Virus:Win32/Sality.AT

(?)

Encyclopedia entry
Updated: Sep 08, 2010 | Published: Apr 26, 2010

Aliases

W32/Sality.B.gen!Eldorado

Command

W32/Sality.AT (Avira)
Win32/Sality.AA (CA)
Win32.Sector.21 (Dr.Web)
Win32/Sality.NBA (ESET)
Trojan.Win32.Vilsel.vyy (Kaspersky)
W32/Sality.gen.e (McAfee)
W32/Sality.BD (Norman)
W32/Spamta.QO.worm (Panda)
Win32.KUKU.kj (Rising AV)
Troj/SalLoad-A (Sophos)
PE_SALITY.BA (Trend Micro)

Alert Level (?)
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.

Detection last updated:
Definition: 1.89.42.0
Released: Aug 20, 2010

Detection initially created:
Definition: 1.79.247.0
Released: Mar 20, 2010

Summary

Virus:Win32/Sality.AT is a detection for a virus that spreads by infecting Windows executable files and by copying itself to removable and remote drives. It also terminates various security products, prevents certain Windows utilities from executing and attempts to download additional files from a predefined remote Web server.

Top

Symptoms

System changes

The following system changes may indicate the presence of this malware:

Sudden termination of certain security-related applications, processes or services
Inability to run Windows Registry Editor
The presence of the following driver:
%SystemRoot%\system32\drivers\amsint32.sys
Failure for certain security-related applications to run due to deletion of installed components such as files with the following extensions:

.AVC
.VDB

Top

Technical Information (Analysis)

Installation

When run, Virus:Win32/Sality.AT drops a device driver as the following:

%SystemRoot%\system32\drivers\amsint32.sys - Trojan:WinNT/Sality

The virus creates and starts a system service named "amsint32" to run the dropped driver component. Virus:Win32/Sality.AT communicates with the driver component to restore SSDT.

Spreads via…

File infection

Virus:Win32/Sality.AT injects code into all running processes to load and run the virus and infect Windows executable files with extension ".EXE" or ".SCR". The virus seeks other target files by reading file names found in the following registry subkeys:

HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Virus:Win32/Sality.AT will not infect files protected by SFC or if the file name starts with one of the following strings:

_AVPM.
A2GUARD.
AAVSHIELD.
AVAST
ADVCHK.
AHNSD.
AIRDEFENSE
ALERTSVC
ALOGSERV
ALSVC.
AMON.
ANTI-TROJAN.
AVZ.
ANTIVIR
APVXDWIN.
ARMOR2NET.
ASHAVAST.
ASHDISP.
ASHENHCD.
ASHMAISV.
ASHPOPWZ.
ASHSERV.
ASHSIMPL.
ASHSKPCK.
ASHWEBSV.
ASWUPDSV.
ATCON.
ATUPDATER.
ATWATCH.
AVCIMAN.
AVCONSOL.
AVENGINE.
AVESVC.
AVGAMSVR.
AVGCC.
AVGCC32.
AVGCTRL.
AVGEMC.
AVGFWSRV.
AVGNT.
AVGNTDD
AVGNTMGR
AVGSERV.
AVGUARD.
AVGUPSVC.
AVINITNT.
AVKSERV.
AVKSERVICE.
AVKWCTL.
AVP.
AVP32.
AVPCC.
AVPM.
AVAST
AVSERVER.
AVSCHED32.
AVSYNMGR.
AVWUPD32.
AVWUPSRV.
AVXMONITOR9X.
AVXMONITORNT.
AVXQUAR.
BDMCON.
BDNEWS.
BDSUBMIT.
BDSWITCH.
BLACKD.
BLACKICE.
CAFIX.
CCAPP.
CCEVTMGR.
CCPROXY.
CCSETMGR.
CFIAUDIT.
CLAMTRAY.
CLAMWIN.
CLAW95.
CUREIT
DEFWATCH.
DRVIRUS.
DRWADINS.
DRWEB32W.
DRWEBSCD.
DRWEBUPW.
DWEBLLIO
DWEBIO
ESCANH95.
ESCANHNT.
EWIDOCTRL.
EZANTIVIRUSREGISTRATIONCHECK.
F-AGNT95.
FAMEH32.
FILEMON
FIRESVC.
FIRETRAY.
FIREWALL.
FPAVUPDM.
FRESHCLAM.
EKRN.
FSAV32.
FSAVGUI.
FSBWSYS.
F-SCHED.
FSDFWD.
FSGK32.
FSGK32ST.
FSGUIEXE.
FSMA32.
FSMB32.
FSPEX.
FSSM32.
F-STOPW.
GCASDTSERV.
GCASSERV.
GIANTANTISPYWAREMAIN.
GIANTANTISPYWAREUPDATER.
GUARDGUI.
GUARDNT.
HREGMON.
HRRES.
HSOCKPE.
HUPDATE.
IAMAPP.
IAMSERV.
ICLOAD95.
ICLOADNT.
ICMON.
ICSSUPPNT.
ICSUPP95.
ICSUPPNT.
IFACE.
INETUPD.
INOCIT.
INORPC.
INORT.
INOTASK.
INOUPTNG.
IOMON98.
ISAFE.
ISATRAY.
ISRV95.
ISSVC.
KAV.
KAVMM.
KAVPF.
KAVPFW.
KAVSTART.
KAVSVC.
KAVSVCUI.
KMAILMON.
KPFWSVC.
MCAGENT.
MCMNHDLR.
MCREGWIZ.
MCUPDATE.
MCVSSHLD.
MINILOG.
MYAGTSVC.
MYAGTTRY.
NAVAPSVC.
NAVAPW32.
NAVLU32.
NAVW32.
NEOWATCHLOG.
NEOWATCHTRAY.
NISSERV
NISUM.
NMAIN.
NOD32
NORMIST.
NOTSTART.
NPAVTRAY.
NPFMNTOR.
NPFMSG.
NPROTECT.
NSCHED32.
NSMDTR.
NSSSERV.
NSSTRAY.
NTRTSCAN.
NTOS.
NTXCONFIG.
NUPGRADE.
NVCOD.
NVCTE.
NVCUT.
NWSERVICE.
OFCPFWSVC.
OUTPOST
OP_MON.
PAVFIRES.
PAVFNSVR.
PAVKRE.
PAVPROT.
PAVPROXY.
PAVPRSRV.
PAVSRV51.
PAVSS.
PCCGUIDE.
PCCIOMON.
PCCNTMON.
PCCPFW.
PCCTLCOM.
PCTAV.
PERSFW.
PERTSK.
PERVAC.
PNMSRV.
POP3TRAP.
POPROXY.
PREVSRV.
PSIMSVC.
QHONLINE.
QHONSVC.
QHWSCSVC.
RAVMON.
RAVTIMER.
AVGNT
AVCENTER.
RFWMAIN.
RTVSCAN.
RTVSCN95.
RULAUNCH.
SALITY
SAVADMINSERVICE.
SAVMAIN.
SAVPROGRESS.
SAVSCAN.
SCANNINGPROCESS.
SDRA64.
SDHELP.
SHSTAT.
SITECLI.
SPBBCSVC.
SPHINX.
SPIDERCPL.
SPIDERML.
SPIDERNT.
SPIDERUI.
SPYBOTSD.
SPYXX.
SS3EDIT.
STOPSIGNAV.
SWAGENT.
SWDOCTOR.
SWNETSUP.
SYMLCSVC.
SYMPROXYSVC.
SYMSPORT.
SYMWSC.
SYNMGR.
TAUMON.
TBMON.
AVAST
TMLISTEN.
TMNTSRV.
TMPFW.
TMPROXY.
TNBUTIL.
TRJSCAN.
UP2DATE.
VBA32ECM.
VBA32IFS.
VBA32LDR.
VBA32PP3.
VBSNTW.
VCRMON.
VPTRAY.
VRFWSVC.
VRMONNT.
VRMONSVC.
VRRW32.
VSECOMR.
VSHWIN32.
VSMON.
VSSERV.
VSSTAT.
WATCHDOG.
WEBSCANX.
WEBTRAP.
WGFE95.
WINAW32.
WINROUTE.
WINSS.
WINSSNOTIFY.
WRCTRL.
XCOMMSVR.
ZAUINST
ZLCLIENT
ZONEALARM

Removable and remote drives

Virus:Win32/Sality.AT attempts to copy one of following files to the Windows temporary files folder (e.g. %TEMP%) and infects the copied file:

%SystemRoot%\system32\NOTEPAD.EXE

%SystemRoot%\system32\WINMINE.EXE

The virus copies the infected file to the root of all remote and removable drives as one of the following:

\<random>.pif

\<random>.exe

\<random>.cmd

The virus then writes an Autorun configuration file named "autorun.inf" pointing to the virus copy. When the drive is accessed from a computer supporting the Autorun feature, the virus is launched automatically.

Payload

Prevents booting Windows in safe mode

Win32/Sality.AT recursviely deletes all registry values and data under the following registry subkeys preventing the user from starting Windows in safe mode:

HKLM\System\CurrentControlSet\Control\SafeBoot
HKCU\System\CurrentControlSet\Control\SafeBoot

Disables security monitoring software

Win32/Sality.AT reads the system service descriptor table (SSDT) directly from the NT kernel ("ntoskrnl.exe") and passes the original SSDT to a buffer created by the driver component (Trojan:WinNT/Sality). System API calls to the SSDT are redirected to the clean version stored in the driver component. The behavior may block some HIPS or antivirus on-access detection methods that rely on SSDT hooks.

Deletes security-related files

This virus deletes security data files including security software detection database files or signatures that have the following file extensions found in all drives and network shares:

.AVC
.VDB

Terminates security-related services
Win32/Sality attempts to stop and delete the following security-related services:

Agnitum Client Security Service
ALG
Amon monitor
aswUpdSv
aswMon2
aswRdr
aswSP
aswTdi
aswFsBlk
acssrv
AV Engine
avast! iAVS4 Control Service
avast! Antivirus
avast! Mail Scanner
avast! Web Scanner
avast! Asynchronous Virus Monitor
avast! Self Protection
AVG E-mail Scanner
Avira AntiVir Premium Guard
Avira AntiVir Premium WebGuard
Avira AntiVir Premium MailGuard
AVP
avp1
BackWeb Plug-in - 4476822
bdss
BGLiveSvc
BlackICE
CAISafe
ccEvtMgr
ccProxy
ccSetMgr
COMODO Firewall Pro Sandbox Driver
cmdGuard
cmdAgent
Eset Service
Eset HTTP Server
Eset Personal Firewall
F-Prot Antivirus Update Monitor
fsbwsys
FSDFWD
F-Secure Gatekeeper Handler Starter
FSMA
Google Online Services
InoRPC
InoRT
InoTask
ISSVC
KPF4
KLIF
LavasoftFirewall
LIVESRV
McAfeeFramework
McShield
McTaskManager
navapsvc
NOD32krn
NPFMntor
NSCService
Outpost Firewall main module
OutpostFirewall
PAVFIRES
PAVFNSVR
PavProt
PavPrSrv
PAVSRV
PcCtlCom
PersonalFirewal
PREVSRV
ProtoPort Firewall service
PSIMSVC
RapApp
SmcService
SNDSrvc
SPBBCSvc
SpIDer FS Monitor for Windows NT
SpIDer Guard File System Monitor
SPIDERNT
Symantec Core LC
Symantec Password Validation
Symantec AntiVirus Definition Watcher
SavRoam
Symantec AntiVirus
Tmntsrv
TmPfw
tmproxy
tcpsr
UmxAgent
UmxCfg
UmxLU
UmxPol
vsmon
VSSERV
WebrootDesktopFirewallDataService
WebrootFirewall
XCOMM

Terminates security-related processes

Win32/Sality attempts to terminate the following security-related processes:

Additionally, Virus:Win32/Sality.AT kills processes which have following modules loaded:

DWEBLLIO
DWEBIO

Modifies Windows settings

Virus:Win32/Sality.AT modifies the registry to disable Windows Registry Editor:

Sets value: "DisableRegistryTools"
With data: "1"

Under subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system

The virus modifies the registry to prevent viewing files with hidden attributes.

Sets value: "Hidden"
With data: "2"
Under subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer

Lowers computer security

Virus:Win32/Sality.AT modifies the registry to bypass the Windows firewall.

Sets value: "<virus file name>:*:enabled:ipsec"
With data: "<virus file name>"
Under subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List

The virus modifies other registry data that lower the security of the infected computer. Virus:Win32/Sality.AT modifies the following registry data to change Windows Security Center and Windows Firewall settings.

Sets value: "AntiVirusOverride"
with data: "1"
Under subkey: HKLM\SOFTWARE\Microsoft\Security Center

Sets value: "AntiVirusOverride"
with data: "1"
Under subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc

Sets value: "AntiVirusDisableNotify"
with data: "1"
Under subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc

Sets value: "FirewallOverride"
with data: "1"
Under subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc

Sets value: "FirewallDisableNotify"
with data: "1"
Under subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc

Sets value "EnableFirewall"
with data: "0"
Under subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

Downloads arbitrary files

Virus:Win32/Sality.AT attempts to download files from remote servers to the local drive, then decrypts and executes the downloaded files. We have observed the virus to connect to the following servers:

www.klkjwre9fqwieluoi.info
kukutrustnet777888.info
klkjwre77638dfqwieuoi888.info
89.119.67.154
kukutrustnet777.info
kukutrustnet888.info
kukutrustnet987.info

At the time of this writing, retrieved files were identified as the following:

Analysis by Shawn Wang and Hamish O'Dea

Top

Prevention

Take these steps to help prevent infection on your computer.

Top

Recovery

Use Microsoft Security Essentials or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Due to the file removal payload of this virus, recovery of the affected files requires re-installation of the affected software applications.

Disable Autorun functionality

Win32/Sality.AT attempts to spread via removable drives on computers that support Autorun functionality. This is a particularly common method of spreading for many current malware families. For information on disabling Autorun functionality, please see the following article:

http://support.microsoft.com/kb/967715/

Recovering from recurring infections on a network

The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:

Ensure that an antivirus product is installed on ALL computers connected to the network that can access or host shares (see above for further detail).
Ensure that all available network shares are scanned with an up-to-date antivirus product.
Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/library/bb456977.aspx.
Remove any unnecessary network shares or mapped drives.

Note: Additionally it may be necessary to temporarily change the permission on network shares to read-only until the disinfection process is complete.

Enabling registry editor

This threat may modify the computer to prevent Registry Editor from running. To enable Registry Editor in your computer, please do the following:

Run a command prompt. Click Start>Run and type cmd.
In the command prompt, type the following as is and press Enter:
reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
Type exit at the command prompt.

Top


	Provide feedback Please note: While your feedback is very important to us, we do not respond to individual submissions through this channel. Feedback, requests, or questions submitted through this form are monitored, however responses are not generated. If you require support, please visit the Safety & Security Center.