McAfee > Theat Center > Virus Detail Page

Overview

Aliases

• W32/Sality.ae

• Worm.Win32.AutoRun.eiy (Kaspersky)

Characteristics

W32/Sality.ah is a parasitic virus that infects Win32 PE executable files.

Upon execution, it starts a service to listen on a random UDP Port and create a copy of itself in the following path(s):

• %Windir%\System32\Drivers\{random}.sys

It follows to create the following registry key(s):

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3360pr
• HKEY_CURRENT_USER\Software\{%UserName%}914

It may also modify system configuration via the following registry key(s):

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ Parameters\FirewallPolicy\StandardProfile\Authorized Applications\List
• SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

(Where %UserName% is the Windows logged in user ID)

In an attempt to make recovery difficult for the victim, registry keys in the following sub-tree are deleted and needs to be restored to the original configuration if needed by the user:

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\*
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*

It may parasitically infect *.exe and *scr files on the local, network and removable drives except for files containing the following string(s) in the filename:

• WINDOWS
• SYSTEM
• SYSTEM32

It can also drop a copy of itself as asc3360pr.scr, asc3360pr.pif or asc3360pr.exe onto the following Windows drive types and creates an Autorun.inf to auto-execute itself:

• Unknown drive type (Type 0)
• Removable media (Type 2) - e.g. USB drives.
• Remote network drive (Type 4) - e.g. shared folders.

It may download additional malware from the folllowing site(s):

• hxxp://89.119.67.154
• hxxp://kukutrustnet777.info
• hxxp://kukutrustnet888.info
• hxxp://kukutrustnet987.info
• hxxp://www.kjwre9fqwieluoi.info
• hxxp://bpowqbvcfds677.info
• hxxp://bmakemegood24.com
• hxxp://bperfectchoice1.com
• hxxp://bcash-ddt.net
• hxxp://bddr-cash.net
• hxxp://btrn-cash.net
• hxxp://bmoney-frn.net
• hxxp://bclr-cash.net
• hxxp://bxxxl-cash.net
• hxxp://balsfhkewo7i487fksd.info
• hxxp://buynvf96.info

Services containing the following strings may be removed:

• Agnitum Client Security Service
• ALG
• aswUpdSv
• avast! Antivirus
• avast! Mail Scanner
• avast! Web ScannerAVP
• BackWeb Plug-in - 4476822
• bdss
• BGLiveSvc
• BlackICE
• CAISafe
• ccEvtMgr
• ccProxy
• ccSetMgr
• Eset Service
• F-Prot Antivirus Update Monitor
• fsbwsys
• FSDFWD
• F-Secure Gatekeeper Handler Starter
• fshttps
• FSMA
• InoRPC
• InoRT
• InoTask
• ISSVC
• KPF4
• LavasoftFirewall
• LIVESRV
• McAfeeFramework
• McShield
• McTaskManager
• navapsvc
• NOD32krn
• NPFMntor
• NSCService
• Outpost Firewall main module
• OutpostFirewall
• PAVFIRES
• PAVFNSVR
• PavProt
• PavPrSrv
• PAVSRV
• PcCtlCom
• PersonalFirewal
• PREVSRV
• ProtoPort Firewall service
• PSIMSVC
• RapApp
• SmcService
• SNDSrvc
• SPBBCSvc
• Symantec Core LC
• Tmntsrv
• TmPfw
• tmproxy
• UmxAgent
• UmxCfg
• UmxLU
• UmxPol
• vsmon
• VSSERV
• WebrootDesktopFirewallDataService
• WebrootFirewall
• XCOMM
  

It may also search and delete files containing the following extension(s) or string(s) in the filename:

• .vdb
• .key
• .avc

Symptoms

• Presence of the file(s) mentioned.
• Presence of the registry key(s) mentioned.
• Services listening on the network port(s) mentioned.
• Unexpected network traffic to one or more of the domain(s) mentioned.
• Executable files increase in size by 70 kilobytes.

Method of Infection

W32/Sality.ah searches local drives, removable and network shares for Windows PE executable files to infect. It replaces the original entry point of the files it infects with its viral code and appends itself to the last section of the PE image.  The infected files grow by size by 70 KB.

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• W32/Sality.ae

• Worm.Win32.AutoRun.eiy (Kaspersky)

Characteristics

Characteristics -

W32/Sality.ah is a parasitic virus that infects Win32 PE executable files.

Upon execution, it starts a service to listen on a random UDP Port and create a copy of itself in the following path(s):

• %Windir%\System32\Drivers\{random}.sys

It follows to create the following registry key(s):

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3360pr
• HKEY_CURRENT_USER\Software\{%UserName%}914

It may also modify system configuration via the following registry key(s):

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ Parameters\FirewallPolicy\StandardProfile\Authorized Applications\List
• SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

(Where %UserName% is the Windows logged in user ID)

In an attempt to make recovery difficult for the victim, registry keys in the following sub-tree are deleted and needs to be restored to the original configuration if needed by the user:

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\*
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*

It may parasitically infect *.exe and *scr files on the local, network and removable drives except for files containing the following string(s) in the filename:

• WINDOWS
• SYSTEM
• SYSTEM32

It can also drop a copy of itself as asc3360pr.scr, asc3360pr.pif or asc3360pr.exe onto the following Windows drive types and creates an Autorun.inf to auto-execute itself:

• Unknown drive type (Type 0)
• Removable media (Type 2) - e.g. USB drives.
• Remote network drive (Type 4) - e.g. shared folders.

It may download additional malware from the folllowing site(s):

• hxxp://89.119.67.154
• hxxp://kukutrustnet777.info
• hxxp://kukutrustnet888.info
• hxxp://kukutrustnet987.info
• hxxp://www.kjwre9fqwieluoi.info
• hxxp://bpowqbvcfds677.info
• hxxp://bmakemegood24.com
• hxxp://bperfectchoice1.com
• hxxp://bcash-ddt.net
• hxxp://bddr-cash.net
• hxxp://btrn-cash.net
• hxxp://bmoney-frn.net
• hxxp://bclr-cash.net
• hxxp://bxxxl-cash.net
• hxxp://balsfhkewo7i487fksd.info
• hxxp://buynvf96.info

Services containing the following strings may be removed:

• Agnitum Client Security Service
• ALG
• aswUpdSv
• avast! Antivirus
• avast! Mail Scanner
• avast! Web ScannerAVP
• BackWeb Plug-in - 4476822
• bdss
• BGLiveSvc
• BlackICE
• CAISafe
• ccEvtMgr
• ccProxy
• ccSetMgr
• Eset Service
• F-Prot Antivirus Update Monitor
• fsbwsys
• FSDFWD
• F-Secure Gatekeeper Handler Starter
• fshttps
• FSMA
• InoRPC
• InoRT
• InoTask
• ISSVC
• KPF4
• LavasoftFirewall
• LIVESRV
• McAfeeFramework
• McShield
• McTaskManager
• navapsvc
• NOD32krn
• NPFMntor
• NSCService
• Outpost Firewall main module
• OutpostFirewall
• PAVFIRES
• PAVFNSVR
• PavProt
• PavPrSrv
• PAVSRV
• PcCtlCom
• PersonalFirewal
• PREVSRV
• ProtoPort Firewall service
• PSIMSVC
• RapApp
• SmcService
• SNDSrvc
• SPBBCSvc
• Symantec Core LC
• Tmntsrv
• TmPfw
• tmproxy
• UmxAgent
• UmxCfg
• UmxLU
• UmxPol
• vsmon
• VSSERV
• WebrootDesktopFirewallDataService
• WebrootFirewall
• XCOMM
  

It may also search and delete files containing the following extension(s) or string(s) in the filename:

• .vdb
• .key
• .avc

Symptoms

Symptoms -

• Presence of the file(s) mentioned.
• Presence of the registry key(s) mentioned.
• Services listening on the network port(s) mentioned.
• Unexpected network traffic to one or more of the domain(s) mentioned.
• Executable files increase in size by 70 kilobytes.

Method of Infection

Method of Infection -

W32/Sality.ah searches local drives, removable and network shares for Windows PE executable files to infect. It replaces the original entry point of the files it infects with its viral code and appends itself to the last section of the PE image.  The infected files grow by size by 70 KB.

Removal -

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A