Installation
Most variants of Win32/Sality drop a DLL onto your PC. For example, we have seen variants use the following file names:
- <system folder>\wmdrtc32.dll - this file contains the bulk of the virus code
- <system folder>\wmdrtc32.dl_ - this is a compressed copy of the virus code
Some variants of Sality, like Virus:Win32/Sality.AM, do not drop the DLL but instead load it entirely in memory without writing it to disk. This variant, along with others, also drops a driver with a random file name in the folder <system folder>\drivers. The driver is detected as Trojan:WinNT/Sality (see the "Payload - Drops other components" section below).
Sality may be dropped by other malware, including other Sality variants. For example, a Sality variant detected as Virus:Win32/Sality.AU is dropped by Worm:Win32/Sality.AU.
We have also observed the Sality variant Virus:Win32/Sality.G being dropped by a member of the Win32/Bagle family of mass-mailing worms: Worm:Win32/Bagle.IF@mm.
Spreads through
File infection
Win32/Sality usually targets all files in drive C: that have .exe or .scr file extensions, beginning with the root folder, and injects its code into them. Infected files increase in size by a varying amount.
The virus also targets programs that run at each Windows start and frequently used applications by checking the following registry keys:
- HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Win32/Sality avoids infecting the following categories of files so that it remains hidden:
- Files protected by System File Checker (SFC)
- Files under the %SystemRoot% folder
- The executable files of several antivirus and firewall products; in particular it avoids infecting files with names containing any of the following words:
_AVPM A2GUARD AAVSHIELD ADVCHK AHNSD AIRDEFENSE ALERTSVC ALOGSERV ALSVC AMON ANTI-TROJAN ANTIVIR APVXDWIN ARMOR2NET ASHAVAST ASHDISP ASHENHCD ASHMAISV ASHPOPWZ ASHSERV ASHSIMPL ASHSKPCK ASHWEBSV ASWUPDSV ATCON ATUPDATER ATWATCH AVAST AVCENTER AVCIMAN AVCONSOL AVENGINE AVESVC AVGAMSVR AVGCC AVGCC32 AVGCTRL AVGEMC AVGFWSRV AVGNT AVGNTDD AVGNTMGR AVGSERV AVGUARD AVGUPSVC AVINITNT AVKSERV AVKSERVICE AVKWCTL AVP AVP32 AVPCC AVPM AVSCHED32 AVSERVER AVSYNMGR AVWUPD32 AVWUPSRV AVXMONITOR9X AVXMONITORNT AVXQUAR AVZ BDMCON BDNEWS BDSUBMIT BDSWITCH BLACKD BLACKICE CAFIX CCAPP CCEVTMGR CCPROXY CCSETMGR CFIAUDIT CLAMTRAY
CLAMWIN CLAW95 CUREIT DEFWATCH DRVIRUS DRWADINS DRWEB32W DRWEBSCD DRWEBUPW DWEBIO DWEBLLIO EKRN ESCANH95 ESCANHNT EWIDOCTRL EZANTIVIRUSREGISTRATIONCHECK F-AGNT95 FAMEH32 FILEMON FIRESVC FIRETRAY FIREWALL FPAVUPDM F-PROT95 FRESHCLAM FSAV32 FSAVGUI FSBWSYS F-SCHED FSDFWD FSGK32 FSGK32ST FSGUIEXE FSMA32 FSMB32 FSPEX FSSM32 F-STOPW GCASDTSERV GCASSERV GIANTANTISPYWAREMAIN GIANTANTISPYWAREUPDATER GUARDGUI GUARDNT HREGMON HRRES HSOCKPE HUPDATE IAMAPP IAMSERV ICLOAD95 ICLOADNT ICMON ICSSUPPNT ICSUPP95 ICSUPPNT IFACE INETUPD INOCIT INORPC INORT INOTASK INOUPTNG IOMON98 ISAFE ISATRAY ISRV95 ISSVC KAV KAVMM KAVPF KAVPFW KAVSTART KAVSVC KAVSVCUI
KMAILMON KPFWSVC MCAGENT MCMNHDLR MCREGWIZ MCUPDATE MCVSSHLD MINILOG MYAGTSVC MYAGTTRY NAVAPSVC NAVAPW32 NAVLU32 NAVW32 NEOWATCHLOG NEOWATCHTRAY NISSERV NISUM NMAIN NOD32 NORMIST NOTSTART NPAVTRAY NPAVTRAY NPFMNTOR NPFMSG NPROTECT NSCHED32 NSMDTR NSSSERV NSSTRAY NTOS NTRTSCAN NTXCONFIG NUPGRADE NVCOD NVCTE NVCUT NWSERVICE OFCPFWSVC OP_MON OUTPOST PAVFIRES PAVFNSVR PAVKRE PAVPROT PAVPROXY PAVPRSRV PAVSRV51 PAVSS PCCGUIDE PCCIOMON PCCNTMON PCCPFW PCCTLCOM PCTAV PERSFW PERTSK PERVAC PNMSRV POP3TRAP POPROXY PREVSRV PSIMSVC QHM32 QHONLINE QHONSVC QHPF QHWSCSVC RAVMON RAVTIMER RFWMAIN RTVSCAN RTVSCN95 RULAUNCH
SALITY SAVADMINSERVICE SAVMAIN SAVPROGRESS SAVSCAN SCANNINGPROCESS SDHELP SHSTAT SITECLI SPBBCSVC SPHINX SPIDERCPL SPIDERML SPIDERNT SPIDERUI SPYBOTSD SPYXX SS3EDIT STOPSIGNAV SWAGENT SWDOCTOR SWNETSUP SYMLCSVC SYMPROXYSVC SYMSPORT SYMWSC SYNMGR TAUMON TBMON TFAK THAV THSM TMAS TMLISTEN TMNTSRV TMPFW TMPROXY TNBUTIL TRJSCAN UP2DATE VBA32ECM VBA32IFS VBA32LDR VBA32PP3 VBSNTW VCHK VCRMON VETTRAY VIRUSKEEPER VPTRAY VRFWSVC VRMONNT VRMONSVC VRRW32 VSECOMR VSHWIN32 VSMON VSSERV VSSTAT WATCHDOG WEBPROXY WEBSCANX WEBTRAP WGFE95 WINAW32 WINROUTE WINSS WINSSNOTIFY WRCTRL XCOMMSVR ZAUINST ZLCLIENT ZONEALARM
Removable drives and network shares
Some Sality variants can infect legitimate files which are then moved to available removable drives and shared network folders.
One of the following legitimate files, if it exists, is copied into the %TEMP% folder, then infected:
The resulting infected file is then moved to the root of all available removable drives and network shares as any of the following:
- \<random file name>.pif
- \<random file name>.exe
- \<random file name>.cmd
The Sality variant also creates an autorun.inf file in the root of all these drives that points to the infected file. When a drive is accessed from a PC supporting the Autorun feature, the file is launched automatically.
This is particularly common malware behavior, generally used in order to spread malware from PC to PC.
It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media.
Payload
Deletes security-related files
Sality variants usually try to delete files related to antivirus updates, like those with the following file extensions:
Some variants, like Virus:Win32/Sality.G, try to delete files that have the following strings in their file names:
- AHEAD
- ALER
- ANDA
- ANTI 0
- CLEAN
- GUAR
- OUTP
- SCAN
- TOTAL
- TREN
- TROJ
- ZONE
Ends or closes security-related processes
Win32/Sality commonly searches for and tries to end or close security applications, particularly antivirus and personal firewall programs. It targets applications whose names contain the same strings as the files it avoids infecting (see the "Spreads through" section above).
It also searches for and tries to close processes that contain or load modules that have the following substrings:
It may also close the following security-related services:
acssrv Agnitum Client Security Service ALG Amon monitor aswFsBlk aswMon2 aswRdr aswSP aswTdi aswUpdSv AV Engine avast! Antivirus avast! Asynchronous Virus Monitor avast! iAVS4 Control Service avast! Mail Scanner avast! Self Protection avast! Web Scanner AVG E-mail Scanner Avira AntiVir Premium Guard Avira AntiVir Premium MailGuard Avira AntiVir Premium WebGuard AVP avp1 BackWeb Plug-in - 4476822 bdss BGLiveSvc BlackICE CAISafe ccEvtMgr ccProxy ccSetMgr cmdAgent
cmdGuard COMODO Firewall Pro Sandbox Driver Eset HTTP Server Eset Personal Firewall Eset Service F-Prot Antivirus Update Monitor fsbwsys FSDFWD F-Secure Gatekeeper Handler Starter FSMA Google Online Services InoRPC InoRT InoTask ISSVC KLIF KPF4 LavasoftFirewall LIVESRV McAfeeFramework McShield McTaskManager navapsvc NOD32krn NPFMntor NSCService Outpost Firewall main module OutpostFirewall PAVFIRES PAVFNSVR PavProt PavPrSrv
PAVSRV PcCtlCom PersonalFirewal PREVSRV ProtoPort Firewall service PSIMSVC RapApp SavRoam SmcService SNDSrvc SPBBCSvc SpIDer FS Monitor for Windows NT SpIDer Guard File System Monitor SPIDERNT Symantec AntiVirus Symantec AntiVirus Definition Watcher Symantec Core LC Symantec Password Validation tcpsr Tmntsrv TmPfw tmproxy UmxAgent UmxCfg UmxLU UmxPol vsmon VSSERV WebrootDesktopFirewallDataService WebrootFirewall XCOMM
Blocks access to security-related domains
Some Win32/Sality variants block access to any URL containing any of these words or phrases:
- agnmitum
- bitdefender
- cureit
- drweb
- eset.com
- etrust.com
- ewido
- f-secure
- kaspersky
- mcafee
- onlinescan.
- pandasoftware
- sality-remov
- sophos
- spywareguide
- spywareinfo
- symantec
- trendmicro
- upload_virus
- virusinfo
- virusscan
- virustotal
- windowsecurity
Steals sensitive information
Some Win32/Sality variants can steal passwords you've stored on your PC and can log keystrokes you enter. For example, in the wild we have observed Virus:Win32/Sality.AT downloading and running TrojanSpy:Win32/Keatep.B, which steals FTP server credentials.
We've also observed Virus:Win32/Sality.G dropping a component - Virus:Win32/Sality.G.dll - that logs keystrokes and steals passwords and information about your PC, like the domain it is connected to and the PC's name, and sends it to a remote server, like:
- kukunet11581q.com
- rus0396kuku.com
Downloads and runs other files
Win32/Sality variants usually try to download and run other files. They may first try to connect to www.microsoft.com to check for Internet connectivity. These files may include other malware, like TrojanSpy:Win32/Keatep.B.
The files are downloaded into the %TEMP% folder and decrypted using one of several hardcoded passwords, which include:
- GdiPlus.dll
- kukutrusted!.
The following is a list of domains to which Win32/Sality might connect to and download files from:
- bpfq02.com
- f5ds1jkkk4d.info
- g1ikdcvns3sdsal.info
- h7smcnrwlsdn34fgv.info
- hkukud123ncs.info
- inform1ongung.info
- klkjwre77638dfqwieuoi888.info
- kukutrustnet.info
- kukutrustnet.org
- kukutrustnet777888 .info/
- lukki6nd2kdnc.info
Injects code into running processes
Most of the payload of Win32/Sality runs in the context of other processes. This makes cleaning harder and lets the malware bypass some firewalls. To avoid injecting the same process more than once, a system-wide mutex named <process name>.exeM_<process ID>_ is created for every process into which code is injected.
Prevents Windows from booting up in Safe Mode
Win32/Sality variants recursively delete all registry values and data under the following registry subkeys, preventing you from starting Windows in Safe Mode:
- HKCU\System\CurrentControlSet\Control\SafeBoot
- HKLM\System\CurrentControlSet\Control\SafeBoot
Drops other components
Some variants of Win32/Sality drop a driver with a random file name in the folder <system folder>\drivers. The driver is detected as Trojan:WinNT/Sality. Its purpose is to:
- Close or end security-related processes - Trojan:WinNT/Sality ends processes to bypass the self-protection of some antivirus programs
- Block access to security-related websites - Trojan:WinNT/Sality denies access to a list of hardcoded URLs. This technique works only on Windows XP, Windows 2003, and Windows 2000
- Disable SSDT hooks - Trojan:WinNT/Sality removes SSDT hooks to prevent certain security products from working properly; SSDT hooks are often used by security programs to function properly
Changes %SystemRoot%\system.ini
Win32/Sality adds the following section to the configuration file %SystemRoot%\system.ini:
[MCIDRV_VER]
DEVICEMB=<random string>
The section acts as an infection marker.
Connects to a peer-to-peer (P2P) network
PCs infected with some versions of Win32/Sality, like Virus:Win32/Sality.AT, and Virus:Win32/Sality.AU, connect to other infected PCs by joining a peer-to-peer (P2P) network. From other PCs in the P2P network, they receive URLs pointing to additional malware components.
The P2P network uses UDP connections from your PC to the network. All the messages exchanged on the P2P network are encrypted. The local UDP port number used to connect to the network is derived from the PC name. At the time of analysis, we were unable to confirm the nature of the messages.
Lowers PC security
Win32/Sality variants may try to lower Windows security.
Some variants may run the following netsh command to disable the Windows Firewall:
- netsh firewall set opmode disable
Variants may also make the following changes to the registry to change or lower security settings:
- Disable User Account Control (UAC):
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"
- Change Windows Firewall settings to allow the malware's Internet communication:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<Win32/Sality file name>"
With data: "<Win32/Sality file name>:*:enabled:ipsec"
- Disable Windows Firewall:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
With data: "0"
- Redirect netsh event tracing session logging:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
Sets value: "LogSessionName"
With data: "stdout"
- Turn off monitoring of the installed antivirus software from within the Microsoft Security Center:
In subkeys:
HKLM\SOFTWARE\Microsoft\Security Center
HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "AntiVirusOverride"
With data: "1"
- Turn off security alerts in Windows Security Center:
In subkeys:
HKLM\SOFTWARE\Microsoft\Security Center
HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets values:
"FirewallDisableNotify"
"UacDisableNotify"
"UpdatesDisableNotify"
With data: "1"
- Disable Windows Task Manager:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: "1"
- Turn "Offline Mode" off in Microsoft Internet Explorer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "GlobalUserOffline"
With data: "0"
- Let hidden files remain hidden:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "2"
- Prevent access to registry editing tools like regedit:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: "1"
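The following is an added example (not part of the original entry or Microsoft's tooling) of a defender-side check for two of the artifacts described above: the registry values Sality sets to lower security, and the [MCIDRV_VER] infection marker it writes to system.ini. It works on a pre-collected registry snapshot (a dict of (subkey, value name) -> data) so it runs offline; collecting that snapshot from a live host with winreg is assumed and not shown, and the sample data is constructed.

```python
import configparser

# Registry changes listed on this page under "Lowers PC security":
# (subkey, value name, data Sality writes). Subkeys are quoted as published.
_SC = r"HKLM\SOFTWARE\Microsoft\Security Center"
SALITY_REG_INDICATORS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "0"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "EnableFirewall", "0"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh",
     "LogSessionName", "stdout"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "1"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", "1"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings", "GlobalUserOffline", "0"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", "2"),
] + [
    # Both "Security Center" and "Security Center\Svc" are written, per the page.
    (_SC + sub, name, "1")
    for sub in ("", r"\Svc")
    for name in ("AntiVirusOverride", "FirewallDisableNotify",
                 "UacDisableNotify", "UpdatesDisableNotify")
]


def check_registry(snapshot):
    """Return 'subkey\\value=data' for every indicator found with Sality's data.

    snapshot maps (subkey, value name) -> data (DWORDs as ints or decimal text),
    collected beforehand, e.g. with winreg on a live host (assumed, not shown)."""
    norm = {(k.lower(), v.lower()): str(d) for (k, v), d in snapshot.items()}
    return [f"{sub}\\{name}={data}" for sub, name, data in SALITY_REG_INDICATORS
            if norm.get((sub.lower(), name.lower())) == data]


def has_mcidrv_marker(system_ini_text):
    """True if system.ini carries Sality's [MCIDRV_VER] section with a DEVICEMB value."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.read_string(system_ini_text)
    return cp.has_section("MCIDRV_VER") and cp.has_option("MCIDRV_VER", "DEVICEMB")


# Constructed sample data (not from a real host): two Sality-style registry
# changes, one benign value (Hidden=1 shows hidden files), and a marked system.ini.
SAMPLE_SNAPSHOT = {
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"): 0,
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): 1,
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden"): 1,
}
SAMPLE_SYSTEM_INI = "; constructed sample\n[drivers]\nwave=mmdrv.dll\n[MCIDRV_VER]\nDEVICEMB=5fk3j9q2\n"
```

Registry data values are compared as strings, so a DWORD read back as 0 and the page's "0" match; a value that exists with different data (like Hidden=1) is not reported.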
Analysis by Hamish O'Dea, Edgardo Diaz Jr, and Horea Coroiu