Threat behavior
Virus:Win32/Sality.AN is a file infector that targets files with the extensions .EXE or .SCR. Beyond infecting hosts, it carries a damaging payload: it deletes security-related files selected by extension or file-name prefix, may download and run additional programs from remote websites, and can steal cached passwords and log keystrokes.
Installation
Upon execution, Virus:Win32/Sality.AN drops its malicious code as the following files:
- <system folder>\wmimgr32.dl_
- <system folder>\wmimgr32.dll
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It then creates the mutex "kuku_joker_v3.04" to prevent more than one instance of itself running in memory at one time.
Spreads Via...
Infecting Files
Virus:Win32/Sality.AN targets all files on drive C:, starting from the root folder, that have the extension .EXE or .SCR. It infects each file it finds by appending a new code section to the host executable and writing its malicious code into that newly added section.
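The infection pattern above (a section appended to an .EXE or .SCR host, with execution reaching the new code) suggests a simple hunting heuristic. The following is an added example, not Microsoft's or any vendor's code: it parses only the parts of a PE32 image needed to find the section table and AddressOfEntryPoint, then flags images whose entry point lies in the last section, and separately notes when that section is marked both writable and executable. Both checks are assumptions about how appended-section infectors commonly look, not a statement of Sality.AN's exact layout; the two PE images are constructed in memory, and the section name ".added" is invented.

```python
"""Heuristic for appended-section file infection in PE32 images.

Added example, not the page's or any vendor's code. The entry-point-in-last-section
and writable+executable checks are generic infector heuristics (assumptions), and
CLEAN / INFECTED below are constructed in memory, not real binaries."""
import os
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes):
    """Return (entry_rva, [(name, virtual_address, virtual_size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections, off = [], opt + opt_size                    # section table follows the optional header
    for _ in range(num_sections):
        name, vsize, va, _, _, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, chars))
        off += struct.calcsize(SECTION_HDR)
    return entry_rva, sections


def suspicious_last_section(data: bytes):
    """Return reasons the image looks like an appended-section infection; empty list means none."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return []
    name, va, vsize, chars = sections[-1]
    reasons = []
    if va <= entry_rva < va + vsize:                      # execution starts in the appended section
        reasons.append(f"entry point 0x{entry_rva:x} lies in last section {name!r}")
    if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
        reasons.append(f"last section {name!r} is writable and executable")
    return reasons


def scan_tree(root: str):
    """Walk a tree (the virus starts at the root of C:) and report .EXE/.SCR files that trip the heuristic."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".exe", ".scr")):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    reasons = suspicious_last_section(fh.read())
            except (OSError, ValueError, struct.error):
                continue                                  # unreadable or malformed PE: skip, keep sweeping
            if reasons:
                hits[path] = reasons
    return hits


def build_pe(sections, entry_rva: int) -> bytes:
    """Construct a minimal PE32 image in memory (demo input only; offsets are hypothetical)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                       # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    table = b"".join(struct.pack(SECTION_HDR, n, vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table


# Constructed samples: a clean two-section image, and one with a third appended RWX section holding the entry point.
CLEAN = build_pe([(b".text", 0x1000, 0x2000, 0x60000020),      # code: read + execute
                  (b".data", 0x3000, 0x1000, 0xC0000040)],     # data: read + write
                 entry_rva=0x1200)
INFECTED = build_pe([(b".text", 0x1000, 0x2000, 0x60000020),
                     (b".data", 0x3000, 0x1000, 0xC0000040),
                     (b".added", 0x4000, 0x1000, 0xE0000020)], # appended: read + write + execute
                    entry_rva=0x4000)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, suspicious_last_section(img) or "no findings")
```

Run `scan_tree("C:\\")` (or any directory) to sweep a machine; packers and some legitimate installers also place the entry point in a final section, so treat a hit as a triage lead, not a verdict.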
Payload
Deletes Security-Related Files
This virus deletes security-product data files, such as detection patterns or signature databases, that have the following file extensions:
.avc
.key
.tjc
.vdb
In addition, this virus may delete files with names that begin with any of the following strings:
ALER
ANDA
ANTI
AVP
CLEAN
GUAR
KAV
NOD
OUTP
SCAN
TOTAL
TREN
TROJ
ZONE
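The installation artifacts (the two wmimgr32 files dropped into the system folder) and the deletion payload (files selected by extension or name prefix, listed above) are both things a responder can look for in file-event telemetry. The following is an added example, not Microsoft's code: it runs the matching rules over constructed file-event records in a made-up line format (timestamp, event kind, pid, image, path). The burst threshold, the infected host name and every path are assumptions; real telemetry such as Sysmon file events would need its own parser, but the matching logic is the same.

```python
"""Host-side triage for Sality.AN's dropped files and security-file deletions.

Added example, not the page's code. Event format, threshold and sample paths are
assumptions made for the demo; only the file names, extensions and prefixes come
from the description above."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

DROPPED_FILES = {"wmimgr32.dl_", "wmimgr32.dll"}          # written to the system folder on install
DELETED_EXTENSIONS = {".avc", ".key", ".tjc", ".vdb"}    # signature/pattern files the payload removes
DELETED_PREFIXES = ("ALER", "ANDA", "ANTI", "AVP", "CLEAN", "GUAR", "KAV",
                    "NOD", "OUTP", "SCAN", "TOTAL", "TREN", "TROJ", "ZONE")
DELETE_BURST_THRESHOLD = 3   # assumption: one matching deletion is noise, several from one process is not

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>FileCreate|FileDelete) pid=(?P<pid>\d+) image=(?P<image>\S+) path=(?P<path>.+)$")


def is_dropper_artifact(path: str) -> bool:
    """True for the two file names Sality.AN drops; the folder is not checked, the names are distinctive."""
    return PureWindowsPath(path).name.lower() in DROPPED_FILES


def is_payload_target(path: str) -> bool:
    """True if the payload's deletion rules would select this file (case-insensitive, as on NTFS)."""
    p = PureWindowsPath(path)
    return p.suffix.lower() in DELETED_EXTENSIONS or p.name.upper().startswith(DELETED_PREFIXES)


def triage(lines):
    """Return alert strings: one per dropped-file write, one per process that deletes a burst of targets."""
    alerts, deletions = [], defaultdict(list)
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue                                   # unparseable line: skip rather than abort the run
        ev = m.groupdict()
        if ev["kind"] == "FileCreate" and is_dropper_artifact(ev["path"]):
            alerts.append(f"dropper artifact written by {ev['image']} (pid {ev['pid']}): {ev['path']}")
        elif ev["kind"] == "FileDelete" and is_payload_target(ev["path"]):
            key = (ev["pid"], ev["image"])
            deletions[key].append(ev["path"])
            if len(deletions[key]) == DELETE_BURST_THRESHOLD:   # alert once, when the threshold is crossed
                alerts.append(f"security-file deletion burst by {ev['image']} (pid {ev['pid']}): "
                              + ", ".join(deletions[key]))
    return alerts


# Constructed sample events; the infected host (solitaire.exe) and all paths are invented.
SAMPLE_EVENTS = [
    r"2009-03-10T10:01:02Z FileCreate pid=1304 image=C:\Games\solitaire.exe path=C:\Windows\System32\wmimgr32.dl_",
    r"2009-03-10T10:01:02Z FileCreate pid=1304 image=C:\Games\solitaire.exe path=C:\Windows\System32\wmimgr32.dll",
    r"2009-03-10T10:01:05Z FileDelete pid=1304 image=C:\Games\solitaire.exe path=C:\AV\Bases\main.avc",
    r"2009-03-10T10:01:05Z FileDelete pid=1304 image=C:\Games\solitaire.exe path=C:\AV\license.key",
    r"2009-03-10T10:01:06Z FileDelete pid=1304 image=C:\Games\solitaire.exe path=C:\AV\Bases\ANTIVIR.DAT",
    r"2009-03-10T10:02:00Z FileDelete pid=2200 image=C:\Windows\explorer.exe path=C:\Users\bob\notes.txt",
    r"2009-03-10T10:02:01Z FileDelete pid=2200 image=C:\Windows\explorer.exe path=C:\Users\bob\scan_results.txt",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Note the single explorer.exe deletion of scan_results.txt: it matches the SCAN prefix, so matching alone would be a false positive, which is why the burst count is per process and only the three deletions from pid 1304 raise an alert.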
Downloads Files
This virus may connect to remote websites to download and execute additional, possibly malicious programs. It first checks for Internet access by attempting a connection to the domain www.microsoft.com. If that connection succeeds, Virus:Win32/Sality.AN may connect to pages within the following websites in an attempt to download files:
- rus0396kuku.com
- kukunet11581q.com
Downloaded files are saved to the %TEMP% folder and executed from there.
Steals Sensitive Data
Virus:Win32/Sality.AN can steal cached passwords as well as log keystrokes typed by the user.
Analysis by Francis Allan Tan Seng
Prevention