PE_SALITY.JER
Windows 2000, Windows XP, Windows Server 2003
Threat Type: File infector
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Propagates via flashdrives
This file infector may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.
It modifies certain registry entries to disable Security Center functions. Doing this allows this malware to execute its routines without being detected. It disables Task Manager, Registry Editor, and Folder Options. It modifies registry entries to hide files with System and Read-only attributes.
It infects by appending its code to target host files.
It drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
It modifies the affected system's HOSTS files. This prevents users from accessing certain websites.
TECHNICAL DETAILS
Varies
EXE
Yes
02 Oct 2008
Hides files and processes, Modifies system registry, Drops files
Arrival Details
This file infector may be dropped by other malware.
It may be unknowingly downloaded by a user while visiting malicious websites.
Other System Modifications
This file infector adds the following line(s)/entry(ies) in the SYSTEM.INI file:
- [MCIDRV_VER]
- DEVICEMB={random numbers}
It adds the following registry keys:
HKEY_CURRENT_USER\Software\{user name}914
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Tracing\FWCFG
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"
It modifies the following registry entries to disable Security Center functions:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UacDisableNotify = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = "1"
It creates the following registry entry(ies) to disable Task Manager, Registry Tools and Folder Options:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
system
DisableRegistryTools = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
system
DisableTaskMgr = "1"
It modifies the following registry entries to hide files with System and Read-only attributes:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"
(Note: The default value data of the said registry entry is 1.)
It creates the following registry entry(ies) to bypass Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and file name}.exe = "{malware path and file name}.exe:*:Enabled:ipsec"
File Infection
This file infector infects the following file types:
- .EXE
- .SCR
It infects by appending its code to target host files.
It avoids infecting folders containing the following strings:
- AHEAD
- SYSTEM
Propagation
This file infector drops copies of itself in all removable drives.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[AutoRun]
;{random characters}
;{random characters}
sheLl\opeN\cOmmand ={malware file name}.exe
;{random characters}
ShelL\ExploRe\ComManD ={malware file name}.exe
sheLl\oPEn\DefauLt=1
;{random characters}
oPEN = {malware file name}.exe
;{random characters}
sheLl\AUtoplAy\ComMaND ={malware file name}.exe
;{random characters}
HOSTS File Modification
This file infector modifies the affected system's HOSTS files to prevent a user from accessing the following websites:
- 82.165.237.14
- 82.165.250.33
- avp.com
- ca.com
- casablanca.cz
- customer.symantec.com
- d-eu-1f.kaspersky-labs.com
- d-eu-1h.kaspersky-labs.com
- d-eu-2f.kaspersky-labs.com
- d-eu-2h.kaspersky-labs.com
- d-ru-1f.kaspersky-labs.com
- d-ru-1h.kaspersky-labs.com
- d-ru-2f.kaspersky-labs.com
- d-ru-2h.kaspersky-labs.com
- d-us-1f.kaspersky-labs.com
- d-us-1h.kaspersky-labs.com
- d66.myleftnut.info
- dispatch.mcafee.com
- download.mcafee.com
- downloads-us1.kaspersky.com
- downloads1.kaspersky.com
- downloads1.kaspersky.ru
- downloads2.kaspersky.ru
- downloads3.kaspersky.ru
- downloads4.kaspersky.ru
- downloads5.kaspersky.ru
- eset.casablanca.cz
- eset.com
- f-secure.com
- kaspersky-labs.com
- kaspersky.com
- liveupdate.symantec.com
- liveupdate.symantecliveupdate.com
- mast.mcafee.com
- mcafee.com
- metalhead2005.info
- my-etrust.com
- nai.com
- networkassociates.com
- nod32.com
- norton.com
- rads.mcafee.com
- secure.nai.com
- securityresponse.symantec.com
- sophos.com
- symantec.com
- trendmicro.com
- u2.eset.com
- u3.eset.com
- u4.eset.com
- u7.eset.com
- update.symantec.com
- updates-us1.kaspersky.com
- updates.symantec.com
- updates1.kaspersky.com
- updates2.kaspersky.com
- updates3.kaspersky.com
- us.mcafee.com
- viruslist.com
- www.avp.com
- www.ca.com
- www.eset.com
- www.f-secure.com
- www.kaspersky.com
- www.mcafee.com
- www.microsoft.com
- www.my-etrust.com
- www.nai.com
- www.networkassociates.com
- www.nod32.com
- www.norton.com
- www.sophos.com
- www.symantec.com
- www.trendmicro.com
- www.viruslist.com
NOTES:
It creates the following registry entries to disable the Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
EnableFirewall = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
DoNotAllowExceptions = "0"
It infects executable files listed in the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It drops a copy of itself in the shared folders found on the affected system. It also drops an autorun.inf file on the said folders to enable its automatic execution.
SOLUTION
9.200
5.883.00
02 Oct 2008
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Restart in Safe Mode
Step 3
Restore modified and/or deleted registry value/s using this VBScript
To restore the modified and/or deleted registry value/s:
- Open Notepad.
» For Windows 2000, Windows XP, and Windows Server 2003 users, click Start>Run. In the Open input box, type notepad then press Enter.
» For Windows Vista and Windows 7 users, click Start, type notepad in the Search input field then press Enter. - Copy and paste the following script:
- Save this file as C:\RESTORE.VBS.
- Run C:\RESTORE.VBS.
» For Windows 2000, XP, and Server 2003 users, click Start>Run. In the Open input box, type C:\RESTORE.VBS then press Enter.
» For Windows Vista and Windows 7 users, click Start, type C:\RESTORE.VBS in the Search input field then press Enter.
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- GlobalUserOffline = "0"
- GlobalUserOffline = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- EnableFirewall = "0"
- EnableFirewall = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- DoNotAllowExceptions = "0"
- DoNotAllowExceptions = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- {malware path and file name}.exe = "{malware path and file name}.exe:*:Enabled:ipsec"
- {malware path and file name}.exe = "{malware path and file name}.exe:*:Enabled:ipsec"
Step 5
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software
- {user name}914
- {user name}914
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- Svc
- Svc
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing
- FWCFG
- FWCFG
Step 6
Restore these modified registry values
Important:Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: AntiVirusDisableNotify = "1"
To: AntiVirusDisableNotify = ""
- From: AntiVirusDisableNotify = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: AntiVirusOverride = "1"
To: AntiVirusOverride = "0"
- From: AntiVirusOverride = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: FirewallDisableNotify = "1"
To: FirewallDisableNotify = ""
- From: FirewallDisableNotify = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: FirewallOverride = "1"
To: FirewallOverride = ""
- From: FirewallOverride = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: UacDisableNotify = "1"
To: UacDisableNotify = ""
- From: UacDisableNotify = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: UpdatesDisableNotify = "1"
To: UpdatesDisableNotify = ""
- From: UpdatesDisableNotify = "1"
Step 7
Remove these strings added by the malware/grayware/spyware in the HOSTS file
- 82.165.237.14
82.165.250.33
avp.com
ca.com
casablanca.cz
customer.symantec.com
d-eu-1f.kaspersky-labs.com
d-eu-1h.kaspersky-labs.com
d-eu-2f.kaspersky-labs.com
d-eu-2h.kaspersky-labs.com
d-ru-1f.kaspersky-labs.com
d-ru-1h.kaspersky-labs.com
d-ru-2f.kaspersky-labs.com
d-ru-2h.kaspersky-labs.com
d-us-1f.kaspersky-labs.com
d-us-1h.kaspersky-labs.com
d66.myleftnut.info
dispatch.mcafee.com
download.mcafee.com
downloads-us1.kaspersky.com
downloads1.kaspersky.com
downloads1.kaspersky.ru
downloads2.kaspersky.ru
downloads3.kaspersky.ru
downloads4.kaspersky.ru
downloads5.kaspersky.ru
eset.casablanca.cz
eset.com
f-secure.com
kaspersky-labs.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
metalhead2005.info
my-etrust.com
nai.com
networkassociates.com
nod32.com
norton.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
u2.eset.com
u3.eset.com
u4.eset.com
u7.eset.com
update.symantec.com
updates-us1.kaspersky.com
updates.symantec.com
updates1.kaspersky.com
updates2.kaspersky.com
updates3.kaspersky.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.eset.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.microsoft.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.nod32.com
www.norton.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
Step 8
Search and delete AUTORUN.INF files created by PE_SALITY.JER that contain these strings
;{random characters}
;{random characters}
sheLl\opeN\cOmmand ={malware file name}.exe
;{random characters}
ShelL\ExploRe\ComManD ={malware file name}.exe
sheLl\oPEn\DefauLt=1
;{random characters}
oPEN = {malware file name}.exe
;{random characters}
sheLl\AUtoplAy\ComMaND ={malware file name}.exe
;{random characters}
Step 9
Scan your computer with your Trend Micro product to clean files detected as PE_SALITY.JER. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
NOTES:
Remove the following strings that this malware added to SYSTEM.INI:
[MCIDRV_VER]
DEVICEMB={random numbers}
- Open SYSTEM.INI.
» For Windows 2000, Windows XP, and Windows Server 2003 users, click Start>Run. In the Open input box, type SYSTEM.INI then press Enter.
» For Windows Vista and Windows 7 users, click Start, type SYSTEM.INI in the Search input field then press Enter.
This opens the file in your default text editor (usually Notepad). - Locate and delete the the following lines:
[MCIDRV_VER]
DEVICEMB={random numbers} - Close SYSTEM.INI. Click Yes when prompted to save.
Did this description help? Tell us how we did.