
Virus:Win32/Sality.G.dll


First posted on 18 September 2013.
Source: Microsoft

Aliases:

There are no other names known for Virus:Win32/Sality.G.dll.

Explanation:

Threat behavior

Virus:Win32/Sality.G.dll is a member of the Win32/Sality family, a family of polymorphic file infectors that target Windows files with the extensions .scr or .exe. They may delete files with certain extensions and end or close antivirus and other security-related processes and services.

There is more information about this family in the Win32/Sality description.

Installation

Virus:Win32/Sality.G.dll infects files, which, once infected, are detected as Virus:Win32/Sality.G.

The virus might be dropped and loaded as %SystemRoot%\system32\wmimgr32.dll by a component of Virus:Win32/Sality.G.

Virus:Win32/Sality.G.dll is loaded into other processes by installing a message hook (a function that enables Virus:Win32/Sality.G to load itself into other processes).

It creates a mutex named "kuku_joker_v3.04" to prevent more than one instance of itself running on your computer at any one time.

Spreads via…

File infection / network shares

Virus:Win32/Sality.G.dll tries to infect files with the extensions ".EXE" and ".SCR" on local drives and network shares. However, files protected by SFC (System File Checker), and files whose names contain the following (often security-related) strings, will not be infected:

  • ALER
  • ANDA
  • ANTI
  • AVP
  • CLEAN
  • GUAR
  • KAV
  • NOD
  • OUTP
  • SCAN
  • TOTAL
  • TREN
  • TROJ
  • ZONE


Payload

Downloads files

In the wild, we've observed the virus contacting hackers at the following domains to download files which it then saves to the %TEMP% folder:

  • kukunet11581q.com
  • rus0396kuku.com


Steals sensitive information

Worm:Win32/Sality.G.dll has been observed stealing information, including but not limited to the following:

  • Passwords stored in your temporary Internet files
  • Information about your computer
  • Keystrokes you make


It then sends this information to a hacker at one of the domains from which it downloads files (see above).
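The mutex, dropped DLL path and download domains listed above are the host and network indicators a responder would hunt for. The following Python is an added triage example (not part of the original description); it matches those indicators against constructed DNS query lines and a constructed handle/module listing, and the log layouts it parses are assumptions.

```python
import re

# Indicators taken from the Virus:Win32/Sality.G.dll description above.
SALITY_G_MUTEX = "kuku_joker_v3.04"
SALITY_G_DLL_PATH = r"\system32\wmimgr32.dll"   # dropped as %SystemRoot%\system32\wmimgr32.dll
SALITY_G_DOMAINS = ("kukunet11581q.com", "rus0396kuku.com")


def is_c2_domain(name):
    """True for the download domains named above, or any subdomain of them."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in SALITY_G_DOMAINS)


def scan_dns_log(lines):
    """Return (line_no, queried_name) for each query to a Sality.G domain.
    Assumed (constructed) layout: '<time> <client> query: <name>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"\bquery:\s*(\S+)", line)
        if m and is_c2_domain(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


def scan_host_listing(lines):
    """Return (line_no, tag) for the mutex name or the dropped DLL path in a
    handle/module listing. Assumed layout: '<pid> <type> <name or path>'."""
    findings = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        if SALITY_G_MUTEX.lower() in low:
            findings.append((n, "mutex"))
        elif SALITY_G_DLL_PATH.lower() in low:
            findings.append((n, "dropped_dll"))
    return findings


# Constructed sample input, not real telemetry.
DNS_SAMPLE = [
    "09:12:01 10.0.0.5 query: update.microsoft.com",
    "09:12:04 10.0.0.5 query: kukunet11581q.com",
    "09:12:09 10.0.0.7 query: mail.example.org",
    "09:12:15 10.0.0.5 query: rus0396kuku.com.",
]
HOST_SAMPLE = [
    r"1204 Mutant \BaseNamedObjects\kuku_joker_v3.04",
    r"1204 Module C:\Windows\system32\kernel32.dll",
    r"2310 Module C:\Windows\system32\wmimgr32.dll",
]

if __name__ == "__main__":
    print("DNS hits:", scan_dns_log(DNS_SAMPLE))
    print("Host findings:", scan_host_listing(HOST_SAMPLE))
```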

Deletes files

Virus:Win32/Sality.G.dll tries to delete files with the following extensions:

  • .avc
  • .key
  • .tjc
  • .vdb


It will also attempt to delete files whose names contain the following (often security-related) strings:

  • AHEAD
  • ALER
  • ANDA
  • ANTI
  • CLEAN
  • GUAR
  • OUTP
  • SCAN
  • TOTAL
  • TREN
  • TROJ
  • ZONE

Analysis by Shawn Wang, Gabriel Plouffe, Duc Nguyen & Edgardo Diaz Jr

Symptoms

System changes


The following changes to your computer may indicate the presence of Virus:Win32/Sality.G.dll:

  • Infected files may unexpectedly increase in size
  • Antimalware and firewall applications may not work properly

Last update 18 September 2013
