Win32/Sality


Re-posted from viruscontra
Hi, I'm just trying to do better than ever...
Sality is a polymorphic file infector with backdoor and keylogging components. It infects executable files by writing its own code into the host file. Once installed, Sality infects local executables and deletes files belonging to anti-virus, anti-spyware and firewall products. It then runs a keylogging module that gathers system and network information, records user names and passwords and other sensitive data, and sends everything it collects to a predefined email address.
In addition, Sality opens a backdoor that gives a remote attacker full control of the infected computer, which puts any financial or banking information stored on it at serious risk.
Also known as: W32/Sality (McAfee), Virus.Win32.Sality.aa (Kaspersky), W32.Sality.AE (Symantec), Virus:Win32/Sality.AM (MS OneCare), PE_SALITY.EM (Trend)


W32/Sality is a parasitic virus that infects Win32 PE executable files. It is polymorphic and spreads by file infection: it looks for Win32 PE executables with .EXE or .SCR extensions and infects any it finds on the system by appending the virus body to the host file.
The virus also tries to propagate by copying itself under a random filename to network drives and to all removable drives. Sality.AA also writes an autorun.inf file on those drives so that the copy runs when the drive is opened on a system with AutoRun enabled.
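A file infector that appends its body to the host and redirects execution leaves marks in the PE headers that a triage script can look for. The script below is an added example written for this page, not code from viruscontra or from any anti-virus product; it parses just enough of the PE32/PE32+ headers to flag an entry point in the last section, a writable-and-executable last section, and an overlay past the last section's raw data. The two sample files it checks are constructed in build_sample_pe (valid headers, no real code) so the script runs offline; the three heuristics are generic signs of appending infectors, not a Sality signature.

```python
"""
Heuristic triage for PE files that may carry an appended file-infector body.

Added example for this page, not code from viruscontra or any AV product.
Checks three things an infector that appends itself and redirects execution
typically changes in the host:
  1. the entry point lands in the LAST section rather than the first code section
  2. that last section is marked writable AND executable
  3. bytes sit past the end of the last section's raw data (an overlay)
Packers such as UPX also trigger (1) and (2), so a hit means "look closer",
not "infected".
"""
import struct
from dataclasses import dataclass

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_pointer: int
    raw_size: int
    characteristics: int

    def contains_rva(self, rva):
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


def parse_sections(data):
    """Return (entry_point_rva, [Section, ...]); raise ValueError if not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = pe_off + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                     # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i                   # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(Section(name, vaddr, vsize, rptr, rsize, chars))
    return entry_rva, sections


def triage(data):
    """Return a list of findings; an empty list means none of the three signs is present."""
    entry_rva, sections = parse_sections(data)
    if not sections:
        return ["file has no sections"]
    findings = []
    last = sections[-1]
    ep_section = next((s for s in sections if s.contains_rva(entry_rva)), None)
    if ep_section is None:
        findings.append(f"entry point 0x{entry_rva:x} lies outside every section")
    elif ep_section is last and len(sections) > 1:
        findings.append(f"entry point 0x{entry_rva:x} is in the last section '{last.name}'")
    if last.characteristics & IMAGE_SCN_MEM_WRITE and last.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"last section '{last.name}' is writable and executable")
    end_of_sections = max(s.raw_pointer + s.raw_size for s in sections)
    if len(data) > end_of_sections:
        findings.append(f"{len(data) - end_of_sections} bytes of overlay past the last section")
    return findings


def build_sample_pe(entry_rva, last_section_chars, overlay=b""):
    """Constructed two-section PE32 for the demo (valid headers, no real code)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)   # i386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)          # AddressOfEntryPoint
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment
    headers = b""
    #            name          VirtSize VirtAddr RawSize RawPtr Characteristics
    for name, vsize, vaddr, rsize, rptr, chars in (
            (b".text\0\0\0", 0x1000, 0x1000, 0x200, 0x200, 0x60000020),   # code, r-x
            (b".last\0\0\0", 0x1000, 0x2000, 0x200, 0x400, last_section_chars)):
        headers += name + struct.pack("<IIIIIIHHI", vsize, vaddr, rsize, rptr, 0, 0, 0, 0, chars)
    image = bytearray(bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers)
    image += b"\0" * (0x600 - len(image))               # pad through both sections' raw data
    return bytes(image) + overlay


if __name__ == "__main__":
    clean = build_sample_pe(0x1010, 0x40000040)                   # EP in .text, .last is read-only data
    infected = build_sample_pe(0x2040, 0xE0000020, b"\x90" * 64)  # EP in rwx .last plus 64-byte overlay
    for label, sample in (("clean-looking", clean), ("appended-body", infected)):
        print(label, triage(sample) or ["no findings"])
```

Run it over a directory of .exe and .scr files by reading each file into triage(); files that return an empty list still need a signature scan, because an entry-point-obscuring variant that patches code inside the original .text section leaves these three header checks untouched.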
Upon execution, it drops the following files into the Windows system directory:
  • %Windir%\System32\Hdaudprop.dll
  • %Windir%\System32\Hdaudpropres.dll
  • %Windir%\System32\Hdaudpropshortcut.exe
  • %Windir%\System32\drivers\Hdaudbus.sys
  • %Windir%\System32\drivers\Hdaudio.sys
  • %Windir%\System32\drivers\portcls.sys
Note that Hdaudbus.sys, Hdaudio.sys and portcls.sys are also the names of legitimate Windows audio drivers, so the presence of these file names alone proves nothing; compare the files' hashes or digital signatures against known-good copies.
It creates or modifies the following registry keys and values (the last two are values rather than keys: EnableLUA controls User Account Control and GlobalUserOffline controls Internet Explorer's work-offline mode, so check their data, not just their presence):
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WMI_MFC_TPSHOCKER_80
  • HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\IPFILTERDRIVER
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
It also downloads further malware from the following domains:
  1. bpowqbvcfds677.info
  2. aapowqbvcfds677.info
  3. abpowqbvcfds677.info
  4. d98dc9.bpowqbvcfds677.info
  5. bmakemegood24.com
  6. d99395.bmakemegood24.com
  7. bbeakemegood24.com
  8. bperfectchoice1.com
  9. d998b6.bperfectchoice1.com
  10. cbparfectchoice1.com
  11. cbpbrfectchoice1.com
  12. bcash-ddt.net
  13. d9aab7.bcash-ddt.net
  14. pzrk.ru
  15. dbcabh-ddt.net
  16. bddr-cash.net
  17. ebddrbcash.net
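The domain list above is only useful if it is matched correctly: four of the names are subdomains of other names on the list, and a naive substring match would also hit unrelated names that merely end in the same characters. The script below is an added example written for this page (not tooling from viruscontra or any vendor) that reduces the list to its shortest suffixes and sweeps DNS query logs for whole-label matches. The log line format and the sample queries are constructed for the demo; the indicator list is the one on the page.

```python
"""
Sweep DNS query logs for the Sality download domains listed above.

Added example for this page, not tooling from viruscontra or any vendor. The
log line format and the sample queries are constructed; the indicator list is
the page's. Several listed names are subdomains of other listed names
(d98dc9.bpowqbvcfds677.info under bpowqbvcfds677.info), so the indicators are
reduced to their shortest suffixes and queries are matched on whole labels:
"x.bpowqbvcfds677.info" hits, "notbpowqbvcfds677.info" does not.
"""
SALITY_DOMAINS = [
    "bpowqbvcfds677.info", "aapowqbvcfds677.info", "abpowqbvcfds677.info",
    "d98dc9.bpowqbvcfds677.info", "bmakemegood24.com", "d99395.bmakemegood24.com",
    "bbeakemegood24.com", "bperfectchoice1.com", "d998b6.bperfectchoice1.com",
    "cbparfectchoice1.com", "cbpbrfectchoice1.com", "bcash-ddt.net",
    "d9aab7.bcash-ddt.net", "pzrk.ru", "dbcabh-ddt.net", "bddr-cash.net",
    "ebddrbcash.net",
]


def normalize(name):
    """Lower-case and drop the trailing dot that resolver logs often keep."""
    return name.strip().rstrip(".").lower()


def suffix_indicators(domains):
    """Drop any indicator that is a subdomain of another, keeping the shortest suffixes."""
    kept = []
    for name in sorted({normalize(d) for d in domains}, key=len):
        if not any(name == k or name.endswith("." + k) for k in kept):
            kept.append(name)
    return kept


def match(query, indicators):
    """Return the indicator a query falls under, or None. Requires a '.' label boundary."""
    q = normalize(query)
    for ind in indicators:
        if q == ind or q.endswith("." + ind):
            return ind
    return None


def scan_dns_log(lines, indicators):
    """Constructed log format: '<timestamp> <client-ip> query <qname>'.
    Returns (client, qname, indicator) tuples for every matching line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or fields[2] != "query":
            continue
        ind = match(fields[3], indicators)
        if ind is not None:
            hits.append((fields[1], normalize(fields[3]), ind))
    return hits


# Constructed sample log: a benign lookup, two listed names, a near-miss name, and a bare indicator.
SAMPLE_LOG = [
    "2010-03-01T10:00:01 10.0.0.12 query www.example.com",
    "2010-03-01T10:00:05 10.0.0.12 query D98DC9.bpowqbvcfds677.info.",
    "2010-03-01T10:00:07 10.0.0.33 query bperfectchoice1.com",
    "2010-03-01T10:00:09 10.0.0.33 query notbpowqbvcfds677.info",
    "2010-03-01T10:00:11 10.0.0.40 query pzrk.ru",
]

if __name__ == "__main__":
    inds = suffix_indicators(SALITY_DOMAINS)
    for client, qname, ind in scan_dns_log(SAMPLE_LOG, inds):
        print(f"{client} queried {qname} (indicator: {ind})")
```

These names date from the Sality.AA/AE era, so before acting on a hit check whether the domain still resolves and who holds it now; a sinkholed or re-registered domain still tells you a host is infected, but not that it is talking to the original operators.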
Too long, huh? I think that's enough for this time; maybe next time we'll give you the rest. Leave your comment for a better post in the future...
Say thanks to viruscontra please!

1 comment:

  1. The Win32/Sality virus is the one that most often hangs around on computers. Good thing these tips exist. Thanks for sharing, Mr. Galih
