Home / malware

PDF

Virus:Win32/Sality.AU

First posted on 15 February 2019.
Source: Microsoft

Aliases :

Virus:Win32/Sality.AU is also known as Virus.Win32.Sality.ag, W32/Sality.BD, Win32.Sality.BK, W32/Sality.AG, Win32.Sality.3, Win32/Sality.NBA, Virus.Win32.Sality, W32/Sality.AA, Mal/Sality-D, Virus.Win32.Sality.at, W32.Sality.AE, PE_SALITY.BA-O.

Explanation :

Virus:Win32/Sality.AU is a virus that infects executable files. It is known to be dropped in the computer by Worm:Win32/Sality.AU. It also spreads itself to removable and remote drives.  Virus:Win32/Sality.AU disables certain system processes. It also lowers the computer's security by changing firewall settings, terminates security-related processes and services, and disables monitoring software and System Restore. Installation Virus:Win32/Sality.AU creates the following mutex  op1mutx9   It also creates the following registry entry as part of its installation routine:  Adds value: "session" With data: "" To subkey : HKCUSOFTWAREntrp  It checks the default "system.ini" file if it has the section "[fje32a1s]" with the key "minr". If it doesn't, Virus:Win32/Sality.AU writes this as part of its installation routine.  Virus:Win32/Sality.AU creates and executes the following file:  %TEMP%.exe - also detected as Virus:Win32/Sality.AU For example: %TEMP% 2ff07.exe Spreads via... File infection   Virus:Win32/Sality.AU injects code into all running processes to load and run itself. It infects Windows executable files with the following extensions:  .EXE .SCR   The virus seeks other target files by reading file names found in the following registry subkeys:  HKCUSoftwareMicrosoftWindowsShellNoRoamMUICache HKCUSoftwareMicrosoftWindowsCurrentVersionRun HKLMSoftwareMicrosoftWindowsCurrentVersionRun   Virus:Win32/Sality.AU does not infect files protected by the Windows System File Checker (SFC) or if the file name starts with one of the following strings:  A2CMD.   A2FREE   A2GUARD A2SERVICE.   ADVCHK. AGB. AHPROCMONSERVER. AIRDEFENSE   AKRNL.   ALERTSVC AMON. ANTIVIR APVXDWIN. ARMOR2NET.   ASHAVAST. ASHDISP. ASHENHCD. ASHMAISV. ASHPOPWZ. ASHSERV. ASHSIMPL. ASHSKPCK. ASHWEBSV. ASWSCAN ASWUPDSV. AVAST AVCENTER AVCIMAN. AVCONSOL. AVENGINE. AVESVC. AVEVAL. AVEVL32. AVGAM AVGCC. AVGCC32. AVGCHSVX. AVGCSRVX. AVGCTRL. AVGEMC. AVGFWSRV. AVGNSX. AVGNT.   AVGNTMGR AVGSERV. AVGTRAY. AVGUARD. AVGUPSVC. AVGWDSVC. AVINITNT. AVIRA AVKSERV. AVKSERVICE. AVKWCTL. AVP. AVP32.   AVPCC.   AVPM. AVSCHED32.   AVSERVER. AVSYNMGR. AVWUPD32. AVWUPSRV. AVXMONITOR   AVXQUAR. AVZ. BDSWITCH. BITDEFENDER BLACKD. BLACKICE. CAFIX.   CCEVTMGR. CCSETMGR. CFIAUDIT. CFP. CFPCONFIG.   CLAMTRAY. CLAMWIN. CUREIT   DEFENDERDAEMON   DEFWATCH. DRVIRUS. DRWADINS. DRWEB DWEBIO   DWEBLLIO EKRN. ESCANH95. ESCANHNT. EWIDOCTRL.   EZANTIVIRUSREGISTRATIONCHECK. F-AGNT95. F-SCHED. F-STOPW. FAMEH32. FILEMON FIREWALL FORTICLIENT FORTISCAN FORTITRAY.   FPAVSERVER. FPROTTRAY.   FPWIN.   FRESHCLAM.   FSAV32. FSAVGUI. FSBWSYS. FSDFWD. FSGK32. FSGK32ST. FSGUIEXE. FSMA32. FSMB32. FSPEX.   FSSM32. GCASDTSERV. GCASSERV. GIANTANTISPYWARE GUARDGUI. GUARDNT. GUARDXKICKOFF.   GUARDXSERVICE.   HREGMON. HRRES.   HSOCKPE. HUPDATE. IAMAPP. IAMSERV. ICLOAD95. ICLOADNT. ICMON.   ICSSUPPNT.   ICSUPP95. ICSUPPNT. INETUPD. INOCIT. INORPC. INORT.   INOTASK. INOUPTNG. IOMON98. IPTRAY. ISAFE.   ISATRAY. KAV. KAVMM.   KAVPF.   KAVPFW. KAVSTART. KAVSVC. KAVSVCUI. KMAILMON. MAMUTU   MCAGENT. MCMNHDLR. MCREGWIZ. MCUPDATE. MCVSSHLD. MINILOG. MYAGTSVC. MYAGTTRY. NAVAPSVC. NAVAPW32. NAVLU32. NAVW32. NEOWATCHLOG. NEOWATCHTRAY. NISSERV NISUM.   NMAIN.   NOD32 NORMIST. NOTSTART. NPAVTRAY. NPFMNTOR. NPFMSG. NPROTECT. NSCHED32. NSMDTR. NSSSERV. NSSTRAY. NTOS. NTRTSCAN. NTXCONFIG.   NUPGRADE. NVCOD.   NVCTE.   NVCUT.   NWSERVICE.   OFCPFWSVC.   ONLINENT. OP_MON. OPSSVC. OUTPOST PAVFIRES. PAVFNSVR. PAVKRE. PAVPROT. PAVPROXY. PAVPRSRV. PAVSRV51. PAVSS.   PCCGUIDE. PCCIOMON. PCCNTMON. PCCPFW. PCCTLCOM. PCTAV.   PERSFW. PERTSK. PERVAC. PESTPATROL   PNMSRV. PREVSRV. PREVX PSIMSVC. QHONLINE. QHONSVC. QHSET.   QHWSCSVC. QUHLPSVC. RFWMAIN. RTVSCAN. RTVSCN95. SALITY   SAPISSVC. SAVADMINSERVICE. SAVMAIN. SAVPROGRESS. SAVSCAN. SCANNINGPROCESS. SCANWSCS. SDHELP. SDRA64. SHSTAT. SITECLI. SPBBCSVC. SPHINX. SPIDERCPL.   SPIDERML. SPIDERNT. SPIDERUI. SPYBOTSD. SPYXX.   SS3EDIT. STOPSIGNAV. SWAGENT. SWDOCTOR. SWNETSUP. SYMLCSVC. SYMPROXYSVC. SYMSPORT. SYMWSC. SYNMGR. TAUMON. TBMON.   TMLISTEN. TMNTSRV. TMPROXY. TNBUTIL. TRJSCAN. TROJAN. VBA32ECM. VBA32IFS. VBA32LDR. VBA32PP3. VBSNTW. VCRMON. VPTRAY. VRFWSVC. VRMONNT. VRMONSVC. VRRW32. VSECOMR. VSHWIN32. VSMON.   VSSERV. VSSTAT. WATCHDOG. WEBSCANX. WINSSNOTIFY. WRCTRL. XCOMMSVR. ZLCLIENT ZONEALARM   Removable and remote drives Virus:Win32/Sality.AU copies the infected file to the root of all remote and removable drives as one of the following:  .pif .exe   It then writes an Autorun configuration file named "autorun.inf" pointing to the virus copy. When the drive is accessed from a computer supporting the Autorun feature, the virus is launched automatically. Payload Connects to a remote server Virus:Win32/Sality.AU connects to a remote server by connecting to the following website:  cdeinaa.com/sm.php?pizda1=angel   Drops other malware Virus:Win32/Sality.AU drops a device driver as the following file:  %SystemRoot%system32driversamsint32.sys - detected as Trojan:WinNT/Sality  Prevents booting Windows in safe mode Win32/Sality.AU recursively deletes all registry values and data under the following registry subkeys, preventing the user from starting Windows in safe mode:  HKLMSystemCurrentControlSetControlSafeBoot HKCUSystemCurrentControlSetControlSafeBoot   Disables security monitoring software Win32/Sality.AU reads the system service descriptor table (SSDT) directly from the NT kernel ("ntoskrnl.exe") and passes the original SSDT to a buffer created by its dropped driver component (Trojan:WinNT/Sality).   System API calls to the SSDT are redirected to the clean version stored in the driver component. The behavior may block some HIPS or antivirus on-access detection methods that rely on SSDT hooks.  Deletes security-related files This virus deletes security data files including security software detection database files or signatures that have the following file extensions found in all drives and network shares:  .AVC .VDB   Terminates security-related services Win32/Sality.AU attempts to stop and delete the following security-related services:  Acssrv Alg Amon Monitor Aswfsblk Aswmon2 Aswrdr Aswsp Aswtdi Aswupdsv Av Engine Avast! Antivirus Avast! Asynchronous Virus Monitor Avast! Iavs4 Control Service Avast! Mail Scanner Avast! Self Protection Avast! Web Scanner Avg E-Mail Scanner Avira Antivir Premium Guard Avira Antivir Premium Mailguard Avira Antivir Premium Webguard Avp Agnitum Client Security Service Bglivesvc Blackice Caisafe Ccevtmgr Ccproxy Ccsetmgr Cmdagent Cmdguard Comodo Firewall Pro Sandbox Driver Eset Http Server Eset Personal Firewall Eset Service F-Prot Antivirus Update Monitor F-Secure Gatekeeper Handler Starter Fsbwsys Fsdfwd Fsma Google Online Services Inorpc Inort Inotask Issvc Klif Kpf4 Lavasoftfirewall Livesrv Mcafeeframework Mcshield Mctaskmanager Mpssvc Navapsvc Nod32Krn Npfmntor Nscservice Outpost Firewall Main Module Outpostfirewall Pavfires Pavfnsvr Pavprot Pavprsrv Pavsrv Pcctlcom Personalfirewal Prevsrv Protoport Firewall Service Psimsvc Rapapp Savroam Sharedaccess Smcservice Sndsrvc Spbbcsvc Spider Fs Monitor For Windows Nt Spider Guard File System Monitor Spidernt Symantec Antivirus Symantec Antivirus Definition Watcher Symantec Core Lc Symantec Password Validation Tmntsrv Tmpfw Umxagent Umxcfg Umxlu Umxpol Vsmon Vsserv Webrootdesktopfirewalldataservice Webrootfirewall Wscsvc Xcomm   Terminates security-related processes Win32/Sality.AU attempts to terminate security-related processes that contain any of the following strings:  A2CMD. A2FREE A2GUARD A2SERVICE. ADVCHK. AGB. AHPROCMONSERVER. AIRDEFENSE AKRNL. ALERTSVC AMON. ANTIVIR APVXDWIN. ARMOR2NET. ASHAVAST. ASHDISP. ASHENHCD. ASHMAISV. ASHPOPWZ. ASHSERV. ASHSIMPL. ASHSKPCK. ASHWEBSV. ASWSCAN ASWUPDSV. AVAST AVCENTER AVCIMAN. AVCONSOL. AVENGINE. AVESVC. AVEVAL. AVEVL32. AVGAM AVGCC. AVGCC32. AVGCHSVX. AVGCSRVX. AVGCTRL. AVGEMC. AVGFWSRV. AVGNSX. AVGNT. AVGNTMGR AVGSERV. AVGTRAY. AVGUARD. AVGUPSVC. AVGWDSVC. AVINITNT. AVIRA AVKSERV. AVKSERVICE. AVKWCTL. AVP. AVP32. AVPCC. AVPM. AVSCHED32. AVSERVER. AVSYNMGR. AVWUPD32. AVWUPSRV. AVXMONITOR AVXQUAR. AVZ. BDSWITCH. BITDEFENDER BLACKD. BLACKICE. CAFIX. CCEVTMGR. CCSETMGR. CFIAUDIT. CFP. CFPCONFIG. CLAMTRAY. CLAMWIN. CUREIT DEFENDERDAEMON DEFWATCH. DRVIRUS. DRWADINS. DRWEB DWEBIO DWEBLLIO EKRN. ESCANH95. ESCANHNT. EWIDOCTRL. EZANTIVIRUSREGISTRATIONCHECK. F-AGNT95. F-SCHED. F-STOPW. FAMEH32. FILEMON FIREWALL FORTICLIENT FORTISCAN FORTITRAY. FPAVSERVER. FPROTTRAY. FPWIN. FRESHCLAM. FSAV32. FSAVGUI. FSBWSYS. FSDFWD. FSGK32. FSGK32ST. FSGUIEXE. FSMA32. FSMB32. FSPEX. FSSM32. GCASDTSERV. GCASSERV. GIANTANTISPYWARE GUARDGUI. GUARDNT. GUARDXKICKOFF. GUARDXSERVICE. HREGMON. HRRES. HSOCKPE. HUPDATE. IAMAPP. IAMSERV. ICLOAD95. ICLOADNT. ICMON. ICSSUPPNT. ICSUPP95. ICSUPPNT. INETUPD. INOCIT. INORPC. INORT. INOTASK. INOUPTNG. IOMON98. IPTRAY. ISAFE. ISATRAY. KAV. KAVMM. KAVPF. KAVPFW. KAVSTART. KAVSVC. KAVSVCUI. KMAILMON. MAMUTU MCAGENT. MCMNHDLR. MCREGWIZ. MCUPDATE. MCVSSHLD. MINILOG. MYAGTSVC. MYAGTTRY. NAVAPSVC. NAVAPW32. NAVLU32. NAVW32. NEOWATCHLOG. NEOWATCHTRAY. NISSERV NISUM. NMAIN. NOD32 NORMIST. NOTSTART. NPAVTRAY. NPFMNTOR. NPFMSG. NPROTECT. NSCHED32. NSMDTR. NSSSERV. NSSTRAY. NTOS. NTRTSCAN. NTXCONFIG. NUPGRADE. NVCOD. NVCTE. NVCUT. NWSERVICE. OFCPFWSVC. ONLINENT. OP_MON. OPSSVC. OUTPOST PAVFIRES. PAVFNSVR. PAVKRE. PAVPROT. PAVPROXY. PAVPRSRV. PAVSRV51. PAVSS. PCCGUIDE. PCCIOMON. PCCNTMON. PCCPFW. PCCTLCOM. PCTAV. PERSFW. PERTSK. PERVAC. PESTPATROL PNMSRV. PREVSRV. PREVX PSIMSVC. QHONLINE. QHONSVC. QHSET. QHWSCSVC. QUHLPSVC. RFWMAIN. RTVSCAN. RTVSCN95. SALITY SAPISSVC. SAVADMINSERVICE. SAVMAIN. SAVPROGRESS. SAVSCAN. SCANNINGPROCESS. SCANWSCS. SDHELP. SDRA64. SHSTAT. SITECLI. SPBBCSVC. SPHINX. SPIDERCPL. SPIDERML. SPIDERNT. SPIDERUI. SPYBOTSD. SPYXX. SS3EDIT. STOPSIGNAV. SWAGENT. SWDOCTOR. SWNETSUP. SYMLCSVC. SYMPROXYSVC. SYMSPORT. SYMWSC. SYNMGR. TAUMON. TBMON. TMLISTEN. TMNTSRV. TMPROXY. TNBUTIL. TRJSCAN. TROJAN. VBA32ECM. VBA32IFS. VBA32LDR. VBA32PP3. VBSNTW. VCRMON. VPTRAY. VRFWSVC. VRMONNT. VRMONSVC. VRRW32. VSECOMR. VSHWIN32. VSMON. VSSERV. VSSTAT. WATCHDOG. WEBSCANX. WINSSNOTIFY. WRCTRL. XCOMMSVR. ZLCLIENT ZONEALARM   Additionally, Virus:Win32/Sality.AU kills processes, which have following modules loaded:  DWEBLLIO DWEBIO   Modifies Windows settings Virus:Win32/Sality.AU modifies the registry to disable Windows Registry Editor: Adds value: "DisableRegistryTools" With data: "1" In subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciessystem  The virus also modifies the registry to prevent viewing files with hidden attributes: Adds value: "Hidden" With data: "2" In subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionExplorer  Lowers computer security Virus:Win32/Sality.AU modifies the registry to bypass the Windows firewall: Adds value: ":*:enabled:ipsec" With data: "" In subkey: HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList  The virus modifies other registry data that lower the security of the infected computer. It modifies the following registry data to change Windows Security Center and Windows Firewall settings.  Adds value: "AntiVirusOverride" With data: "1" In subkey: HKLMSOFTWAREMicrosoftSecurity Center  Adds value: "AntiVirusOverride" With data: "1" In subkey: HKLMSOFTWAREMicrosoftSecurity CenterSvc  Adds value: "AntiVirusDisableNotify" With data: "1" In subkey: HKLMSOFTWAREMicrosoftSecurity CenterSvc  Adds value: "FirewallOverride" With data: "1" In subkey: HKLMSOFTWAREMicrosoftSecurity CenterSvc  Adds value: "FirewallDisableNotify" With data: "1" In subkey: HKLMSOFTWAREMicrosoftSecurity CenterSvc  Adds value "EnableFirewall" With data: "0" In subkey: HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfile  Adds value "GlobalUserOffline" With data: "0" In subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings  Adds value: "EnableLUA" With data: "0" In subkey: HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem  Downloads arbitrary files Virus:Win32/Sality.AU attempts to download files from remote servers to the local drive, then decrypts and executes the downloaded files. We have observed the virus to connect to the following servers:  89.119.67.154 kukutrustnet777.info kukutrustnet888.info kukutrustnet987.info www.klkjwre9fqwieluoi.info   At the time of this writing, the requested files are unavailable for analysis.  Analysis by Marianne Mallen

Last update 15 February 2019

 

TOP