
Win32.Sality.OG


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Sality.OG is also known as Win32/Sality.AH (Panda, McAfee).

Explanation :

The virus is a polymorphic file infector which modifies executable files (.exe and .scr), appending its encrypted body at the end of the file in a newly created section. To gain execution, the original code at the entry point is replaced with polymorphic sequences that lead into the decryption routine. The icon of the infected file is not changed. When launched, the following actions take place.
Modifies the memory of the Explorer.exe process, hooking some APIs used for file system access.
To hide itself, a rootkit is dropped as %System%\drivers\[random_name].sys. The file is detected by BitDefender as Win32.Sality.OH. A registry key pointing to the driver is added:
[HKLM\System\CurrentControlSet\Services\asc3360pr]
[...]ImagePath=[path_to_dropped_rootkit]
DisplayName = asc3360pr [...]
To override the "Show hidden and system files" folder option in Explorer, it sets the Hidden value of
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] to 2.
Modifies the following security-related registry keys:
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%malware_path%"="%malware_path%:*:Enabled:ipsec"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
GlobalUserOffline = 0;
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
EnableLUA = 0;
Disables entering safe mode at system boot by deleting the registry key [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot], so that attempting to boot into safe mode results in a blue screen.
To avoid detection, it also tries to find and stop processes and services known to belong to antivirus or monitoring programs, matching them against a list of substrings such programs' names may contain (e.g. "BDMCON.", "BDSS.", "FILEMON", "Firewall").
Appends the following to the %WinDir%\system.ini file:
[MCIDRV_VER]
DEVICEMB=[RANDOM_NUMBER]
The virus spreads via network shares and removable disk drives. In their root folder it creates an Autorun.inf containing command lines that are executed when the drive is accessed and the Disable Autorun option is not set. The command lines try to launch an infected executable file (.exe, .pif) from the same folder; its name is composed of random characters.
Tries to download additional malware files from the following addresses:
http://kukutrustenet777.info
http://pzrk.ru
http://www.kjwre9fqwieluoi.info
http://kjwre77638dfqwieuoi.info ...
Also tries to connect to random addresses on random ports and opens a UDP server on a random port.
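The registry and system.ini artefacts listed above can be checked on a host during triage. The following is an added example, not part of the BitDefender write-up: it takes a registry snapshot (a dictionary of key path to value name/data, assumed to have been exported beforehand) and the text of system.ini, and reports which of the described indicators are present. All sample data is constructed.

```python
# Added example (not BitDefender's code): host triage for the Win32.Sality.OG
# artefacts described in the write-up. The registry snapshot is a dict
# {key_path: {value_name: data}}; a key absent from the dict means it does
# not exist on the host. The sample snapshot and system.ini are constructed.
import configparser
import re

SALITY_SERVICE = r"HKLM\SYSTEM\CurrentControlSet\Services\asc3360pr"
SAFEBOOT_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"
FIREWALL_LIST = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                 r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
EXPLORER_ADV = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
INET_SETTINGS = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
POLICIES_SYS = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

def check_registry(reg):
    """Return a list of indicator descriptions found in the registry snapshot."""
    findings = []
    if SALITY_SERVICE in reg:
        findings.append("service asc3360pr present (rootkit driver loader)")
    if SAFEBOOT_KEY not in reg:
        findings.append("SafeBoot key missing (safe mode disabled)")
    if reg.get(POLICIES_SYS, {}).get("EnableLUA") == 0:
        findings.append("EnableLUA=0 (UAC disabled)")
    if reg.get(INET_SETTINGS, {}).get("GlobalUserOffline") == 0:
        findings.append("GlobalUserOffline=0")
    if reg.get(EXPLORER_ADV, {}).get("Hidden") == 2:
        findings.append("Explorer Hidden=2 (hidden/system files not shown)")
    for path, data in reg.get(FIREWALL_LIST, {}).items():
        if str(data).endswith(":*:Enabled:ipsec"):
            findings.append("firewall exception for " + path)
    return findings

def check_system_ini(text):
    """Look for the appended [MCIDRV_VER] section with a numeric DEVICEMB value."""
    # strict=False tolerates the duplicate sections an appended file may contain
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    value = cp.get("MCIDRV_VER", "DEVICEMB", fallback="")
    if cp.has_section("MCIDRV_VER") and re.fullmatch(r"\d+", value):
        return ["system.ini [MCIDRV_VER] DEVICEMB marker present"]
    return []

def triage(reg, ini_text):
    return check_registry(reg) + check_system_ini(ini_text)

SAMPLE_SYSTEM_INI = "; constructed sample\n[drivers]\nwave=mmdrv.dll\n[mci]\n[MCIDRV_VER]\nDEVICEMB=9472811\n"
SAMPLE_REG = {  # constructed; the driver name is a placeholder for the random one
    SALITY_SERVICE: {"ImagePath": r"C:\WINDOWS\system32\drivers\RANDOM_NAME.sys", "DisplayName": "asc3360pr"},
    POLICIES_SYS: {"EnableLUA": 0}, INET_SETTINGS: {"GlobalUserOffline": 0},
    EXPLORER_ADV: {"Hidden": 2},
    FIREWALL_LIST: {r"C:\sample.exe": r"C:\sample.exe:*:Enabled:ipsec"},
}
```

Running `triage(SAMPLE_REG, SAMPLE_SYSTEM_INI)` on the constructed data reports all seven indicators, while a snapshot that still contains the SafeBoot key and a clean system.ini reports none.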

Last update 21 November 2011
