Virus:Win32/Sality.G


Virus:Win32/Sality.G is the detection for files that have been infected by Virus:Win32/Sality.G.dll.
 
Virus:Win32/Sality.G and Virus:Win32/Sality.G.dll are variants of the Virus:Win32/Sality family, a family of polymorphic file infectors that target Windows executable files with the extensions .SCR or .EXE. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. They may also download and execute arbitrary files from a remote server.
For more information, please see the detailed Virus:Win32/Sality family description elsewhere in the encyclopedia.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

Installation
Virus:Win32/Sality.G.dll may be dropped and loaded as %systemroot%\system32\wmimgr32.dll by Virus:Win32/Sality.G. Virus:Win32/Sality.G.dll is loaded into other processes by installing a message hook (a function that enables Virus:Win32/Sality.G to load itself into other processes).
 
Virus:Win32/Sality.G.dll creates a mutex named "kuku_joker_v3.04" to prevent more than one instance of itself from running in the memory at the same time.
Spreads via…
File infection / network shares
When executed, Virus:Win32/Sality.G drops the compressed payload and file-infecting component (Virus:Win32/Sality.G.dll) as %systemroot%\system32\wmimgr32.dl_ and decompresses it as %systemroot%\system32\wmimgr32.dll.
 
Virus:Win32/Sality.G loads the decompressed payload component immediately, then jumps back to the original code entry point of the infected file.
 
Virus:Win32/Sality.G.dll tries to infect PE files with the extensions ".EXE" and ".SCR" on local drives and network shares. Files protected by SFC (System File Checker) or those whose file name contains any of the following strings will not be infected:
 
"KAV"
"NOD"
"ANTI"
"SCAN"
"ZONE"
"ANDA"
"TROJ"
"TREN"
"ALER"
"CLEAN"
"OUTP"
"GUAR"
"AVP"
"TOTAL"
Payload
Deletes files
Virus:Win32/Sality.G.dll tries to delete files with the following extensions:
".tjc"
".avc"
".key"
".vdb"
 
Downloads and executes arbitrary files
Virus:Win32/Sality.G.dll tries to download and execute files from a remote server. Files are downloaded to the %TEMP% directory then executed.
 
Note - %TEMP% refers to a variable location that the malware determines by querying the operating system. The default location for Windows 2000, XP and NT is C:\DOCUME~1\<user>\LOCALS~1\Temp; for Vista and Windows 7 it is C:\Users\<user name>\AppData\Local\Temp.
 
In the wild, we have observed Virus:Win32/Sality.G.dll attempting to download files from these domains:
 
rus0396kuku.com
kukunet11581q.com
Additional information
For more information, please see the description for Virus:Win32/Sality.G.dll elsewhere in our encyclopedia.
 
Analysis by Shawn Wang

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    %systemroot%\system32\wmimgr32.dl_
    %systemroot%\system32\wmimgr32.dll
  • Files with the following file extensions may be deleted:
    .tjc
    .avc
    .key
    .vdb

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.71.240.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Apr 14, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win32/Sality.F (AhnLab)
  • W32/Sality.k (Command)
  • Trojan.Win32.Scar.bxqc (Kaspersky)
  • W32/Sality.n (Norman)
  • Win32.Sality.L (VirusBuster)
  • Virus found Win32/Sality (AVG)
  • W32/Sality.l (Avira)
  • Win32/Sality.J (CA)
  • Trojan.MulDrop.55658 (Dr.Web)
  • Win32/Sality.NAE (ESET)
  • Virus.Win32.Flot (Ikarus)
  • Infected: Virus:Win32/Sality.gen!enc (Microsoft)
  • W32/Sality.O (Panda)
  • Win32.Sality (Rising AV)
  • W32/Sality-AI (Sophos)
  • Win32.Sality.AE (Sunbelt Software)
  • W32.HLLP.Sality.O (Symantec)
  • PE_SALITY.AE (Trend Micro)