Virus:Win32/Sality is a family of polymorphic file infectors that target Windows executable files with the extensions .SCR or .EXE. It can run a damaging payload that deletes files with certain extensions and stops security-related processes and services.
Installation
Win32/Sality's main method of installation is by infecting files on the local system. Most variants employ a DLL that is dropped once on each infected machine. The DLL is written to disk in two forms, for example:
The file with the extension '.dl_' is a compressed copy of the DLL; the DLL contains the bulk of the virus's code.
Recent variants of Sality, such as Win32/Sality.AM, do not drop the DLL, but instead load it entirely in memory without writing it to disk.
Spreads Via...
File infection
Virus:Win32/Sality usually targets all files in drive C: that have .EXE or .SCR file extensions, beginning with the root folder. Infected files increase in size by a varying amount.
Payload
Deletes security-related files
Sality variants usually attempt to delete files related to anti-virus updates, such as those with the following file extensions:
Stops security-related processes
Win32/Sality commonly searches for and tries to stop security applications, particularly anti-virus and personal firewall programs. It also deletes particular security-related services.
Steals sensitive information
Some Virus:Win32/Sality variants can steal cached passwords and log keystrokes entered on the infected system.
Downloads and runs files
Win32/Sality variants usually attempt to download and run other files. They may first try to connect to www.microsoft.com in order to check for Internet connectivity.
Lowers computer security
Win32/Sality variants may modify the computer registry to lower security in Microsoft Windows. The following changes have been observed in several common variants of Win32/Sality:
-
Disables User Account Control (UAC)
Modifies value: EnableLUA
With data: "0"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
-
Modifies Windows Firewall to allow Internet communication by Win32/Sality
Adds value: <Win32/Sality file name>
With data: "<Win32/Sality file name>:*:enabled:ipsec"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
-
Disables Windows Firewall
Modifies value: EnableFirewall
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
-
Redirects NETSH event tracing session logging
Modifies value: LogSessionName
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
-
Turns off monitoring installed Antivirus software within Microsoft Security Center
Modifies value: AntiVirusOverride
With data: "1"
In subkeys:
HKLM\SOFTWARE\Microsoft\Security Center
HKLM\SOFTWARE\Microsoft\Security Center\Svc
-
Disables Windows Task Manager
Modifies value: DisableTaskMgr
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
-
Turns "Offline Mode" off in Microsoft Internet Explorer
Modifies value: GlobalUserOffline
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
-
Allows hidden files to remain hidden
Modifies value: Hidden
With data: "2"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
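The registry changes listed above can be audited directly on a suspect machine. The following PowerShell script is an added example, not part of the Win32/Sality entry and not code from Microsoft; it reads each value the entry names and flags those whose data matches the observed modification, then lists Windows Firewall exceptions in the "<name>:*:enabled:ipsec" form. Run it from an elevated prompt; the check names and the output layout are this example's own choices.

```powershell
# Added audit script (not from the encyclopedia entry). Each entry below is one
# registry modification the Sality entry reports, with the data value it sets.
$checks = @(
    @{ Name = 'UAC disabled';                      Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';                               Value = 'EnableLUA';         Bad = 0 }
    @{ Name = 'Windows Firewall disabled';         Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Value = 'EnableFirewall';    Bad = 0 }
    @{ Name = 'Netsh tracing redirected';          Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh';              Value = 'LogSessionName';    Bad = 'stdout' }
    @{ Name = 'Security Center AV monitoring off'; Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                                                    Value = 'AntiVirusOverride'; Bad = 1 }
    @{ Name = 'Security Center AV monitoring off (Svc)'; Path = 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc';                                          Value = 'AntiVirusOverride'; Bad = 1 }
    @{ Name = 'Task Manager disabled';             Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';                               Value = 'DisableTaskMgr';    Bad = 1 }
    @{ Name = 'IE offline mode forced off';        Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';                             Value = 'GlobalUserOffline'; Bad = 0 }
    @{ Name = 'Hidden files kept hidden';          Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';                             Value = 'Hidden';            Bad = 2 }
)

# Reads one value and reports 'absent', 'ok', or 'MATCH' (data equals the
# value Sality is reported to write). Comparison is done as strings so that
# REG_DWORD and REG_SZ data are handled the same way.
function Test-SalityRegistryValue {
    param([hashtable]$Check)
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Check = $Check.Name; Status = 'absent'; Data = $null }
    }
    $data   = $item.($Check.Value)
    $status = if ("$data" -eq "$($Check.Bad)") { 'MATCH' } else { 'ok' }
    [pscustomobject]@{ Check = $Check.Name; Status = $status; Data = $data }
}

$results = foreach ($c in $checks) { Test-SalityRegistryValue -Check $c }
$results | Format-Table -AutoSize

# Firewall exception list: value name is the program path, data has the form
# "<path>:*:enabled:<description>". Sality's entry uses the description "ipsec".
# Any entry with that description whose path is not a known application
# deserves a closer look.
$listPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$list = Get-ItemProperty -Path $listPath -ErrorAction SilentlyContinue
if ($list) {
    $list.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -match ':\*:enabled:ipsec$' } |
        ForEach-Object { "Firewall exception: $($_.Name) -> $($_.Value)" }
}
```

A MATCH on its own is not proof of infection: Hidden = 2 and GlobalUserOffline = 0 are the defaults on many Windows installations, and EnableLUA = 0 is common on administrator-tuned systems, so treat the UAC, firewall, Security Center, Task Manager and Netsh results as the meaningful ones and corroborate them with the file-infection and process-termination behaviour described above. The HKCU checks apply to the user running the script; repeat them under other profiles (or by loading their NTUSER.DAT hives) on a shared machine.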