Home / malware Win32.Sality.PB
First posted on 21 November 2011.
Source: BitDefenderAliases :
There are no other names known for Win32.Sality.PB.
Explanation :
When launched it performs the folowing actions:
Ensure that it will be active on each system startup by altering the registry key
[HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon]
Shell = Explorer.exe by adding it's own path.
Open an UDP server on a random port and send datagrams of various sizes and contents to random IP addresses and ports .
Include itself into the Windows Firewall's registry key which defines the list of allowed applications:
[HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList]\%infected_file_path%
Try to protect itself from user detection and removal by disabling the TaskManger and RegistryEditor programs:
[HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem]DisableTaskMgr = 1
[HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem]DisableRegistryTools = 1
Disable some well known security related services, altering their start mode in the registry by setting the key:
[HKLMSYSTEMCurrentControlSetServices\%service_name%]Start to value 0x4 (disabled):
(ALG, VSSERV, bdss, NOD32krn, McShield, LIVESERV etc.)
Drops and launches a keylogger: %system%28463svchost.exe detected as Trojan.Kelog.Ardamax.NAL.
Tries to connect to the following URLs: (unavailable at the time of this description):
http://89.149.227.194
http://SOSiTE_AVERI_SOSiTEEE.haha
http://kjwre77638dfqwieuoi.info
http://kukutrustnet777.info
http://pacwebco.com
http://pacwebco.com
http://www.freewebtown.com
http://www.kjwre9fqwieluoi.infoLast update 21 November 2011
