Virus:Win32/Sality.R is a file infector that targets files with extensions .SCR or .EXE. This virus may execute a damaging payload that deletes files beginning with specific strings, or files that have certain file extensions.
Installation
Upon execution, Virus:Win32/Sality.R drops its malicious code as the following files:
- <sysdir>\vcmgcd32.dl_
- <sysdir>\vcmgcd32.dll
Note - <sysdir> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
It then creates the following mutex names to prevent more than one instance of itself running in memory at one time:
- _kuku_joker_v3.09_
- KUKU300a
- KUKU301a
Spreads Via...
File Infection
Virus:Win32/Sality.R targets all files in drive C:, beginning with the root folder, that have file extensions of either .EXE or .SCR. It infects found files by adding a new code section to the host and inserting its malicious code into this newly added section.
Payload
Deletes Security-Related Files
This virus deletes security data files including detection patterns or signatures that have the following file extensions:
- .avc
- .key
- .tjc
- .vdb
In addition, this virus may delete files with names that begin with any of the following strings:
- ALER
- ANDA
- ANTI
- AVP
- CLEAN
- GUAR
- KAV
- NOD
- OUTP
- SCAN
- TOTAL
- TREN
- TROJ
- ZONE
Terminates Security-Related Processes
This virus terminates processes that begin with any of the following strings, which are usually associated with security applications:
- ANTI
- ATGUARD
- AUTOTRACE
- AVGS
- AVLTMAIN
- AVP
- AVPROTECT
- AVSYNMGR
- AVXQUAR
- BIDEF
- BIDS
- BIPCP
- BLACKICE
- CAN
- CLEANER
- DRWATSON
- DRWEB
- DRWTSN32
- ERV
- ERVER
- ESCANH
- ICSSUPPNT
- ICSUPP
- KAV
- LOCKDOWN
- MCAGENT
- MCUPDATE
- MGUI
- NAV
- NMAIN
- NOD32
- NPFMESSENGER
- NPROTECT
- NUPGRADE
- OUTPOST
- PERISCOPE
- PINGSCAN
- PORTDETECTIVE
- PROTECTX
- RTVSCAN
- SAVS
- TRJSCAN
- VSMAIN
- ZONEALARM
Downloads Files
This virus may connect to remote websites to download and execute additional, possibly malicious, programs. It checks for Internet access by attempting a connection to the domain www.microsoft.com. If the connection succeeds, Win32/Sality.R may connect to pages on the following sites:
- he3ns1k.info
- g1ikdcvns3sdsal.info2
- informat1onupd.info
- f5ds1jkkk4d.info
Downloaded files are saved and run in the %TEMP% folder.
Modifies SYSTEM.INI
Virus:Win32/Sality.R modifies the configuration file "system.ini" in the Windows folder by adding a section named 'MCIDRV_VER', for example:
[MCIDRV_VER]
DEVICE=48920sivux27761
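As an added host check (example code written for this write-up, not part of the analysis itself), the following Python routine looks for the markers listed in the Installation section and above: the dropped files in the system folder, the mutex names, and the [MCIDRV_VER] section in system.ini. The directory listing and mutex names are passed in as plain lists so the check runs offline on constructed sample data; on a live Windows host they would come from a listing of <sysdir> and from enumerating named mutexes.

```python
import re
from typing import Dict, Iterable, List
# Host markers from the write-up: dropped files, mutex names, system.ini section.
DROPPED_FILES = ("vcmgcd32.dl_", "vcmgcd32.dll")
MUTEX_NAMES = ("_kuku_joker_v3.09_", "KUKU300a", "KUKU301a")
INI_SECTION = "MCIDRV_VER"

def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Tolerant INI parser: section and key names are upper-cased,
    comments and malformed lines are skipped (system.ini is not strict)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = header.group(1).strip().upper()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().upper()] = value.strip()
    return sections

def scan_host(system_ini_text: str, sysdir_listing: Iterable[str],
              mutex_names: Iterable[str]) -> List[str]:
    """Return one finding per Sality.R marker present in the supplied data."""
    findings: List[str] = []
    sections = parse_ini(system_ini_text)
    if INI_SECTION in sections:
        device = sections[INI_SECTION].get("DEVICE", "")
        findings.append(f"system.ini: [{INI_SECTION}] present, DEVICE={device}")
    present = {name.lower() for name in sysdir_listing}
    findings += [f"dropped file in system folder: {f}"
                 for f in DROPPED_FILES if f.lower() in present]
    open_mutexes = set(mutex_names)
    findings += [f"mutex present: {m}" for m in MUTEX_NAMES if m in open_mutexes]
    return findings

# Constructed sample inputs (not captured from a real host).
SAMPLE_SYSTEM_INI = """; constructed system.ini
[drivers]
wave=mmdrv.dll
[MCIDRV_VER]
DEVICE=48920sivux27761
"""
SAMPLE_SYSDIR = ["kernel32.dll", "vcmgcd32.dll", "vcmgcd32.dl_"]
SAMPLE_MUTEXES = ["KUKU300a", "unrelated_mutex"]
```

Running scan_host on the constructed samples reports the system.ini section with its DEVICE value, both dropped files and the one matching mutex; a clean host returns an empty list.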
Steals Sensitive Information
Virus:Win32/Sality.R can steal cached passwords as well as log keystrokes entered on the infected system.
Additional Information
Since Virus:Win32/Sality.R infects files, it is possible that other malicious programs become infected, and thus may exhibit additional symptoms.
Analysis by Francis Allan Tan Seng