky

Symptoms

Existing Windows PE executable files grow in length of 77824 bytes.
Unexpected network traffic to one or more of the domains mentioned above.

Method of Infection

W32/Sality.aq searches local drives and network shares for Windows PE executable files to infect. It replaces the original entry point of the files it infects with its viral code and appends itself to the last section of the PE image.  The infected files grow by size by minimum 50Kb.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue 'fixmbr' command to restore the Master Boot Record
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.

Variants