Virus:Win32/Sality.G and Virus:Win32/Sality.G.dll are variants if the Virus:Win32/Sality, a family of polymorphic file infectors that target Windows executable files with extensions .SCR or .EXE. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. They may also download and execute arbitrary files from a remote server.
Virus:Win32/Sality.G.dll may be dropped and loaded as %systemroot%\system32\wmimgr32.dll by Virus:Win32/Sality.G. Virus:Win32/Sality.G.dll is loaded into other processes by installing a message hook (a function that enables Virus:Win32/Sality.G to load itself into other processes).
Virus:Win32/Sality.G.dll creates a mutex named "kuku_joker_v3.04" to prevent more than one instance of itself from running in the memory at the same time.
File infection / network shares
When executed, Virus:Win32/Sality.G drops the compressed payload and file infecting component (Virus:Win32/Sality.G.dll) as %systemroot%\system32\wmimgr32.dl_ and decompresses it as %systemroot%\system32\wmimgr32.dll.
Virus:Win32/Sality.G loads the decompressed payload component immediately, then
jumps back to the original code entry point of the infected file.
Virus:Win32/Sality.G.dll tries to infect PE files with extension ".EXE" and ".SCR" from local drives and network shares. Files protected by SFC (System File Check) or those whose file name contains following strings will not be infected:
Virus:Win32/Sality.G.dll tries to delete files with following extensions.
Downloads and executes arbitrary files
Virus:Win32/Sality.G.dll tries to download and execute files from a remote server. Files are downloaded to the %TEMP% directory then executed.
Note - %TEMP% refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000, XP and NT is C:\DOCUME~1\<user>\LOCALS~1\Temp; and for Vista and Windows 7 is C:\Users\<user name>\AppData\Local\Temp.
In the wild, we have observed Virus:Win32/Sality.G.dll attempting to download files from these domains:
Analysis by Shawn Wang