Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
|
Minimum DAT
5426 (2008-11-06) Updated DAT5760 (2009-10-03) |
Minimum Engine
5400.1158 File Length77824 bytes |
Description Added
2008-11-05 Description Modified2008-11-10 |
Malware Proliferation
Characteristics
W32/Sality.aq is a parasitic virus that infects Win32 PE executable files.
Upon execution, it drops the following files:
- %System%\drivers\[RANDOM FILE NAME].sys
It creates the following mutex "Op1mutx9"
Creates the following registry keys:
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aic32p
- HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\IPFILTERDRIVER
- HKEY_CURRENT_USER\Software\[USER NAME]914
Modifies the following registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Setting
GlobalUserOffline = 0 - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
EnableLUA = 0 - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AntiVirusOverride = 1
AntiVirusDisableNotify = 1
FirewallDisableNotify = 1
FirewallOverride = 1
UpdatesDisableNotify = 1
UacDisableNotify = 1
AntiSpywareOverride = 1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
Deletes entries under the following registry subkeys to prevent rebooting into Safe Mode:
- HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
Adds following entry to %Windir%\system.ini:
[MCIDRV_VER]
Downloads further malware from the following domains:
- [hxxp:]//89.119.67.154/[blocked]
- [hxxp:]//oceaninfo.co.kr/[blocked]
- [hxxp:]//kukutrustnet7[blocked]
- [hxxp:]//kukutrustnet8[blocked]
- [hxxp:]//kukutrustnet9[blocked]
- [hxxp:]//www.kjwre9fqwiel[blocked]
- [hxxp:]//kukutrustnet7[blocked]
- [hxxp:]//klkjwre77638dfqwieuoi888[blocked]
- [hxxp:]//kjwre77638dfqwieu[blocked]
- [hxxp:]//kjwre77638dfqwieu[blocked]
- [hxxp:]//pacwebco.com/images[blocked]
- [hxxp:]//pacwebco.com/images[blocked]
- [hxxp:]//89.149.227.194/trat[blocked]
- [hxxp:]//www.freewebtown.com/[blocked]
- [hxxp:]//tele-pc.com/
- [hxxp:]//macedonia.my1.ru/
- [hxxp:]//jrsx.jre.net.cn/
- [hxxp:]//montienhouse.com/
- [hxxp:]//tecredi.eresmas.com/
Attempt to delete files containing any of the following strings in their name
- Agnitum Client Security Service
- ALG
- Amon monitor
- aswUpdSv
- aswMon2
- aswRdr
- aswSP
- aswTdi
- aswFsBlk
- acssrv
- AV Engine
- avast! iAVS4 Control Service
- avast! Antivirus
- avast! Mail Scanner
- avast! Web Scanner
- avast! Asynchronous Virus Monitor
- avast! Self Protection
- AVG E-mail Scanner
- Avira AntiVir Premium Guard
- Avira AntiVir Premium WebGuard
- Avira AntiVir Premium MailGuard
- avp1
- BackWeb Plug-in - 4476822
- bdss
- BGLiveSvc
- BlackICE
- CAISafe
- ccEvtMgr
- ccProxy
- ccSetMgr
- Eset Service
- Eset HTTP Server
- Eset Personal Firewall
- F-Prot Antivirus Update Monitor
- fsbwsys
- FSDFWD
- F-Secure Gatekeeper Handler Starter
- FSMA
- Google Online Services
- LavasoftFirewall
- McAfeeFramework
- McShield
- McTaskManager
- navapsvc
- NOD32krn
- NPFMntor
- NSCService
- Outpost Firewall main module
- OutpostFirewall
- PAVFIRES
- PAVFNSVR
- PavProt
- PavPrSrv
- PAVSRV
- PcCtlCom
- PersonalFirewal
- PREVSRV
- ProtoPort Firewall service
- PSIMSVC
- RapApp
- SmcService
- SNDSrvc
- SPBBCSvc
- SpIDer FS Monitor for Windows NT
- SpIDer Guard File System Monitor
- SPIDERNT
- Symantec Core LC
- Symantec Password Validation
- Symantec AntiVirus Definition Watcher
- SavRoam
- Symantec AntiVirus
- vsmon
- VSSERV
- WebrootDesktopFirewallDataService
The kernel mode device driver attempts to block access to following domains and applications having the following strings.
- Cureit
- Drweb
- Onlinescan
- Spywareinfo
- Ewido
- Virusscan
- Windowsecurity
- Spywareguide
- Bitdefender
- Panda software
- Agnmitum
- Virustotal
- Sophos
- Trend Micro
- Etrust.com
- Symantec
- McAfee
- F-Secure
- Eset.com
- Kaspersky
Symptoms
Unexpected network traffic to one or more of the domains mentioned above.
Method of Infection
W32/Sality.aq searches local drives and network shares for Windows PE executable files to infect. It replaces the original entry point of the files it infects with its viral code and appends itself to the last section of the PE image. The infected files grow by size by minimum 50Kb.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
But in some particular cases, the following steps need to be taken.
Please go to the Microsoft Recovery Console and restore a clean MBR.
On Windows XP:
- Insert the Windows XP CD into the CD-ROM drive and restart the computer.
- When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
- Select the Windows installation that is compromised and provide the administrator password.
- Issue 'fixmbr' command to restore the Master Boot Record
- Follow onscreen instructions.
- Reset and remove the CD from CD-ROM drive.
On Windows Vista and 7:
- Insert the Windows CD into the CD-ROM drive and restart the computer.
- Click on "Repair Your Computer".
- When the System Recovery Options dialog comes up, choose the Command Prompt.
- Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
- Follow onscreen instructions.
- Reset and remove the CD from CD-ROM drive.
Variants