Virus:Win32/Sality.T is a file infector that targets files with extensions .SCR or .EXE. This virus may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.
Installation
Upon execution, Virus:Win32/Sality.T drops its malicious code as the following files:
- <system folder>\wmdrtc32.dll
- <system folder>\wmdrtc32.dl_
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
It then creates the mutex "_kuku_joker_v4.00" to prevent more than one instance of itself running in memory at one time.
Spreads Via...
Infecting Files
Virus:Win32/Sality.T targets all files in drive C:, beginning with the root folder, that have file extensions of either .EXE or .SCR. It infects found files by adding a new code section to the host and inserting its malicious code into this newly added section.
Payload
Deletes Security-Related Files
This virus deletes security data files, such as detection patterns or signatures, that have the following file extensions:
.AVC
.KEY
.VDB
Terminates Security-Related Processes
This virus terminates processes that begin with any of the following strings, which are usually associated with security applications:
_AVPM.
ADVCHK.
AHNSD.
ALOGSERV
ANTI-TROJAN.
APVXDWIN.
ARMOR2NET.
ASHDISP.
ASHMAISV.
ASHPOPWZ.
ASHSERV.
ASHSKPCK.
ASHWEBSV.
ASWUPDSV.
ATCON.
AUTOTRACE.
AVCIMAN.
AVENGINE.
AVGAMSVR.
AVGCC.
AVGFWSRV.
AVGNT.
AVGNTMGR
AVINITNT.
AVKSERV.
AVKWCTL.
AVPUPD.
AVSCHED32.
AVWUPD32.
AVWUPSRV.
AVXMONITOR9X.
AVXMONITORNT.
AVXQUAR.
BDNEWS.
BDOESRV.
BDSUBMIT.
BDSWITCH.
BLACKD.
BLACKICE.
CAFIX.
CCPROXY.
CFIAUDIT.
CLAMTRAY.
CLAMWIN.
CLAW95CF.
CLEANER.
CLEANER3.
CLISVC.
CMGRDIAN.
DOORS.
DRWEB32W.
DRWEBSCD.
DRWEBUPW.
ESCANH95.
ESCANHNT.
EWIDOCTRL.
F-AGNT95.
FCH32.
FIRESVC.
FIREWALL.
FPAVUPDM.
F-PROT95.
FSAVGUI.
FSGK32.
FSGK32ST.
FSGUIEXE.
FSM32.
FSMB32.
FSPEX.
F-STOPW.
GCASSERV.
GIANTANTISPYWAREMAIN.
GIANTANTISPYWAREUPDATER.
GUARDNT.
IAMSERV.
ICLOADNT.
ICMON.
ICSSUPPNT.
ICSUPP95.
ICSUPPNT.
IFACE.
INORPC.
INORT.
IOMON98.
ISSVC.
KAVSTART.
KAVSVC.
KAVSVCUI.
KMAILMON.
KPFWSVC.
LOCKDOWN2000.
LOGWATNT.
LUALL.
MCAGENT.
MCREGWIZ.
MCUPDATE.
MCVSSHLD.
MINILOG.
MYAGTTRY.
NAVAPSVC.
NAVAPW32.
NAVLU32.
NDD32.
NISSERV
NISUM.
NORMIST.
NPAVTRAY.
NPFMNTOR.
NPFMSG.
NPROTECT.
NSCHED32.
NSMDTR.
NSSSERV.
NTXCONFIG.
NVC95.
NVCOD.
PAVFNSVR.
PAVKRE.
PAVPROT.
PAVPRSRV.
PAVSRV51.
PAVSS.
PCCIOMON.
PCCNTMON.
PCCPFW.
PCCTLCOM.
PCTAV.
PERTSK.
PERVAC.
PNMSRV.
POP3TRAP.
POPROXY.
QHONSVC.
QHWSCSVC.
RAVMON.
RAVTIMER.
REALMON.
RFWMAIN.
RTVSCAN.
RTVSCN95.
SAVADMINSERVICE.
SCANNINGPROCESS.
SHSTAT.
SITECLI.
SPHINX.
SPIDERML.
SPIDERNT.
SPIDERUI.
SPYBOTSD.
SPYXX.
SWAGENT.
SWNETSUP.
SYMLCSVC.
SYMPROXYSVC.
SYMWSC.
SYNMGR.
TAUMON.
TBMON.
TCA.
TCM.
TDS-3.
TEATIMER.
TFAK.
THAV.
THSM.
TMAS.
TMLISTEN.
TMNTSRV.
VBA32IFS.
VBA32LDR.
VBA32PP3.
VBSNTW.
VCHK.
VCRMON.
VETTRAY.
VRFWSVC.
VRRW32.
VSECOMR.
VSMON.
VSSTAT.
WATCHDOG.
WEBPROXY.
WEBSCANX.
WEBTRAP.
WINAW32.
WINSS.
XCOMMSVR.
ZATUTOR.
ZONEALARM.
Terminates Services
This virus terminates services that have the following names, which are usually associated with antivirus applications:
aswUpdSv
avast! Antivirus
avast! Mail Scanner
BlackICE
ccSetMgr
fsbwsys
fshttps
InoTask
KPF4
LavasoftFirewall
LIVESRV
McAfeeFramework
McShield
Outpost Firewall main module
PAVFIRES
PavPrSrv
PREVSRV
ProtoPort Firewall service
RapApp
SmcService
SNDSrvc
Symantec Core LC
Tmntsrv
UmxAgent
VSSERV
AVP
Downloads Files
This virus may connect to remote websites to download and execute additional and possibly malicious programs. It checks for Internet access by attempting a connection with the domain www.microsoft.com. If a successful connection is made, Win32/Sality.T may connect to pages within the website "kukutrustnet666.info" and attempt to download files.
Downloaded files are saved and run in the %TEMP% folder.
Analysis by Francis Allan Tan Seng