Installation
Sality.AT drops a device driver to the following location:
%SystemRoot%\system32\drivers\amsint32.sys
We detect this driver as Trojan:WinNT/Sality.
The virus creates and starts a system service named amsint32 to run the dropped driver component. Sality.AT communicates with the driver component to restore the system service descriptor table (SSDT).
Spreads through…
File infection
Sality.AT injects code into all running processes to load and run the virus, and infects Windows executable files with the extension .EXE or .SCR. The virus looks for further target files by reading the file names found in the following registry subkeys:
- HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sality.AT does not infect files protected by SFC, or files whose name starts with one of the following strings:
_AVPM. | AVWUPSRV. | GUARDGUI. | NPROTECT. | SITECLI.
A2GUARD. | AVXMONITOR9X. | GUARDNT. | NSCHED32. | SPBBCSVC.
AAVSHIELD. | AVXMONITORNT. | HREGMON. | NSMDTR. | SPHINX.
AVAST | AVXQUAR. | HRRES. | NSSSERV. | SPIDERCPL.
ADVCHK. | BDMCON. | HSOCKPE. | NSSTRAY. | SPIDERML.
AHNSD. | BDNEWS. | HUPDATE. | NTRTSCAN. | SPIDERNT.
AIRDEFENSE | BDSUBMIT. | IAMAPP. | NTOS. | SPIDERUI.
ALERTSVC | BDSWITCH. | IAMSERV. | NTXCONFIG. | SPYBOTSD.
ALOGSERV | BLACKD. | ICLOAD95. | NUPGRADE. | SPYXX.
ALSVC. | BLACKICE. | ICLOADNT. | NVCOD. | SS3EDIT.
AMON. | CAFIX. | ICMON. | NVCTE. | STOPSIGNAV.
ANTI-TROJAN. | CCAPP. | ICSSUPPNT. | NVCUT. | SWAGENT.
AVZ. | CCEVTMGR. | ICSUPP95. | NWSERVICE. | SWDOCTOR.
ANTIVIR | CCPROXY. | ICSUPPNT. | OFCPFWSVC. | SWNETSUP.
APVXDWIN. | CCSETMGR. | IFACE. | OUTPOST | SYMLCSVC.
ARMOR2NET. | CFIAUDIT. | INETUPD. | OP_MON. | SYMPROXYSVC.
ASHAVAST. | CLAMTRAY. | INOCIT. | PAVFIRES. | SYMSPORT.
ASHDISP. | CLAMWIN. | INORPC. | PAVFNSVR. | SYMWSC.
ASHENHCD. | CLAW95. | INORT. | PAVKRE. | SYNMGR.
ASHMAISV. | CUREIT | INOTASK. | PAVPROT. | TAUMON.
ASHPOPWZ. | DEFWATCH. | INOUPTNG. | PAVPROXY. | TBMON.
ASHSERV. | DRVIRUS. | IOMON98. | PAVPRSRV. | AVAST
ASHSIMPL. | DRWADINS. | ISAFE. | PAVSRV51. | TMLISTEN.
ASHSKPCK. | DRWEB32W. | ISATRAY. | PAVSS. | TMNTSRV.
ASHWEBSV. | DRWEBSCD. | ISRV95. | PCCGUIDE. | TMPFW.
ASWUPDSV. | DRWEBUPW. | ISSVC. | PCCIOMON. | TMPROXY.
ATCON. | DWEBLLIO | KAV. | PCCNTMON. | TNBUTIL.
ATUPDATER. | DWEBIO | KAVMM. | PCCPFW. | TRJSCAN.
ATWATCH. | ESCANH95. | KAVPF. | PCCTLCOM. | UP2DATE.
AVCIMAN. | ESCANHNT. | KAVPFW. | PCTAV. | VBA32ECM.
AVCONSOL. | EWIDOCTRL. | KAVSTART. | PERSFW. | VBA32IFS.
AVENGINE. | EZANTIVIRUSREGISTRATIONCHECK. | KAVSVC. | PERTSK. | VBA32LDR.
AVESVC. | F-AGNT95. | KAVSVCUI. | PERVAC. | VBA32PP3.
AVGAMSVR. | FAMEH32. | KMAILMON. | PNMSRV. | VBSNTW.
AVGCC. | FILEMON | KPFWSVC. | POP3TRAP. | VCRMON.
AVGCC32. | FIRESVC. | MCAGENT. | POPROXY. | VPTRAY.
AVGCTRL. | FIRETRAY. | MCMNHDLR. | PREVSRV. | VRFWSVC.
AVGEMC. | FIREWALL. | MCREGWIZ. | PSIMSVC. | VRMONNT.
AVGFWSRV. | FPAVUPDM. | MCUPDATE. | QHONLINE. | VRMONSVC.
AVGNT. | FRESHCLAM. | MCVSSHLD. | QHONSVC. | VRRW32.
AVGNTDD | EKRN. | MINILOG. | QHWSCSVC. | VSECOMR.
AVGNTMGR | FSAV32. | MYAGTSVC. | RAVMON. | VSHWIN32.
AVGSERV. | FSAVGUI. | MYAGTTRY. | RAVTIMER. | VSMON.
AVGUARD. | FSBWSYS. | NAVAPSVC. | AVGNT | VSSERV.
AVGUPSVC. | F-SCHED. | NAVAPW32. | AVCENTER. | VSSTAT.
AVINITNT. | FSDFWD. | NAVLU32. | RFWMAIN. | WATCHDOG.
AVKSERV. | FSGK32. | NAVW32. | RTVSCAN. | WEBSCANX.
AVKSERVICE. | FSGK32ST. | NEOWATCHLOG. | RTVSCN95. | WEBTRAP.
AVKWCTL. | FSGUIEXE. | NEOWATCHTRAY. | RULAUNCH. | WGFE95.
AVP. | FSMA32. | NISSERV | SALITY | WINAW32.
AVP32. | FSMB32. | NISUM. | SAVADMINSERVICE. | WINROUTE.
AVPCC. | FSPEX. | NMAIN. | SAVMAIN. | WINSS.
AVPM. | FSSM32. | NOD32 | SAVPROGRESS. | WINSSNOTIFY.
AVAST | F-STOPW. | NORMIST. | SAVSCAN. | WRCTRL.
AVSERVER. | GCASDTSERV. | NOTSTART. | SCANNINGPROCESS. | XCOMMSVR.
AVSCHED32. | GCASSERV. | NPAVTRAY. | SDRA64. | ZAUINST
AVSYNMGR. | GIANTANTISPYWAREMAIN. | NPFMNTOR. | SDHELP. | ZLCLIENT
AVWUPD32. | GIANTANTISPYWAREUPDATER. | NPFMSG. | SHSTAT. | ZONEALARM
Removable and remote drives
Sality.AT tries to copy one of the following files to the Windows temporary files folder (for example, %TEMP%) and infects the copied file:
The virus copies the infected file to the root of all remote and removable drives as one of the following:
- \<random>.pif
- \<random>.exe
- \<random>.cmd
The virus then writes an Autorun configuration file named autorun.inf pointing to the virus copy. When the drive is accessed from a PC supporting the Autorun feature, the virus is launched automatically.
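As an added example, not part of the original description, the following PowerShell enumerates removable and network drives and parses any autorun.inf at the root for a launch directive that points to a root-level .pif, .exe or .cmd file, the pattern described above. The directive names (open, shellexecute, shell\<verb>\command) are standard autorun.inf keys; the Win32_LogicalDisk DriveType filter, the function name and the output format are our own.

```powershell
# Added example (not from the original description). Read-only: the autorun.inf
# is parsed as text and the target it names is never executed.
function Get-SuspiciousAutorun {
    [CmdletBinding()]
    param(
        # Drive roots to inspect; default is removable (2) and network (4) drives
        [string[]]$Roots = (Get-CimInstance Win32_LogicalDisk |
            Where-Object { $_.DriveType -in 2, 4 } | ForEach-Object { $_.DeviceID + '\' })
    )
    foreach ($root in $Roots) {
        $inf = Join-Path $root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        foreach ($line in (Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue)) {
            # Only the directives that launch something: open=, shellexecute=, shell\<verb>\command=
            if ($line -notmatch '^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$') { continue }
            $directive = $Matches[1]
            $target = $Matches[2].Trim('"') -replace '^(\.\\|\\)', ''   # strip a leading .\ or \
            $target = ($target -split '\s+')[0]                          # drop command-line arguments
            # Flag only a file sitting in the drive root with a launchable extension
            if ($target -match '[\\/]' -or $target -notmatch '\.(pif|exe|cmd)$') { continue }
            $file = Join-Path $root $target
            $exists = Test-Path -LiteralPath $file
            [pscustomobject]@{
                Drive      = $root
                Directive  = $directive
                Target     = $target
                Exists     = $exists
                # Hidden/System attributes on the copy are worth noting alongside the hit
                Attributes = $(if ($exists) { (Get-Item -LiteralPath $file -Force).Attributes } else { $null })
            }
        }
    }
}

Get-SuspiciousAutorun | Format-Table -AutoSize
```

Pass explicit roots (for example `Get-SuspiciousAutorun -Roots 'E:\'`) to check a single mounted image or drive.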
Payload
Prevents booting Windows in safe mode
Sality.AT recursively deletes all registry values and data under the following registry subkeys, preventing you from starting Windows in safe mode:
- HKLM\System\CurrentControlSet\Control\SafeBoot
- HKCU\System\CurrentControlSet\Control\SafeBoot
Disables security monitoring software
Sality.AT reads the system service descriptor table (SSDT) directly from the NT kernel (ntoskrnl.exe) and passes the original SSDT to a buffer created by the driver component (Trojan:WinNT/Sality). System API calls that go through the SSDT are redirected to the clean copy held by the driver component. This behavior might block some HIPS or antivirus on-access detection methods that rely on SSDT hooks.
Deletes security-related files
This virus deletes security data files, including security software detection databases and signature files, that have the following file extensions, on all drives and network shares:
Stops security-related services
Win32/Sality tries to stop and delete the following security-related services:
Agnitum Client Security Service | cmdGuard | PAVSRV
ALG | cmdAgent | PcCtlCom
Amon monitor | Eset Service | PersonalFirewal
aswUpdSv | Eset HTTP Server | PREVSRV
aswMon2 | Eset Personal Firewall | ProtoPort Firewall service
swRdr | F-Prot Antivirus Update Monitor | PSIMSVC
aswSP | fsbwsys | RapApp
aswTdi | FSDFWD | SmcService
aswFsBlk | F-Secure Gatekeeper Handler Starter | SNDSrvc
acssrv | FSMA | SPBBCSvc
AV Engine | Google Online Services | SpIDer FS Monitor for Windows NT
avast! iAVS4 Control Service | InoRPC | SpIDer Guard File System Monitor
avast! Antivirus | InoRT | SPIDERNT
avast! Mail Scanner | InoTask | Symantec Core LC
avast! Web Scanner | ISSVC | Symantec Password Validation
avast! Asynchronous Virus Monitor | KPF4 | Symantec AntiVirus Definition Watcher
avast! Self Protection | KLIF | SavRoam
AVG E-mail Scanner | LavasoftFirewall | Symantec AntiVirus
Avira AntiVir Premium Guard | LIVESRV | Tmntsrv
Avira AntiVir Premium WebGuard | McAfeeFramework | TmPfw
Avira AntiVir Premium MailGuard | McShield | tmproxy
AVP | McTaskManager | tcpsr
avp1 | navapsvc | UmxAgent
BackWeb Plug-in - 4476822 | NOD32krn | UmxCfg
bdss | NPFMntor | UmxLU
BGLiveSvc | NSCService | UmxPol
BlackICE | Outpost Firewall main module | vsmon
CAISafe | OutpostFirewall | VSSERV
ccEvtMgr | PAVFIRES | WebrootDesktopFirewallDataService
ccProxy | PAVFNSVR | WebrootFirewall
ccSetMgr | PavProt | XCOMM
COMODO Firewall Pro Sandbox Driver | PavPrSrv
Stops security-related processes
Win32/Sality tries to stop security-related processes if their process name starts with any of these strings:
AVPM. | AVWUPSRV. | GUARDGUI. | NPROTECT. | SITECLI.
A2GUARD. | AVXMONITOR9X. | GUARDNT. | NSCHED32. | SPBBCSVC.
AAVSHIELD. | AVXMONITORNT. | HREGMON. | NSMDTR. | SPHINX.
AVAST | AVXQUAR. | HRRES. | NSSSERV. | SPIDERCPL.
ADVCHK. | BDMCON. | HSOCKPE. | NSSTRAY. | SPIDERML.
AHNSD. | BDNEWS. | HUPDATE. | NTRTSCAN. | SPIDERNT.
AIRDEFENSE | BDSUBMIT. | IAMAPP. | NTOS. | SPIDERUI.
ALERTSVC | BDSWITCH. | IAMSERV. | NTXCONFIG. | SPYBOTSD.
ALOGSERV | BLACKD. | ICLOAD95. | NUPGRADE. | SPYXX.
ALSVC. | BLACKICE. | ICLOADNT. | NVCOD. | SS3EDIT.
AMON. | CAFIX. | ICMON. | NVCTE. | STOPSIGNAV.
ANTI-TROJAN. | CCAPP. | ICSSUPPNT. | NVCUT. | SWAGENT.
AVZ. | CCEVTMGR. | ICSUPP95. | NWSERVICE. | SWDOCTOR.
ANTIVIR | CCPROXY. | ICSUPPNT. | OFCPFWSVC. | SWNETSUP.
APVXDWIN. | CCSETMGR. | IFACE. | OUTPOST | SYMLCSVC.
ARMOR2NET. | CFIAUDIT. | INETUPD. | OP_MON. | SYMPROXYSVC.
ASHAVAST. | CLAMTRAY. | INOCIT. | PAVFIRES. | SYMSPORT.
ASHDISP. | CLAMWIN. | INORPC. | PAVFNSVR. | SYMWSC.
ASHENHCD. | CLAW95. | INORT. | PAVKRE. | SYNMGR.
ASHMAISV. | CUREIT | INOTASK. | PAVPROT. | TAUMON.
ASHPOPWZ. | DEFWATCH. | INOUPTNG. | PAVPROXY. | TBMON.
ASHSERV. | DRVIRUS. | IOMON98. | PAVPRSRV. | AVAST
ASHSIMPL. | DRWADINS. | ISAFE. | PAVSRV51. | TMLISTEN.
ASHSKPCK. | DRWEB32W. | ISATRAY. | PAVSS. | TMNTSRV.
ASHWEBSV. | DRWEBSCD. | ISRV95. | PCCGUIDE. | TMPFW.
ASWUPDSV. | DRWEBUPW. | ISSVC. | PCCIOMON. | TMPROXY.
ATCON. | DWEBLLIO | KAV. | PCCNTMON. | TNBUTIL.
ATUPDATER. | DWEBIO | KAVMM. | PCCPFW. | TRJSCAN.
ATWATCH. | ESCANH95. | KAVPF. | PCCTLCOM. | UP2DATE.
AVCIMAN. | ESCANHNT. | KAVPFW. | PCTAV. | VBA32ECM.
AVCONSOL. | EWIDOCTRL. | KAVSTART. | PERSFW. | VBA32IFS.
AVENGINE. | EZANTIVIRUSREGISTRATIONCHECK. | KAVSVC. | PERTSK. | VBA32LDR.
AVESVC. | F-AGNT95. | KAVSVCUI. | PERVAC. | VBA32PP3.
AVGAMSVR. | FAMEH32. | KMAILMON. | PNMSRV. | VBSNTW.
AVGCC. | FILEMON | KPFWSVC. | POP3TRAP. | VCRMON.
AVGCC32. | FIRESVC. | MCAGENT. | POPROXY. | VPTRAY.
AVGCTRL. | FIRETRAY. | MCMNHDLR. | PREVSRV. | VRFWSVC.
AVGEMC. | FIREWALL. | MCREGWIZ. | PSIMSVC. | VRMONNT.
AVGFWSRV. | FPAVUPDM. | MCUPDATE. | QHONLINE. | VRMONSVC.
AVGNT. | FRESHCLAM. | MCVSSHLD. | QHONSVC. | VRRW32.
AVGNTDD | EKRN. | MINILOG. | QHWSCSVC. | VSECOMR.
AVGNTMGR | FSAV32. | MYAGTSVC. | RAVMON. | VSHWIN32.
AVGSERV. | FSAVGUI. | MYAGTTRY. | RAVTIMER. | VSMON.
AVGUARD. | FSBWSYS. | NAVAPSVC. | AVGNT | VSSERV.
AVGUPSVC. | F-SCHED. | NAVAPW32. | AVCENTER. | VSSTAT.
AVINITNT. | FSDFWD. | NAVLU32. | RFWMAIN. | WATCHDOG.
AVKSERV. | FSGK32. | NAVW32. | RTVSCAN. | WEBSCANX.
AVKSERVICE. | FSGK32ST. | NEOWATCHLOG. | RTVSCN95. | WEBTRAP.
AVKWCTL. | FSGUIEXE. | NEOWATCHTRAY. | RULAUNCH. | WGFE95.
AVP. | FSMA32. | NISSERV | SALITY | WINAW32.
AVP32. | FSMB32. | NISUM. | SAVADMINSERVICE. | WINROUTE.
AVPCC. | FSPEX. | NMAIN. | SAVMAIN. | WINSS.
AVPM. | FSSM32. | NOD32 | SAVPROGRESS. | WINSSNOTIFY.
AVAST | F-STOPW. | NORMIST. | SAVSCAN. | WRCTRL.
AVSERVER. | GCASDTSERV. | NOTSTART. | SCANNINGPROCESS. | XCOMMSVR.
AVSCHED32. | GCASSERV. | NPAVTRAY. | SDRA64. | ZAUINST
AVSYNMGR. | GIANTANTISPYWAREMAIN. | NPFMNTOR. | SDHELP. | ZLCLIENT
AVWUPD32. | GIANTANTISPYWAREUPDATER. | NPFMSG. | SHSTAT. | ZONEALARM
Additionally, Sality.AT kills processes that have the following modules loaded:
Changes Windows settings
Sality.AT changes the registry to disable Windows Registry Editor:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
Sets value: "DisableRegistryTools"
With data: "1"
The virus changes the registry to prevent viewing files with hidden attributes.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
Sets value: "Hidden"
With data: "2"
Lowers PC security
Sality.AT changes the registry to bypass the Windows firewall.
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<virus file name>:*:enabled:ipsec"
With data: "<virus file name>"
The virus also changes other registry data that lowers the security of the infected PC. Sality.AT modifies the following registry data to alter Windows Security Center and Windows Firewall settings.
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "AntiVirusOverride"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "AntiVirusDisableNotify"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "FirewallOverride"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "FirewallDisableNotify"
With data: "1"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
With data: "0"
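The registry changes described above, together with the driver and service from the Installation section, can be audited from PowerShell. The following is an added example, not code from the original description: it reads each key the description names and reports the data Sality.AT is described as writing. Registry paths, value names and data come from the description; the SafeBoot check (the Minimal and Network subkeys are normally present), the function name and the output format are ours.

```powershell
# Added example (not from the original description). Read-only audit; nothing is changed.
$findings = New-Object 'System.Collections.Generic.List[string]'

function Test-RegValue {
    param([string]$Path, [string]$Name, [string]$BadData)
    # Report only when the value exists and holds the data the virus is described as writing
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and "$($item.$Name)" -eq $BadData) {
        $findings.Add("$Path : $Name = $BadData")
    }
}

# Windows settings: Registry Editor disabled, hidden files not shown
Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\system' 'DisableRegistryTools' '1'
Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer' 'Hidden' '2'

# Security Center overrides and Windows Firewall turned off
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
Test-RegValue $sc 'AntiVirusOverride' '1'
foreach ($v in 'AntiVirusOverride', 'AntiVirusDisableNotify', 'FirewallOverride', 'FirewallDisableNotify') {
    Test-RegValue "$sc\Svc" $v '1'
}
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
Test-RegValue $fw 'EnableFirewall' '0'

# Firewall exception of the form "<virus file name>:*:enabled:ipsec"
$list = Get-ItemProperty -Path "$fw\AuthorizedApplications\List" -ErrorAction SilentlyContinue
if ($list) {
    $list.PSObject.Properties | Where-Object { $_.Name -match ':\*:enabled:ipsec$' } |
        ForEach-Object { $findings.Add("Firewall exception: $($_.Name)") }
}

# SafeBoot emptied: on a healthy system the Minimal and Network subkeys exist
$safe = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
if ((Test-Path $safe) -and -not (Get-ChildItem $safe -ErrorAction SilentlyContinue)) {
    $findings.Add('SafeBoot has no subkeys: safe mode boot likely disabled')
}

# Driver file and service from the Installation section
$drv = Join-Path $env:SystemRoot 'system32\drivers\amsint32.sys'
if (Test-Path $drv) { $findings.Add("Driver present: $drv") }
if (Get-Service -Name amsint32 -ErrorAction SilentlyContinue) { $findings.Add('Service present: amsint32') }

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No Sality.AT registry or service indicators found.' }
```

Run it from an elevated prompt so the HKLM keys and the service list are readable; a single hit is worth following up with a full scan rather than a manual registry repair, since the file infector itself is not addressed by reversing these values.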
Downloads files
Sality.AT tries to download files from remote servers to the local drive, then decrypts and runs the downloaded files. We have observed the virus to connect to the following servers:
- www.klkjwre9fqwieluoi.info
- kukutrustnet777888.info
- klkjwre77638dfqwieuoi888.info
- 89.119.67.154
- kukutrustnet777.info
- kukutrustnet888.info
- kukutrustnet987.info
At the time of this writing, retrieved files were identified as the following:
Analysis by Shawn Wang and Hamish O'Dea