The List of Registry Values Changed by Win32/Sality.


Modified from Viruscontra
In my previous post (Win32/Sality), I introduced you to Win32/Sality. Now I'll tell you about some of the registry values that may be changed by Win32/Sality.
Take note of the following entries:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"GlobalUserOffline" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
The virus also removes entries under the following registry sub keys:

  1. HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
  3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
  4. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
  5. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  6. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Sality.AA disables the Windows Firewall by running the command netsh firewall set opmode disable.
It may also disable settings related to system security. It does this by adding the following registry entries:
  1. HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = dword:00000001
  2. HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = dword:00000001
  3. HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = dword:00000001
  4. HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride = dword:00000001
  5. HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = dword:00000001
  6. HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify = dword:00000001
  7. HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = dword:00000001
  8. HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify = dword:00000001
  9. HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = dword:00000001
  10. HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = dword:00000001
  11. HKLM\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify = dword:00000001
  12. HKLM\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify = dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = 2: the virus uses this registry entry to hide folders and files so they are not displayed in the Windows Explorer view.
It also disables Registry Editor and Task Manager by adding these registry entries:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr = dword:00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = dword:00000001
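The entries above are easy to check for in bulk. The following PowerShell script is an added example written for this post; it is not code from the original post or from Viruscontra. It reads the registry values listed above, reports any that hold the value Sality is described as setting, reports the SafeBoot keys as missing if the virus has deleted them, and checks the firewall state. It is read-only, so it does not alter anything on the host. It assumes it is run in an elevated PowerShell on the suspect machine, that the SafeBoot\Minimal and SafeBoot\Network sub keys are the standard ones Windows ships with, and that netsh prints its output in English (the string match on "State OFF" is an assumption about that output).

```powershell
# Added example, not part of the original post: read-only audit of the
# Sality-related registry indicators listed above. Run as Administrator.
# Paths and value names are those given in the post; the "Bad" value is the
# one the post says Sality writes.

$indicators = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'GlobalUserOffline';    Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';  Name = 'EnableLUA';            Bad = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';               Bad = 2 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';  Name = 'DisableTaskMgr';       Bad = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';  Name = 'DisableRegistryTools'; Bad = 1 }
)

# The twelve Security Center overrides use the same six value names under two keys.
$scNames = 'AntiVirusOverride', 'AntiVirusDisableNotify', 'FirewallDisableNotify',
           'FirewallOverride', 'UpdatesDisableNotify', 'UacDisableNotify'
foreach ($base in 'HKLM:\SOFTWARE\Microsoft\Security Center',
                  'HKLM:\SOFTWARE\Microsoft\Security Center\Svc') {
    foreach ($n in $scNames) {
        $indicators += @{ Path = $base; Name = $n; Bad = 1 }
    }
}

$findings = @()

# Values that exist AND hold the value Sality sets are reported; absent values are normal.
foreach ($i in $indicators) {
    $item = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($i.Name) -eq $i.Bad) {
        $findings += [pscustomobject]@{
            Indicator = "$($i.Path)\$($i.Name)"
            Value     = $item.($i.Name)
        }
    }
}

# For the SafeBoot keys the indicator is absence: the post says the virus removes them.
# Assumption: Minimal and Network are the standard sub keys present on a clean system.
$mustExist = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
             'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
foreach ($k in $mustExist) {
    if (-not (Test-Path -Path $k)) {
        $findings += [pscustomobject]@{ Indicator = $k; Value = 'MISSING' }
    }
}

# The post says the firewall is switched off with "netsh firewall set opmode disable".
# Assumption: English-locale netsh output, where a disabled profile prints "State OFF".
$fwState = (& netsh advfirewall show allprofiles state 2>$null) -join "`n"
if ($fwState -match 'State\s+OFF') {
    $findings += [pscustomobject]@{ Indicator = 'Windows Firewall profile'; Value = 'OFF' }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Sality registry indicators from the post were found.'
} else {
    Write-Output "$($findings.Count) indicator(s) found:"
    $findings | Format-Table -AutoSize
}
```

The script deliberately reports rather than repairs: flipping EnableLUA or DisableTaskMgr back while the infected files are still present only gets them set again on the next run, and a read-only pass keeps the evidence intact for whoever does the cleanup.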
Sality.AA terminates the regular anti-virus services running on the system, and prevents access to websites whose names contain strings such as sality_remove, viruscan, sophos, mcafee, eset.com, kaspersky, onlinescan, and the like...
The device driver is not dropped and installed onto the system unless there is an active internet connection.
The virus may prevent execution of applications that perform integrity self-check as a result of them being infected.
So, my friend, the easiest way to tackle this virus is to remove the above-mentioned virus entry doors from the registry and delete those .DLL files from the system.
I'll show you how to do it in my next post...
Bravo blogger Indonesia
Please say thanks to Viruscontra