Virus:Win32/Sality.AU


Virus:Win32/Sality.AU is a virus that infects executable files. It is known to be dropped on the computer by Worm:Win32/Sality.AU. It also spreads to removable and remote drives.
 
Virus:Win32/Sality.AU has an extensive list of payloads, including disabling certain system processes, lowering the computer's security, terminating security-related processes and services, and disabling monitoring software and System Restore.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
Recovering from recurring infections on a network
The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:
 
  1. Ensure that an antivirus product is installed on ALL computers connected to the network that can access or host shares.
  2. Ensure that all available network shares are scanned with an up-to-date antivirus product.
  3. Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/library/bb456977.aspx.
  4. Remove any unnecessary network shares or mapped drives.
 
Note: Additionally, it may be necessary to temporarily change the permissions on network shares to read-only until the disinfection process is complete.
Removing a program exception
This threat may add a malware program to the Windows Firewall exception list. To remove the program exception, follow these steps:
 
For Windows 7:
1) Click Start, select Control Panel, then System and Security.
2) Select Windows Firewall.
3) On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4) Click Change Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
5) Select ipsec from the list of allowed programs and features. Click Remove.
6) Click OK.
 
For Windows Vista:
1) Click Start, select Control Panel, then Security Center.
2) On the left-hand menu, select Windows Firewall.
3) On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4) Select ipsec from the list of allowed programs and features. Click Delete.
5) Click OK.
 
For Windows XP:
1) Use an administrator account to log on.
2) Click Start, select Run, type wscui.cpl, and then click OK.
3) In Windows Security Center, click Windows Firewall.
4) On the Exceptions tab, click ipsec and then click Delete.
5) Click OK.
Enabling registry editor
This threat may modify the computer to prevent Registry Editor from running. To re-enable Registry Editor on your computer, please do the following:
 
  1. Run a command prompt. Click Start>Run and type cmd.
  2. In the command prompt, type the following as is and press Enter:
    reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
  3. Type exit at the command prompt.
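The two manual corrections above (removing the "ipsec" firewall exception and re-enabling Registry Editor) can also be scripted. The following PowerShell is an added example and is not part of the original Microsoft entry. It removes every entry under the firewall exception list this entry reports whose name or data ends in ":ipsec", and resets DisableRegistryTools to 0, the same change the reg.exe command in step 2 makes. It assumes the exception is stored in the legacy StandardProfile\AuthorizedApplications\List registry key named in this entry; on a host that keeps its firewall policy elsewhere, use the Windows Firewall steps above instead. Run it from an elevated prompt after the antivirus scan has finished.

```powershell
# Added remediation example, not part of the Microsoft encyclopedia entry.
# Scripted equivalent of the manual "Removing a program exception" and
# "Enabling registry editor" steps. Run from an elevated PowerShell prompt
# after the antivirus scan has removed the infected files.

# Assumption: the exception is stored in the legacy XP/Vista-style key that this entry names.
$listPath = 'SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

# Open the key writable through .NET: the value names contain '*' and ':', which the
# PowerShell registry cmdlets would otherwise interpret as wildcards.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($listPath, $true)
if ($null -ne $key) {
    foreach ($name in $key.GetValueNames()) {
        $data = "$($key.GetValue($name))"
        # The entry describes the value as "<malware file name>:*:enabled:ipsec"; check both
        # the name and the data so the match does not depend on which side holds the suffix.
        if ($name -like '*:ipsec' -or $data -like '*:ipsec') {
            Write-Output "Removing firewall exception '$name' -> '$data'"
            $key.DeleteValue($name)
        }
    }
    $key.Close()
} else {
    Write-Output 'Firewall exception list key not present; nothing to remove.'
}

# Re-enable Registry Editor for the current user (DisableRegistryTools = 0).
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if (-not (Test-Path -LiteralPath $policy)) { New-Item -Path $policy -Force | Out-Null }
Set-ItemProperty -LiteralPath $policy -Name 'DisableRegistryTools' -Value 0 -Type DWord
Write-Output 'DisableRegistryTools set to 0; Registry Editor is available again.'
```

Because the script only touches values whose name or data ends in ":ipsec", legitimate firewall exceptions in the same list are left alone; review the lines it prints before assuming the host is clean.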
Additional remediation instructions for Virus:Win32/Sality.AU
This threat may make lasting changes to a computer’s configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following article/s: 

Threat behavior

Virus:Win32/Sality.AU is a virus that infects executable files. It is known to be dropped on the computer by Worm:Win32/Sality.AU. It also spreads to removable and remote drives.
 
Virus:Win32/Sality.AU disables certain system processes. It also lowers the computer's security by changing firewall settings, terminates security-related processes and services, and disables monitoring software and System Restore.
Installation
Virus:Win32/Sality.AU creates the following mutex:
 
  • op1mutx9
 
It also creates the following registry entry as part of its installation routine:
 
Adds value: "session"
With data: "<numeric value>"
In subkey: HKCU\SOFTWARE\bntrp
 
It checks whether the default "system.ini" file has the section "[fje32a1s]" with the key "minr". If it doesn't, Virus:Win32/Sality.AU writes this section as part of its installation routine.
 
Virus:Win32/Sality.AU creates and executes the following file:
 
%Temp%\<random file name>.exe - also detected as Virus:Win32/Sality.AU
 
for example:
 
%Temp%\2ff07.exe
Spreads via...
File infection
Virus:Win32/Sality.AU injects code into all running processes to load and run itself. It infects Windows executable files with the following extensions:
 
  • .EXE
  • .SCR
 
The virus seeks other target files by reading file names found in the following registry subkeys:
 
  • HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 
Virus:Win32/Sality.AU does not infect files protected by the Windows System File Checker (SFC), nor files whose name starts with one of the following strings:
 
A2CMD.  
A2FREE  
A2GUARD
A2SERVICE.  
ADVCHK.
AGB.
AHPROCMONSERVER.
AIRDEFENSE  
AKRNL.  
ALERTSVC
AMON.
ANTIVIR
APVXDWIN.
ARMOR2NET.  
ASHAVAST.
ASHDISP.
ASHENHCD.
ASHMAISV.
ASHPOPWZ.
ASHSERV.
ASHSIMPL.
ASHSKPCK.
ASHWEBSV.
ASWSCAN
ASWUPDSV.
AVAST
AVCENTER
AVCIMAN.
AVCONSOL.
AVENGINE.
AVESVC.
AVEVAL.
AVEVL32.
AVGAM
AVGCC.
AVGCC32.
AVGCHSVX.
AVGCSRVX.
AVGCTRL.
AVGEMC.
AVGFWSRV.
AVGNSX.
AVGNT.  
AVGNTMGR
AVGSERV.
AVGTRAY.
AVGUARD.
AVGUPSVC.
AVGWDSVC.
AVINITNT.
AVIRA
AVKSERV.
AVKSERVICE.
AVKWCTL.
AVP.
AVP32.  
AVPCC.  
AVPM.
AVSCHED32.  
AVSERVER.
AVSYNMGR.
AVWUPD32.
AVWUPSRV.
AVXMONITOR  
AVXQUAR.
AVZ.
BDSWITCH.
BITDEFENDER
BLACKD.
BLACKICE.
CAFIX.  
CCEVTMGR.
CCSETMGR.
CFIAUDIT.
CFP.
CFPCONFIG.  
CLAMTRAY.
CLAMWIN.
CUREIT  
DEFENDERDAEMON  
DEFWATCH.
DRVIRUS.
DRWADINS.
DRWEB
DWEBIO  
DWEBLLIO
EKRN.
ESCANH95.
ESCANHNT.
EWIDOCTRL.  
EZANTIVIRUSREGISTRATIONCHECK.
F-AGNT95.
F-SCHED.
F-STOPW.
FAMEH32.
FILEMON
FIREWALL
FORTICLIENT
FORTISCAN
FORTITRAY.  
FPAVSERVER.
FPROTTRAY.  
FPWIN.  
FRESHCLAM.  
FSAV32.
FSAVGUI.
FSBWSYS.
FSDFWD.
FSGK32.
FSGK32ST.
FSGUIEXE.
FSMA32.
FSMB32.
FSPEX.  
FSSM32.
GCASDTSERV.
GCASSERV.
GIANTANTISPYWARE
GUARDGUI.
GUARDNT.
GUARDXKICKOFF.  
GUARDXSERVICE.  
HREGMON.
HRRES.  
HSOCKPE.
HUPDATE.
IAMAPP.
IAMSERV.
ICLOAD95.
ICLOADNT.
ICMON.  
ICSSUPPNT.  
ICSUPP95.
ICSUPPNT.
INETUPD.
INOCIT.
INORPC.
INORT.  
INOTASK.
INOUPTNG.
IOMON98.
IPTRAY.
ISAFE.  
ISATRAY.
KAV.
KAVMM.  
KAVPF.  
KAVPFW.
KAVSTART.
KAVSVC.
KAVSVCUI.
KMAILMON.
MAMUTU  
MCAGENT.
MCMNHDLR.
MCREGWIZ.
MCUPDATE.
MCVSSHLD.
MINILOG.
MYAGTSVC.
MYAGTTRY.
NAVAPSVC.
NAVAPW32.
NAVLU32.
NAVW32.
NEOWATCHLOG.
NEOWATCHTRAY.
NISSERV
NISUM.  
NMAIN.  
NOD32
NORMIST.
NOTSTART.
NPAVTRAY.
NPFMNTOR.
NPFMSG.
NPROTECT.
NSCHED32.
NSMDTR.
NSSSERV.
NSSTRAY.
NTOS.
NTRTSCAN.
NTXCONFIG.  
NUPGRADE.
NVCOD.  
NVCTE.  
NVCUT.  
NWSERVICE.  
OFCPFWSVC.  
ONLINENT.
OP_MON.
OPSSVC.
OUTPOST
PAVFIRES.
PAVFNSVR.
PAVKRE.
PAVPROT.
PAVPROXY.
PAVPRSRV.
PAVSRV51.
PAVSS.  
PCCGUIDE.
PCCIOMON.
PCCNTMON.
PCCPFW.
PCCTLCOM.
PCTAV.  
PERSFW.
PERTSK.
PERVAC.
PESTPATROL  
PNMSRV.
PREVSRV.
PREVX
PSIMSVC.
QHONLINE.
QHONSVC.
QHSET.  
QHWSCSVC.
QUHLPSVC.
RFWMAIN.
RTVSCAN.
RTVSCN95.
SALITY  
SAPISSVC.
SAVADMINSERVICE.
SAVMAIN.
SAVPROGRESS.
SAVSCAN.
SCANNINGPROCESS.
SCANWSCS.
SDHELP.
SDRA64.
SHSTAT.
SITECLI.
SPBBCSVC.
SPHINX.
SPIDERCPL.  
SPIDERML.
SPIDERNT.
SPIDERUI.
SPYBOTSD.
SPYXX.  
SS3EDIT.
STOPSIGNAV.
SWAGENT.
SWDOCTOR.
SWNETSUP.
SYMLCSVC.
SYMPROXYSVC.
SYMSPORT.
SYMWSC.
SYNMGR.
TAUMON.
TBMON.  
TMLISTEN.
TMNTSRV.
TMPROXY.
TNBUTIL.
TRJSCAN.
TROJAN.
VBA32ECM.
VBA32IFS.
VBA32LDR.
VBA32PP3.
VBSNTW.
VCRMON.
VPTRAY.
VRFWSVC.
VRMONNT.
VRMONSVC.
VRRW32.
VSECOMR.
VSHWIN32.
VSMON.  
VSSERV.
VSSTAT.
WATCHDOG.
WEBSCANX.
WINSSNOTIFY.
WRCTRL.
XCOMMSVR.
ZLCLIENT
ZONEALARM
 
Removable and remote drives
Virus:Win32/Sality.AU copies the infected file to the root of all remote and removable drives as one of the following:
 
  • <drive>\<random file name>.pif
  • <drive>\<random file name>.exe
 
It then writes an Autorun configuration file named "autorun.inf" pointing to the virus copy. When the drive is accessed from a computer supporting the Autorun feature, the virus is launched automatically.
Payload
Connects to a remote server
Virus:Win32/Sality.AU connects to a remote server at the following address:
 
  • cdeinaa.com/sm.php?pizda1=angel
 
Drops other malware
Virus:Win32/Sality.AU drops a device driver as the following file:
 
%SystemRoot%\system32\drivers\amsint32.sys - detected as Trojan:WinNT/Sality
 
Prevents booting Windows in safe mode
Win32/Sality.AU recursively deletes all registry values and data under the following registry subkeys, preventing the user from starting Windows in safe mode:
 
  • HKLM\System\CurrentControlSet\Control\SafeBoot
  • HKCU\System\CurrentControlSet\Control\SafeBoot
 
Disables security monitoring software
Win32/Sality.AU reads the system service descriptor table (SSDT) directly from the NT kernel ("ntoskrnl.exe") and passes the original SSDT to a buffer created by its dropped driver component (Trojan:WinNT/Sality).
 
System API calls that go through the SSDT are redirected to the clean copy stored in the driver component. This behavior may block HIPS or antivirus on-access detection methods that rely on SSDT hooks.
 
Deletes security-related files
This virus deletes security data files, such as the detection database or signature files of security software, that have the following file extensions, on all drives and network shares:
 
  • .AVC
  • .VDB
 
Terminates security-related services
Win32/Sality.AU attempts to stop and delete the following security-related services:
 
Acssrv
Alg
Amon Monitor
Aswfsblk
Aswmon2
Aswrdr
Aswsp
Aswtdi
Aswupdsv
Av Engine
Avast! Antivirus
Avast! Asynchronous Virus Monitor
Avast! Iavs4 Control Service
Avast! Mail Scanner
Avast! Self Protection
Avast! Web Scanner
Avg E-Mail Scanner
Avira Antivir Premium Guard
Avira Antivir Premium Mailguard
Avira Antivir Premium Webguard
Avp Agnitum Client Security Service
Bglivesvc
Blackice
Caisafe
Ccevtmgr
Ccproxy
Ccsetmgr
Cmdagent
Cmdguard
Comodo Firewall Pro Sandbox Driver
Eset Http Server
Eset Personal Firewall
Eset Service
F-Prot Antivirus Update Monitor
F-Secure Gatekeeper Handler Starter
Fsbwsys
Fsdfwd
Fsma
Google Online Services
Inorpc
Inort
Inotask
Issvc
Klif
Kpf4
Lavasoftfirewall
Livesrv
Mcafeeframework
Mcshield
Mctaskmanager
Mpssvc
Navapsvc
Nod32Krn
Npfmntor
Nscservice
Outpost Firewall Main Module
Outpostfirewall
Pavfires
Pavfnsvr
Pavprot
Pavprsrv
Pavsrv
Pcctlcom
Personalfirewal
Prevsrv
Protoport Firewall Service
Psimsvc
Rapapp
Savroam
Sharedaccess
Smcservice
Sndsrvc
Spbbcsvc
Spider Fs Monitor For Windows Nt
Spider Guard File System Monitor
Spidernt
Symantec Antivirus
Symantec Antivirus Definition Watcher
Symantec Core Lc
Symantec Password Validation
Tmntsrv
Tmpfw
Umxagent
Umxcfg
Umxlu
Umxpol
Vsmon
Vsserv
Webrootdesktopfirewalldataservice
Webrootfirewall
Wscsvc
Xcomm
 
Terminates security-related processes
Win32/Sality.AU attempts to terminate security-related processes that contain any of the following strings:
 
A2CMD.
A2FREE
A2GUARD
A2SERVICE.
ADVCHK.
AGB.
AHPROCMONSERVER.
AIRDEFENSE
AKRNL.
ALERTSVC
AMON.
ANTIVIR
APVXDWIN.
ARMOR2NET.
ASHAVAST.
ASHDISP.
ASHENHCD.
ASHMAISV.
ASHPOPWZ.
ASHSERV.
ASHSIMPL.
ASHSKPCK.
ASHWEBSV.
ASWSCAN
ASWUPDSV.
AVAST
AVCENTER
AVCIMAN.
AVCONSOL.
AVENGINE.
AVESVC.
AVEVAL.
AVEVL32.
AVGAM
AVGCC.
AVGCC32.
AVGCHSVX.
AVGCSRVX.
AVGCTRL.
AVGEMC.
AVGFWSRV.
AVGNSX.
AVGNT.
AVGNTMGR
AVGSERV.
AVGTRAY.
AVGUARD.
AVGUPSVC.
AVGWDSVC.
AVINITNT.
AVIRA
AVKSERV.
AVKSERVICE.
AVKWCTL.
AVP.
AVP32.
AVPCC.
AVPM.
AVSCHED32.
AVSERVER.
AVSYNMGR.
AVWUPD32.
AVWUPSRV.
AVXMONITOR
AVXQUAR.
AVZ.
BDSWITCH.
BITDEFENDER
BLACKD.
BLACKICE.
CAFIX.
CCEVTMGR.
CCSETMGR.
CFIAUDIT.
CFP.
CFPCONFIG.
CLAMTRAY.
CLAMWIN.
CUREIT
DEFENDERDAEMON
DEFWATCH.
DRVIRUS.
DRWADINS.
DRWEB
DWEBIO
DWEBLLIO
EKRN.
ESCANH95.
ESCANHNT.
EWIDOCTRL.
EZANTIVIRUSREGISTRATIONCHECK.
F-AGNT95.
F-SCHED.
F-STOPW.
FAMEH32.
FILEMON
FIREWALL
FORTICLIENT
FORTISCAN
FORTITRAY.
FPAVSERVER.
FPROTTRAY.
FPWIN.
FRESHCLAM.
FSAV32.
FSAVGUI.
FSBWSYS.
FSDFWD.
FSGK32.
FSGK32ST.
FSGUIEXE.
FSMA32.
FSMB32.
FSPEX.
FSSM32.
GCASDTSERV.
GCASSERV.
GIANTANTISPYWARE
GUARDGUI.
GUARDNT.
GUARDXKICKOFF.
GUARDXSERVICE.
HREGMON.
HRRES.
HSOCKPE.
HUPDATE.
IAMAPP.
IAMSERV.
ICLOAD95.
ICLOADNT.
ICMON.
ICSSUPPNT.
ICSUPP95.
ICSUPPNT.
INETUPD.
INOCIT.
INORPC.
INORT.
INOTASK.
INOUPTNG.
IOMON98.
IPTRAY.
ISAFE.
ISATRAY.
KAV.
KAVMM.
KAVPF.
KAVPFW.
KAVSTART.
KAVSVC.
KAVSVCUI.
KMAILMON.
MAMUTU
MCAGENT.
MCMNHDLR.
MCREGWIZ.
MCUPDATE.
MCVSSHLD.
MINILOG.
MYAGTSVC.
MYAGTTRY.
NAVAPSVC.
NAVAPW32.
NAVLU32.
NAVW32.
NEOWATCHLOG.
NEOWATCHTRAY.
NISSERV
NISUM.
NMAIN.
NOD32
NORMIST.
NOTSTART.
NPAVTRAY.
NPFMNTOR.
NPFMSG.
NPROTECT.
NSCHED32.
NSMDTR.
NSSSERV.
NSSTRAY.
NTOS.
NTRTSCAN.
NTXCONFIG.
NUPGRADE.
NVCOD.
NVCTE.
NVCUT.
NWSERVICE.
OFCPFWSVC.
ONLINENT.
OP_MON.
OPSSVC.
OUTPOST
PAVFIRES.
PAVFNSVR.
PAVKRE.
PAVPROT.
PAVPROXY.
PAVPRSRV.
PAVSRV51.
PAVSS.
PCCGUIDE.
PCCIOMON.
PCCNTMON.
PCCPFW.
PCCTLCOM.
PCTAV.
PERSFW.
PERTSK.
PERVAC.
PESTPATROL
PNMSRV.
PREVSRV.
PREVX
PSIMSVC.
QHONLINE.
QHONSVC.
QHSET.
QHWSCSVC.
QUHLPSVC.
RFWMAIN.
RTVSCAN.
RTVSCN95.
SALITY
SAPISSVC.
SAVADMINSERVICE.
SAVMAIN.
SAVPROGRESS.
SAVSCAN.
SCANNINGPROCESS.
SCANWSCS.
SDHELP.
SDRA64.
SHSTAT.
SITECLI.
SPBBCSVC.
SPHINX.
SPIDERCPL.
SPIDERML.
SPIDERNT.
SPIDERUI.
SPYBOTSD.
SPYXX.
SS3EDIT.
STOPSIGNAV.
SWAGENT.
SWDOCTOR.
SWNETSUP.
SYMLCSVC.
SYMPROXYSVC.
SYMSPORT.
SYMWSC.
SYNMGR.
TAUMON.
TBMON.
TMLISTEN.
TMNTSRV.
TMPROXY.
TNBUTIL.
TRJSCAN.
TROJAN.
VBA32ECM.
VBA32IFS.
VBA32LDR.
VBA32PP3.
VBSNTW.
VCRMON.
VPTRAY.
VRFWSVC.
VRMONNT.
VRMONSVC.
VRRW32.
VSECOMR.
VSHWIN32.
VSMON.
VSSERV.
VSSTAT.
WATCHDOG.
WEBSCANX.
WINSSNOTIFY.
WRCTRL.
XCOMMSVR.
ZLCLIENT
ZONEALARM
 
Additionally, Virus:Win32/Sality.AU terminates processes that have any of the following modules loaded:
 
  • DWEBLLIO
  • DWEBIO
 
Modifies Windows settings
Virus:Win32/Sality.AU modifies the registry to disable Windows Registry Editor:
Adds value: "DisableRegistryTools"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
 
The virus also modifies the registry to prevent viewing files with hidden attributes:
Adds value: "Hidden"
With data: "2"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
 
Lowers computer security
Virus:Win32/Sality.AU modifies the registry to bypass the Windows firewall:
Adds value: "<malware file name>:*:enabled:ipsec"
With data: "<malware file name>"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
 
The virus also modifies the following registry data to change Windows Security Center and Windows Firewall settings, which lowers the security of the infected computer.
 
Adds value: "AntiVirusOverride"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
 
Adds value: "AntiVirusOverride"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
 
Adds value: "AntiVirusDisableNotify"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
 
Adds value: "FirewallOverride"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
 
Adds value: "FirewallDisableNotify"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
 
Adds value: "EnableFirewall"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
 
Adds value: "GlobalUserOffline"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
 
Adds value: "EnableLUA"
With data: "0"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
 
Downloads arbitrary files
Virus:Win32/Sality.AU attempts to download files from remote servers to the local drive, then decrypts and executes the downloaded files. We have observed the virus connecting to the following servers:
 
  • 89.119.67.154
  • kukutrustnet777.info
  • kukutrustnet888.info
  • kukutrustnet987.info
  • www.klkjwre9fqwieluoi.info
 
At the time of this writing, the requested files are unavailable for analysis.
 
Analysis by Marianne Mallen

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following registry subkey:
    HKCU\SOFTWARE\bntrp
  • The presence of the following file, which may be detected as Trojan:WinNT/Sality:
    %SystemRoot%\system32\drivers\amsint32.sys
  • The presence of the following file:
    %Temp%\2ff07.exe
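The following read-only PowerShell triage script checks a host for the indicators described in this entry. It is an added example and is not part of the original Microsoft entry. Beyond the three symptoms listed above, it also checks the mutex, the system.ini section, the policy and Security Center values, the "ipsec" firewall exception and the SafeBoot configuration described under Threat behavior, and looks for autorun.inf at the root of removable and network drives. The SafeBoot\Minimal and SafeBoot\Network subkey names are standard Windows defaults assumed here rather than taken from the entry. The script reports findings and changes nothing; run it from an elevated prompt.

```powershell
# Added triage example, not part of the Microsoft encyclopedia entry.
# Read-only: reports indicators described for Virus:Win32/Sality.AU and changes nothing.
# Run from an elevated PowerShell prompt on the suspect host.

$findings = New-Object System.Collections.Generic.List[string]

function Test-RegValue {
    # True when the named value exists under $Path and equals $Expected.
    param([string]$Path, [string]$Name, $Expected)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$Name -eq $Expected)
}

# --- Installation artifacts named in the entry ---
if (Test-Path -LiteralPath 'HKCU:\SOFTWARE\bntrp') { $findings.Add('Registry subkey HKCU\SOFTWARE\bntrp present') }

$driver = Join-Path $env:SystemRoot 'system32\drivers\amsint32.sys'
if (Test-Path -LiteralPath $driver) { $findings.Add("Driver file present: $driver") }

# 2ff07.exe is only one example of a random name, so every .exe in %Temp% is listed for review.
Get-ChildItem -Path $env:TEMP -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { $findings.Add("Executable in %Temp%: $($_.FullName)") }

$sysIni = Join-Path $env:SystemRoot 'system.ini'
if ((Test-Path -LiteralPath $sysIni) -and (Select-String -Path $sysIni -Pattern '^\[fje32a1s\]' -Quiet)) {
    $findings.Add('system.ini contains section [fje32a1s]')
}

# The mutex is only visible while the virus is running in the same session;
# OpenExisting throws when the mutex is absent (or not accessible), which is the "clean" case.
try {
    $m = [System.Threading.Mutex]::OpenExisting('op1mutx9')
    $findings.Add('Mutex op1mutx9 exists'); $m.Dispose()
} catch { }

# --- Settings the entry reports as modified (value => data) ---
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Expected = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'; Name = 'Hidden'; Expected = 2 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusOverride'; Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'; Name = 'AntiVirusOverride'; Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'; Name = 'AntiVirusDisableNotify'; Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'; Name = 'FirewallOverride'; Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'; Name = 'FirewallDisableNotify'; Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name = 'EnableFirewall'; Expected = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'GlobalUserOffline'; Expected = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Expected = 0 }
)
foreach ($c in $checks) {
    if (Test-RegValue @c) { $findings.Add("$($c.Path)\$($c.Name) = $($c.Expected)") }
}

# --- Firewall exception registered under the display name 'ipsec' ---
# RegistryKey.GetValue is used because the value names contain '*', which Get-ItemProperty treats as a wildcard.
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path -LiteralPath $fwList) {
    $key = Get-Item -LiteralPath $fwList
    foreach ($name in $key.GetValueNames()) {
        $data = "$($key.GetValue($name))"
        if ($name -like '*:ipsec' -or $data -like '*:ipsec') { $findings.Add("Firewall exception '$name' -> '$data'") }
    }
}

# --- SafeBoot configuration (Minimal and Network are the standard subkeys; assumed, not from the entry) ---
foreach ($sb in 'Minimal', 'Network') {
    $p = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sb"
    if (-not (Test-Path -LiteralPath $p) -or @(Get-ChildItem -LiteralPath $p -ErrorAction SilentlyContinue).Count -eq 0) {
        $findings.Add("SafeBoot\$sb is missing or empty")
    }
}

# --- autorun.inf at the root of removable (DriveType 2) and network (DriveType 4) drives ---
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=4' | ForEach-Object {
    $inf = "$($_.DeviceID)\autorun.inf"
    if (Test-Path -LiteralPath $inf) { $findings.Add("autorun.inf present on $($_.DeviceID)") }
}

if ($findings.Count -eq 0) { 'No Sality.AU indicators found.' } else { $findings | ForEach-Object { "FOUND: $_" } }
```

A hit on any single line is not proof of infection on its own (an administrator may legitimately set EnableLUA or Hidden, and %Temp% routinely holds installers), but several hits together, particularly the bntrp subkey, the amsint32.sys driver, the system.ini section or an emptied SafeBoot tree, match this entry closely and warrant a full scan.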

Prevention


Alert level: Severe
First detected by definition: 1.87.789.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Jul 28, 2010
This entry was first published on: Jul 30, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Virus.Win32.Sality.ag (Kaspersky)
  • W32/Sality.BD (Norman)
  • Win32.Sality.BK (VirusBuster)
  • W32/Sality.AG (Avira)
  • Win32.Sality.3 (BitDefender)
  • Win32/Sality.NBA (ESET)
  • Virus.Win32.Sality (Ikarus)
  • W32/Sality.AA (Panda)
  • Mal/Sality-D (Sophos)
  • Virus.Win32.Sality.at (Sunbelt Software)
  • W32.Sality.AE (Symantec)
  • PE_SALITY.BA-O (Trend Micro)