W32.Sality

Overview

W32.Sality is a parasitic virus that infects Windows executable files and shared drives by writing its own code into host files. It carries downloader functionality used to install further Trojan or keylogger components. Sality also opens a backdoor that allows a remote attacker to take full control of the infected computer, and with it the confidential information stored on it, so it represents a serious security risk.

Aliases

Microsoft - Virus:Win32/Sality.AM
Kaspersky - Virus.Win32.Sality.aa

Symptoms

W32.Sality shows the following symptoms:
• Modified System.ini files (check the modified date)
• Services listening on network port(s)
• Unexpected network traffic to one or more of the domains listed below
• No access to File Monitor
• Safe mode boot disabled
• regedit and Task Manager disabled
• Antivirus disabled

Characteristics

Upon execution, it starts a service that listens on a random UDP port and creates a copy of itself in the following path(s):
%Windir%\System32\Drivers\{random}.sys

It may parasitically infect *.exe and *.scr files on local, network and removable drives, except for files whose name contains one of the following strings:
• WINDOWS
• SYSTEM
• SYSTEM32

It downloads further malware from the following domains:
• 1.yimg.com
• Us.i1.yimg.com
• http://ad.yieldmanager.com
• mattfoll.eu.interia.pl
• bjerm.mass.hc.ru

It can also drop an Autorun.inf file to auto-execute itself.

[screenshot]

Once the sample is run, it immediately tries to hook into a randomly chosen running process, then connects to certain sites and downloads malware.
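A practical way to act on the download domains listed above is to sweep proxy logs for clients that contacted them. The script below is an added example and not part of the original write-up: it matches each logged host against the write-up's download hosts (exact host or subdomain) and the 89.111.173.114 address shown in the capture, over a constructed, simplified proxy log (timestamp, client IP, method, URL). The log format and the client addresses are assumptions for illustration; adapt the line parser to your proxy's real format.

```python
"""Flag proxy-log entries that contact the W32.Sality download hosts.

Added example, not part of the original write-up. The log format below is a
constructed, simplified proxy log (timestamp, client IP, method, URL).
"""
import re
from urllib.parse import urlsplit

# Download hosts named in the write-up (hostnames only, scheme stripped).
SALITY_DOWNLOAD_HOSTS = {
    "1.yimg.com",
    "us.i1.yimg.com",
    "ad.yieldmanager.com",
    "mattfoll.eu.interia.pl",
    "bjerm.mass.hc.ru",
}

# Address the write-up's capture shows the sample contacting on port 80.
SALITY_DOWNLOAD_IPS = {"89.111.173.114"}

# Constructed sample log lines (not real traffic); the last line is a
# look-alike host that must NOT match.
SAMPLE_LOG = """\
2009-10-01 10:12:01 10.0.0.15 GET http://bjerm.mass.hc.ru/logoh.gif
2009-10-01 10:12:03 10.0.0.15 GET http://www.example.com/index.html
2009-10-01 10:12:07 10.0.0.22 GET http://89.111.173.114/logoh.gif
2009-10-01 10:12:09 10.0.0.15 GET http://mattfoll.eu.interia.pl/
2009-10-01 10:12:11 10.0.0.31 GET http://notbjerm.mass.hc.ru.example.net/
"""

# timestamp (date + time), client IP, method, URL
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")


def host_matches(host, indicators):
    """True if host equals an indicator or is a subdomain of one.

    Suffix matching is anchored on a dot so that a host such as
    notbjerm.mass.hc.ru.example.net does not match bjerm.mass.hc.ru.
    """
    host = host.lower().rstrip(".")
    return any(host == ind or host.endswith("." + ind) for ind in indicators)


def scan_log(text):
    """Return (timestamp, client, host, url) for every line hitting an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the sweep
        ts, client, _method, url = m.groups()
        host = urlsplit(url).hostname or ""
        if host in SALITY_DOWNLOAD_IPS or host_matches(host, SALITY_DOWNLOAD_HOSTS):
            hits.append((ts, client, host, url))
    return hits


def infected_clients(text):
    """Sorted list of client IPs with at least one indicator hit."""
    return sorted({client for _ts, client, _host, _url in scan_log(text)})


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("HIT", *hit)
    print("clients to triage:", infected_clients(SAMPLE_LOG))
```

Treat hits on the yimg.com and yieldmanager.com hosts as weak evidence on their own, since those are widely used content-delivery and advertising domains; a client that also fetches from bjerm.mass.hc.ru or mattfoll.eu.interia.pl, or that shows the registry and process symptoms described in this write-up, is the one to triage first.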
[screenshot]

The screenshot above shows the virus connecting to IP 89.111.173.114 on port 80, establishing contact with "http://bjerm.mass.hc.ru" and downloading the file "logoh.gif".

Below is a screenshot of Sality hooking into "Notepad.exe":

[screenshot]

Note that Notepad.exe appears among the running processes even though the user never opened it (check the system tray). If this process is killed, Sality hooks into another process.

Common registry changes made by Sality

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr: 0x00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools

These disable regedit and Task Manager.

To make recovery harder for the victim, the registry keys in the following sub-trees are deleted; they need to be restored to their original configuration if the user requires them:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\*
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*

Common URLs accessed by Sality

The following domains need to be blocked at the firewall:
• hxxp://89.119.67.154
• hxxp://kukutrustnet777.info
• hxxp://kukutrustnet888.info
• hxxp://kukutrustnet987.info
• hxxp://www.kjwre9fqwieluoi.info
• hxxp://bpowqbvcfds677.info
• hxxp://bmakemegood24.com
• hxxp://bperfectchoice1.com
• hxxp://bcash-ddt.net
• hxxp://bddr-cash.net
• hxxp://btrn-cash.net
• hxxp://bmoney-frn.net
• hxxp://bclr-cash.net
• hxxp://bxxxl-cash.net
• hxxp://balsfhkewo7i487fksd.info
• hxxp://buynvf96.info
• 1.yimg.com
• Us.i1.yimg.com
• http://ad.yieldmanager.com
• mattfoll.eu.interia.pl
• bjerm.mass.hc.ru
• www.f5ds1jkkk4d.info
• www.g1ikdcvns3sdsal.info
• www.h7smcnrwlsdn34fgv.info
• www.inform1ongung.info
• www.kukutrustnet.org
• www.lukki6nd2kdnc.info

Rgrds,
SAM
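The registry changes described above (the two Policies\System values set to 1 and the SafeBoot sub-tree emptied) can be checked offline from a registry export taken with regedit or `reg export`. The script below is an added example, not part of the original write-up: it parses the text of a .reg file, reports the DisableTaskMgr / DisableRegistryTools values when they are 1, and reports the SafeBoot\Minimal and SafeBoot\Network sub-keys when they are absent. The two embedded exports are constructed for illustration (one resembling an infected host, one a clean host), and the assumption that a healthy install always carries the Minimal and Network sub-keys is the author's, not the write-up's.

```python
"""Check a Registry export for the W32.Sality artifacts named in the write-up.

Added example, not part of the original write-up. Parses regedit / `reg export`
text so it runs offline; both sample exports below are constructed.
"""
import re

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_VALUES = ("DisableTaskMgr", "DisableRegistryTools")
SAFEBOOT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
# Assumption: a healthy install always has these SafeBoot sub-keys.
SAFEBOOT_EXPECTED = ("Minimal", "Network")

# Constructed export resembling an infected host: policy values set,
# SafeBoot sub-keys gone.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
"""

# Constructed export resembling a clean host.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\Path]
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')  # "Name"=dword:hex


def parse_reg(text):
    """Map each key path (lower-cased) to a dict of its DWORD values.

    Only DWORD values are kept; string and default values are ignored, and a
    key with no DWORD values is still recorded so its presence can be tested.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def sality_registry_findings(text):
    """Return human-readable findings; an empty list means no artifact seen."""
    keys = parse_reg(text)
    findings = []
    policy = keys.get(POLICY_KEY.lower(), {})
    for name in POLICY_VALUES:
        if policy.get(name) == 1:
            findings.append(f"{name} set to 1 under {POLICY_KEY}")
    safeboot = SAFEBOOT_KEY.lower()
    for sub in SAFEBOOT_EXPECTED:
        if f"{safeboot}\\{sub.lower()}" not in keys:
            findings.append(f"SafeBoot\\{sub} sub-key missing (safe mode boot disabled)")
    return findings


if __name__ == "__main__":
    for line in sality_registry_findings(SAMPLE_REG) or ["no Sality registry artifacts"]:
        print(line)
```

Resetting the two policy values to 0 restores Task Manager and regedit, but the SafeBoot sub-tree cannot be recreated by hand from this check alone: export it from a clean machine running the same Windows version and import that, as the write-up's note about restoring the original configuration implies.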