W32/Sality.gen.b

This page shows details and results of our analysis of the malware W32/Sality.gen.b.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

Microsoft - virus:win32/sality.am
Symantec  - W32.Sality.AE
Nod32     - Win32/Sality.NAO
Norman    - Sality.BBYL

Minimum DAT

5511 (2009-01-30)

Updated DAT

6136 (2010-10-14)

Minimum Engine

5400.1158

File Length

Varies

Description Added

2009-01-30

Description Modified

2013-06-06

Malware Proliferation

Characteristics

W32/Sality.gen.b is detection for a virus that infects Win32 PE executable files. The virus first injects its code into explorer.exe; when the user opens a folder, it infects the files under that folder and creates a file carrying the folder's name and the folder icon.

W32/Sality.gen.b disables Safe Boot Mode and other security-related software. It may also spread via removable drives.

W32/Sality.gen.b infects PE files and creates a new data section in each infected file.

The new data section created by the virus is shown below (image not reproduced here).
Upon execution, the virus injects its code into running system processes and then tries to connect to the following URLs.

The following registry key values have been added to the system:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA: 0x00000000
The above registry key value confirms that the virus tries to disable User Account Control (EnableLUA).
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF\0000\Capabilities: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VMDEBUG\0000\Capabilities: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VMMEMCTL\0000\Capabilities: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AIC32P\0000\Control\
    • *NewlyCreated*: 0x00000000
    • ActiveService: "aic32p"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AIC32P\0000\
    • Service: "aic32p"
    • Legacy: 0x00000001
    • ConfigFlags: 0x00000000
    • Class: "LegacyDriver"
    • ClassGUID: "{GUID}"
    • DeviceDesc: "aic32p"
    • Capabilities: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AIC32P\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000\Control\
    • *NewlyCreated*: 0x00000000
    • ActiveService: "IpFilterDriver"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000\
    • Service: "IpFilterDriver"
    • Legacy: 0x00000001
    • ConfigFlags: 0x00000000
    • Class: "LegacyDriver"
    • ClassGUID: "{GUID}"
    • DeviceDesc: "IP Traffic Filter Driver"
    • Capabilities: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpFilterDriver\Enum\
    • 0: "Root\LEGACY_IPFILTERDRIVER\0000"
    • Count: 0x00000001
    • NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%USERPROFILE%\Desktop\RaidenII.exe: "%USERPROFILE%\Desktop\RaidenII.exe:*:Enabled:ipsec"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%USERPROFILE%\Desktop\procexp.exe: "%USERPROFILE%\Desktop\procexp.exe:*:Enabled:ipsec"
The above registry entries confirm that the virus injects its code into system processes and creates a firewall exception for each infected file.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aic32p\Enum\
    • 0: "Root\LEGACY_AIC32P\0000"
    • : 0x00000001
    • NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aic32p\Security\Security: [Binary Data]
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aic32p\
    • Type: 0x00000001
    • Start: 0x00000003
    • ErrorControl: 0x00000001
    • ImagePath: "\??\%WINDIR%\system32\drivers\hilkno.sys"
    • DisplayName: "aic32p"
The above registry key values confirm that the virus creates a service named "aic32p".
  • HKey_Users\S-1-5-21-1844237615-1085031214-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline: 0x00000000
The above registry key value confirms that the virus tries to disable the GlobalUserOffline setting for Internet Explorer.

The following registry keys have been deleted from the system in order to disable Safe Boot Mode:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{GUID}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{GUID}

Symptoms

Presence of the above-mentioned files and registry activity.

Method of Infection

W32/Sality.gen.b searches local drives and network shares for Windows PE executable files to infect. It replaces the original entry point of each file it infects with its viral code and appends itself to the last section of the PE image.
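As an added example (not McAfee's detection logic or code from this page), the following Python reads the PE headers of a file and flags the infection marker described above: the entry point redirected into the last section of the image. The extra check that this section is both writable and executable is my own assumption about such appending infectors, not something this page states; `build_pe` and its section layouts are constructed sample input, not real binaries.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_sections(data):
    """Return (AddressOfEntryPoint, [(name, vaddr, vsize, characteristics), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr = struct.unpack_from("<8sII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars))
    return entry_rva, sections

def entry_section_index(data):
    """Index of the section holding the entry point, or None if it lies outside every section."""
    entry_rva, sections = parse_sections(data)
    for i, (_, vaddr, vsize, _) in enumerate(sections):
        if vaddr <= entry_rva < vaddr + vsize:
            return i
    return None

def looks_infected(data):
    """Heuristic from the description: entry point in the LAST section, which is writable and executable (assumed)."""
    _, sections = parse_sections(data)
    idx = entry_section_index(data)
    if idx is None or idx != len(sections) - 1:
        return False
    chars = sections[idx][3]
    return bool(chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE)

def build_pe(sections, entry_rva):
    """Constructed, headers-only PE32 image used as sample input here (not a real binary)."""
    opt = bytearray(224)                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)       # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va, vs, 0x400, 0, 0, 0, 0, c)
                    for n, va, vs, c in sections)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)  # e_lfanew: PE signature right after the DOS header
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs
```

Packers such as UPX also leave the entry point in a late, writable section, so treat a hit as a trigger for a full engine scan rather than as a verdict on its own.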

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Variants