Win32/Sality


Microsoft security software detects and removes this threat.

This malware family can steal your personal information and lower your PC security settings. 

Threats in this family can:
  • Stop your security software from running
  • Steal your sensitive information
  • Download and run other files
  • Delete security-related files from your PC
  • Lower your PC security settings


What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Enable registry editor

This threat might prevent Registry Editor from running. To allow the Registry Editor to run, follow these steps:

  1. Click Start then Run and type cmd to run a command prompt.
  2. In the command prompt, type the following and press Enter:
    reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
  3. Type exit.

Restore your PC

This threat might make lasting changes to your PC's settings that won't be restored when it's cleaned. The following steps can help change these settings back to what you want:

Get more help

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Most variants of Win32/Sality drop a DLL onto your PC. For example, we have seen variants use the following file names:

  • <system folder>\wmdrtc32.dll - this file contains the bulk of the virus code
  • <system folder>\wmdrtc32.dl_ - this is a compressed copy of the virus code

Some variants of Sality, like Virus:Win32/Sality.AM, do not drop the DLL, but instead load it entirely in memory without writing it to disk. This variant, along with others, also drops a driver with a random file name in the folder <system folder>\drivers. The driver is detected as Trojan:WinNT/Sality (see the Payload - Drops other components section below).

Sality may be dropped by other malware, including other Sality variants. For example, a Sality variant detected as Virus:Win32/Sality.AU is dropped by Worm:Win32/Sality.AU.

We have also observed the Sality variant Virus:Win32/Sality.G being dropped by a member of the Win32/Bagle family of mass-mailing worms: Worm:Win32/Bagle.IF@mm.

Spreads via...

File infection

Win32/Sality usually targets all files in drive C: that have .exe or .scr file extensions, beginning with the root folder, and injects its code into them. Infected files increase in size by a varying amount.

The virus also targets programs that run at each Windows start and frequently used applications by checking the following registry keys:

  • HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Win32/Sality avoids infecting the following categories of files so that it remains hidden:

  • Files protected by System File Checker (SFC)
  • Files under the %SystemRoot% folder
  • The executable files of several antivirus and firewall products; in particular it avoids infecting files with names containing any of the following words:
    _AVPM
    A2GUARD
    AAVSHIELD
    ADVCHK
    AHNSD
    AIRDEFENSE
    ALERTSVC
    ALOGSERV
    ALSVC
    AMON
    ANTI-TROJAN
    ANTIVIR
    APVXDWIN
    ARMOR2NET
    ASHAVAST
    ASHDISP
    ASHENHCD
    ASHMAISV
    ASHPOPWZ
    ASHSERV
    ASHSIMPL
    ASHSKPCK
    ASHWEBSV
    ASWUPDSV
    ATCON
    ATUPDATER
    ATWATCH
    AVAST
    AVCENTER
    AVCIMAN
    AVCONSOL
    AVENGINE
    AVESVC
    AVGAMSVR
    AVGCC
    AVGCC32
    AVGCTRL
    AVGEMC
    AVGFWSRV
    AVGNT
    AVGNTDD
    AVGNTMGR
    AVGSERV
    AVGUARD
    AVGUPSVC
    AVINITNT
    AVKSERV
    AVKSERVICE
    AVKWCTL
    AVP
    AVP32
    AVPCC
    AVPM
    AVSCHED32
    AVSERVER
    AVSYNMGR
    AVWUPD32
    AVWUPSRV
    AVXMONITOR9X
    AVXMONITORNT
    AVXQUAR
    AVZ
    BDMCON
    BDNEWS
    BDSUBMIT
    BDSWITCH
    BLACKD
    BLACKICE
    CAFIX
    CCAPP
    CCEVTMGR
    CCPROXY
    CCSETMGR
    CFIAUDIT
    CLAMTRAY
    CLAMWIN
    CLAW95
    CUREIT
    DEFWATCH
    DRVIRUS
    DRWADINS
    DRWEB32W
    DRWEBSCD
    DRWEBUPW
    DWEBIO
    DWEBLLIO
    EKRN
    ESCANH95
    ESCANHNT
    EWIDOCTRL
    EZANTIVIRUSREGISTRATIONCHECK
    F-AGNT95
    FAMEH32
    FILEMON
    FIRESVC
    FIRETRAY
    FIREWALL
    FPAVUPDM
    F-PROT95
    FRESHCLAM
    FSAV32
    FSAVGUI
    FSBWSYS
    F-SCHED
    FSDFWD
    FSGK32
    FSGK32ST
    FSGUIEXE
    FSMA32
    FSMB32
    FSPEX
    FSSM32
    F-STOPW
    GCASDTSERV
    GCASSERV
    GIANTANTISPYWAREMAIN
    GIANTANTISPYWAREUPDATER
    GUARDGUI
    GUARDNT
    HREGMON
    HRRES
    HSOCKPE
    HUPDATE
    IAMAPP
    IAMSERV
    ICLOAD95
    ICLOADNT
    ICMON
    ICSSUPPNT
    ICSUPP95
    ICSUPPNT
    IFACE
    INETUPD
    INOCIT
    INORPC
    INORT
    INOTASK
    INOUPTNG
    IOMON98
    ISAFE
    ISATRAY
    ISRV95
    ISSVC
    KAV
    KAVMM
    KAVPF
    KAVPFW
    KAVSTART
    KAVSVC
    KAVSVCUI
    KMAILMON
    KPFWSVC
    MCAGENT
    MCMNHDLR
    MCREGWIZ
    MCUPDATE
    MCVSSHLD
    MINILOG
    MYAGTSVC
    MYAGTTRY
    NAVAPSVC
    NAVAPW32
    NAVLU32
    NAVW32
    NEOWATCHLOG
    NEOWATCHTRAY
    NISSERV
    NISUM
    NMAIN
    NOD32
    NORMIST
    NOTSTART
    NPAVTRAY
    NPFMNTOR
    NPFMSG
    NPROTECT
    NSCHED32
    NSMDTR
    NSSSERV
    NSSTRAY
    NTOS
    NTRTSCAN
    NTXCONFIG
    NUPGRADE
    NVCOD
    NVCTE
    NVCUT
    NWSERVICE
    OFCPFWSVC
    OP_MON
    OUTPOST
    PAVFIRES
    PAVFNSVR
    PAVKRE
    PAVPROT
    PAVPROXY
    PAVPRSRV
    PAVSRV51
    PAVSS
    PCCGUIDE
    PCCIOMON
    PCCNTMON
    PCCPFW
    PCCTLCOM
    PCTAV
    PERSFW
    PERTSK
    PERVAC
    PNMSRV
    POP3TRAP
    POPROXY
    PREVSRV
    PSIMSVC
    QHM32
    QHONLINE
    QHONSVC
    QHPF
    QHWSCSVC
    RAVMON
    RAVTIMER
    RFWMAIN
    RTVSCAN
    RTVSCN95
    RULAUNCH
    SALITY
    SAVADMINSERVICE
    SAVMAIN
    SAVPROGRESS
    SAVSCAN
    SCANNINGPROCESS
    SDHELP
    SHSTAT
    SITECLI
    SPBBCSVC
    SPHINX
    SPIDERCPL
    SPIDERML
    SPIDERNT
    SPIDERUI
    SPYBOTSD
    SPYXX
    SS3EDIT
    STOPSIGNAV
    SWAGENT
    SWDOCTOR
    SWNETSUP
    SYMLCSVC
    SYMPROXYSVC
    SYMSPORT
    SYMWSC
    SYNMGR
    TAUMON
    TBMON
    TFAK
    THAV
    THSM
    TMAS
    TMLISTEN
    TMNTSRV
    TMPFW
    TMPROXY
    TNBUTIL
    TRJSCAN
    UP2DATE
    VBA32ECM
    VBA32IFS
    VBA32LDR
    VBA32PP3
    VBSNTW
    VCHK
    VCRMON
    VETTRAY
    VIRUSKEEPER
    VPTRAY
    VRFWSVC
    VRMONNT
    VRMONSVC
    VRRW32
    VSECOMR
    VSHWIN32
    VSMON
    VSSERV
    VSSTAT
    WATCHDOG
    WEBPROXY
    WEBSCANX
    WEBTRAP
    WGFE95
    WINAW32
    WINROUTE
    WINSS
    WINSSNOTIFY
    WRCTRL
    XCOMMSVR
    ZAUINST
    ZLCLIENT
    ZONEALARM

Removable drives and network shares

Some Sality variants can infect legitimate files which are then moved to available removable drives and shared network folders.

One of the following legitimate files, if it exists, is copied into the %TEMP% folder, then infected:

The resulting infected file is then moved to the root of all available removable drives and network shares as any of the following:

  • \<random file name>.pif
  • \<random file name>.exe
  • \<random file name>.cmd

The Sality variant also creates an autorun.inf file in the root of all these drives that points to the infected file. When a drive is accessed from a PC supporting the Autorun feature, the file is launched automatically.

This is common malware behavior, generally used to spread malware from PC to PC.

It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media.

Payload

Deletes security-related files

Sality variants usually try to delete files related to antivirus updates, like those with the following file extensions:

  • .avc
  • .key
  • .trj
  • .vdb

Some variants, like Virus:Win32/Sality.G, try to delete files that have the following strings in their file names:

  • AHEAD
  • ALER
  • ANDA
  • ANTI 0
  • CLEAN
  • GUAR
  • OUTP
  • SCAN
  • TOTAL
  • TREN
  • TROJ
  • ZONE

Ends or closes security-related processes

Win32/Sality commonly searches for and tries to end or close security applications, particularly antivirus and personal firewall programs. It tries to end or close security applications containing the same strings as the files it avoids infecting in the Spreads via... File infection section.

It also searches for and tries to close processes that contain or load modules that have the following substrings:

  • DWEBILLIO
  • DWEBIO

It may also close the following security-related services:

acssrv
Agnitum Client Security Service
ALG
Amon monitor
aswFsBlk
aswMon2
aswRdr
aswSP
aswTdi
aswUpdSv
AV Engine
avast! Antivirus
avast! Asynchronous Virus Monitor
avast! iAVS4 Control Service
avast! Mail Scanner
avast! Self Protection
avast! Web Scanner
AVG E-mail Scanner
Avira AntiVir Premium Guard
Avira AntiVir Premium MailGuard
Avira AntiVir Premium WebGuard
AVP
avp1
BackWeb Plug-in - 4476822
bdss
BGLiveSvc
BlackICE
CAISafe
ccEvtMgr
ccProxy
ccSetMgr
cmdAgent
cmdGuard
COMODO Firewall Pro Sandbox Driver
Eset HTTP Server
Eset Personal Firewall
Eset Service
F-Prot Antivirus Update Monitor
fsbwsys
FSDFWD
F-Secure Gatekeeper Handler Starter
FSMA
Google Online Services
InoRPC
InoRT
InoTask
ISSVC
KLIF
KPF4
LavasoftFirewall
LIVESRV
McAfeeFramework
McShield
McTaskManager
navapsvc
NOD32krn
NPFMntor
NSCService
Outpost Firewall main module
OutpostFirewall
PAVFIRES
PAVFNSVR
PavProt
PavPrSrv
PAVSRV
PcCtlCom
PersonalFirewal
PREVSRV
ProtoPort Firewall service
PSIMSVC
RapApp
SavRoam
SmcService
SNDSrvc
SPBBCSvc
SpIDer FS Monitor for Windows NT
SpIDer Guard File System Monitor
SPIDERNT
Symantec AntiVirus
Symantec AntiVirus Definition Watcher
Symantec Core LC
Symantec Password Validation
tcpsr
Tmntsrv
TmPfw
tmproxy
UmxAgent
UmxCfg
UmxLU
UmxPol
vsmon
VSSERV
WebrootDesktopFirewallDataService
WebrootFirewall
XCOMM

Blocks access to security-related domains

Some Win32/Sality variants block access to any URL containing any of these words or phrases:

agnmitum
bitdefender
cureit
drweb
eset.com
etrust.com
ewido
f-secure
kaspersky
mcafee
onlinescan.
pandasoftware
sality-remov
sophos
spywareguide
spywareinfo
symantec
trendmicro
upload_virus
virusinfo
virusscan
virustotal
windowsecurity

Steals sensitive information

Some Win32/Sality variants can steal passwords you've stored on your PC and can log keystrokes you enter. For example, in the wild we have observed Virus:Win32/Sality.AT downloading and running TrojanSpy:Win32/Keatep.B, which steals FTP server credentials.

We've also observed Virus:Win32/Sality.G dropping a component - Virus:Win32/Sality.G.dll - that logs keystrokes and steals passwords and information about your PC, like the domain it is connected to and the PC's name, and sends it to a remote server, like:

  • kukunet11581q.com
  • rus0396kuku.com

Downloads and runs other files

Win32/Sality variants usually try to download and run other files. They may first try to connect to www.microsoft.com to check for Internet connectivity. These files may include other malware, like TrojanSpy:Win32/Keatep.B.

The files are downloaded into the %TEMP% folder and decrypted using one of several hardcoded passwords, which include:

  • GdiPlus.dll
  • kukutrusted!.

Win32/Sality might also connect to a number of hardcoded domains to download files.

Injects code into running processes

Most of the payload of Win32/Sality is run in the context of other processes. This makes cleaning harder and lets the malware bypass some firewalls. To avoid multiple injections into the same process, a system-wide mutex called <process name>.exeM_<process ID>_ is created for every process in which code is injected.

Prevents Windows from booting up in Safe Mode

Win32/Sality variants recursively delete all registry values and data under the following registry subkeys, preventing you from starting Windows in Safe Mode:

  • HKCU\System\CurrentControlSet\Control\SafeBoot
  • HKLM\System\CurrentControlSet\Control\SafeBoot

Drops other components

Some variants of Win32/Sality drop a driver with a random file name in the folder <system folder>\drivers. The driver is detected as Trojan:WinNT/Sality. Its purpose is to:

  • Close or end security-related processes - Trojan:WinNT/Sality ends processes to bypass the self-protection of some antivirus programs
  • Block access to security-related websites - Trojan:WinNT/Sality denies access to a list of hardcoded URLs. This technique works only on Windows XP, Windows 2003, and Windows 2000
  • Disable SSDT hooks - Trojan:WinNT/Sality removes the SSDT hooks that many security products rely on, preventing those products from working properly

Changes %SystemRoot%\system.ini

Win32/Sality adds the following section to the configuration file %SystemRoot%\system.ini:

[MCIDRV_VER]
DEVICEMB=<random string>

The section acts as an infection marker.

Connects to a peer-to-peer (P2P) network

PCs infected with some versions of Win32/Sality, like Virus:Win32/Sality.AT and Virus:Win32/Sality.AU, connect to other infected PCs by joining a peer-to-peer (P2P) network. From other PCs in the P2P network, they receive URLs pointing to additional malware components.

The P2P network uses UDP connections from your PC to the network. All messages exchanged on the P2P network are encrypted. The local UDP port number used to connect to the network is derived from the PC name. At the time of analysis, we were unable to confirm the nature of the messages.

Lowers PC security

Win32/Sality variants may try to lower Windows security.

Some variants may run the following netsh command to disable the Windows Firewall:

netsh firewall set opmode disable

Variants may also make the following changes to the registry to change or lower security settings:

  • Disable User Account Control (UAC):

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Sets value: "EnableLUA"
    With data: "0"
  • Change Windows Firewall to allow Internet communication:

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Sets value: "<Win32/Sality file name>"
    With data: "<Win32/Sality file name>:*:enabled:ipsec"
  • Disable Windows Firewall:

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    Sets value: "EnableFirewall"
    With data: "0"
  • Redirect netsh event tracing session logging:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
    Sets value: "LogSessionName"
    With data: "stdout"
  • Turn off monitoring of the installed antivirus software from within the Microsoft Security Center:

    In subkeys:
    HKLM\SOFTWARE\Microsoft\Security Center
    HKLM\SOFTWARE\Microsoft\Security Center\Svc
    Sets value: "AntiVirusOverride"
    With data: "1"
  • Turn off security alerts in Windows Security Center:

    In subkeys:
    HKLM\SOFTWARE\Microsoft\Security Center
    HKLM\SOFTWARE\Microsoft\Security Center\Svc
    Sets values:
    "FirewallDisableNotify"
    "UacDisableNotify"
    "UpdatesDisableNotify"
    With data: "1"
  • Disable Windows Task Manager:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Sets value: "DisableTaskMgr"
    With data: "1"
  • Turn "Offline Mode" off in Microsoft Internet Explorer:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Sets value: "GlobalUserOffline"
    With data: "0"
  • Let hidden files remain hidden:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Sets value: "Hidden"
    With data: "2"
  • Prevent access to registry editing tools like regedit:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Sets value: "DisableRegistryTools"
    With data: "1"
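As an added example (not part of this encyclopedia entry and not Microsoft's tooling), the following Python check parses a reg.exe export and reports which of the settings listed above are in their weakened state, including a firewall exception registered in the ":*:enabled:ipsec" form. The export text and the winXYZ.exe file name are constructed placeholders.

```python
import re

# Registry values from the "Lowers PC security" list above, with the data that
# shows the setting was weakened (hive names spelled as reg.exe exports them).
HKLM, HKCU = "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"
SALITY_SETTINGS = [
    (HKLM + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "0"),
    (HKLM + r"\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile", "EnableFirewall", "0"),
    (HKLM + r"\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride", "1"),
    (HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "1"),
    (HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", "1"),
]

# Constructed sample of "reg export" output from an affected PC; winXYZ.exe is
# a placeholder, not a real Sality file name.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Temp\\winXYZ.exe"="C:\\Temp\\winXYZ.exe:*:enabled:ipsec"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
"""

# "name"=dword:XXXXXXXX or "name"="string" (other value types are skipped).
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg_export(text):
    """Map (key, name) -> data. Keys and names are lower-cased because the
    registry ignores case; DWORDs become decimal strings; .reg escapes are undone."""
    values, key = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = VALUE_RE.match(line)
        if key and m:
            name, dword, string = m.groups()
            data = str(int(dword, 16)) if dword is not None else string.replace("\\\\", "\\")
            values[(key, name.replace("\\\\", "\\").lower())] = data
    return values

def find_sality_settings(values):
    """Return the weakened settings present, plus any firewall exception whose
    data ends in ':*:enabled:ipsec', the form listed above for Sality."""
    found = [f"{name}={bad} under {key}" for key, name, bad in SALITY_SETTINGS
             if values.get((key.lower(), name.lower())) == bad]
    found += [f"firewall exception for {name}" for (key, name), data in values.items()
              if key.endswith(r"\authorizedapplications\list")
              and data.lower().endswith(":*:enabled:ipsec")]
    return found
```

Run it against `reg export HKLM` / `reg export HKCU` output from the suspect PC; an empty result means none of the listed values is in its weakened state, not that the PC is clean.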

Further reading

Related encyclopedia entries

Trojan:WinNT/Sality
TrojanSpy:Win32/Keatep.B
Virus:Win32/Sality.AM
Virus:Win32/Sality.G
Virus:Win32/Sality.G.dll
Virus:Win32/Sality.AT
Virus:Win32/Sality.AU
Win32/Bagle
Worm:Win32/Bagle.IF@mm
Worm:Win32/Sality.AU

Analysis by Hamish O'Dea, Edgardo Diaz Jr, and Horea Coroiu


Symptoms

The following could indicate that you have this threat on your PC:

  • The presence of the following files:
    • <system folder>\wmdrtc32.dll - this file contains the bulk of the virus code
    • <system folder>\wmdrtc32.dl_ - this is a compressed copy of the virus code
  • Infected files might unexpectedly increase in size
  • Antivirus and firewall applications might fail to function
  • Windows Task Manager and Windows Registry Editor might be disabled
  • There is encrypted UDP traffic originating from unexpected applications


Alert level: Severe
This entry was first published on: Aug 07, 2010
This entry was updated on: Sep 16, 2014

This threat is also detected as:
No known aliases