Content

W32/Sality.ae

Type
Virus
SubType
Parasitic
Discovery Date
04/22/2008
Length
varies
Minimum DAT
5279 (04/22/2008)
Updated DAT
5760 (10/03/2009)
Minimum Engine
5.1.00
Description Added
04/22/2008
Description Modified
05/01/2008 7:27 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

W32/Sality.ae is a parasitic virus that infects Win32 PE executable files.

Upon execution, it drops the following files into the Windows system directory:

  • %Windir%\System32\Hdaudprop.dll
  • %Windir%\System32\Hdaudpropres.dll
  • %Windir%\System32\Hdaudpropshortcut.exe
  • %Windir%\System32\drivers\Hdaudbus.sys
  • %Windir%\System32\drivers\Hdaudio.sys
  • %Windir%\System32\drivers\portcls.sys

Creates the following registry keys:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WMI_MFC_TPSHOCKER_80
  • HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\IPFILTERDRIVER
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline

Downloads further malware from the following domains:

  • bpowqbvcfds677.info
  • aapowqbvcfds677.info
  • abpowqbvcfds677.info
  • d98dc9.bpowqbvcfds677.info
  • bmakemegood24.com
  • d99395.bmakemegood24.com
  • bbeakemegood24.com
  • bperfectchoice1.com
  • d998b6.bperfectchoice1.com
  • cbparfectchoice1.com
  • cbpbrfectchoice1.com
  • bcash-ddt.net
  • d9aab7.bcash-ddt.net
  • pzrk.ru
  • dbcabh-ddt.net
  • bddr-cash.net
  • ebddrbcash.net

Symptoms

Existing Windows PE executable files grow in length of 50 Kb.
Unexpected network traffic to one or more of the domains mentioned above.

Method of Infection

W32/Sality.ae searches local drives and network shares for Windows PE executable files to infect. It replaces the original entry point of the files it infects with its viral code and appends itself to the last section of the PE image.  The infected files grow by size by 50Kb.

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

W32/Sality.ae is a parasitic virus that infects Win32 PE executable files.

Upon execution, it drops the following files into the Windows system directory:

  • %Windir%\System32\Hdaudprop.dll
  • %Windir%\System32\Hdaudpropres.dll
  • %Windir%\System32\Hdaudpropshortcut.exe
  • %Windir%\System32\drivers\Hdaudbus.sys
  • %Windir%\System32\drivers\Hdaudio.sys
  • %Windir%\System32\drivers\portcls.sys

Creates the following registry keys:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WMI_MFC_TPSHOCKER_80
  • HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\IPFILTERDRIVER
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline

Downloads further malware from the following domains:

  • bpowqbvcfds677.info
  • aapowqbvcfds677.info
  • abpowqbvcfds677.info
  • d98dc9.bpowqbvcfds677.info
  • bmakemegood24.com
  • d99395.bmakemegood24.com
  • bbeakemegood24.com
  • bperfectchoice1.com
  • d998b6.bperfectchoice1.com
  • cbparfectchoice1.com
  • cbpbrfectchoice1.com
  • bcash-ddt.net
  • d9aab7.bcash-ddt.net
  • pzrk.ru
  • dbcabh-ddt.net
  • bddr-cash.net
  • ebddrbcash.net

Symptoms

Symptoms -

Existing Windows PE executable files grow in length of 50 Kb.
Unexpected network traffic to one or more of the domains mentioned above.

Method of Infection

Method of Infection -

W32/Sality.ae searches local drives and network shares for Windows PE executable files to infect. It replaces the original entry point of the files it infects with its viral code and appends itself to the last section of the PE image.  The infected files grow by size by 50Kb.

Removal -

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A