PE_SALITY.JER

 Modified by: Christopher Daniel So

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Propagates via flashdrives


This file infector may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It modifies certain registry entries to disable Security Center functions. Doing this allows this malware to execute its routines without being detected. It disables Task Manager, Registry Editor, and Folder Options. It modifies registry entries to hide files with System and Read-only attributes.

It infects by appending its code to target host files.

It drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It modifies the affected system's HOSTS files. This prevents users from accessing certain websites.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

02 Oct 2008

Payload:

Hides files and processes, Modifies system registry, Drops files

Arrival Details

This file infector may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Other System Modifications

This file infector adds the following line(s)/entry(ies) in the SYSTEM.INI file:

  • [MCIDRV_VER]
  • DEVICEMB={random numbers}

It adds the following registry keys:

HKEY_CURRENT_USER\Software\{user name}914

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Tracing\FWCFG

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"

It modifies the following registry entries to disable Security Center functions:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UacDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = "1"

It creates the following registry entry(ies) to disable Task Manager, Registry Tools and Folder Options:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
system
DisableRegistryTools = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
system
DisableTaskMgr = "1"

It modifies the following registry entries to hide files with System and Read-only attributes:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"

(Note: The default value data of the said registry entry is 1.)

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and file name}.exe = "{malware path and file name}.exe:*:Enabled:ipsec"

File Infection

This file infector infects the following file types:

  • .EXE
  • .SCR

It infects by appending its code to target host files.

It avoids infecting folders containing the following strings:

  • AHEAD
  • SYSTEM

Propagation

This file infector drops copies of itself in all removable drives.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[AutoRun]

;{random characters}
;{random characters}
sheLl\opeN\cOmmand ={malware file name}.exe

;{random characters}
ShelL\ExploRe\ComManD ={malware file name}.exe
sheLl\oPEn\DefauLt=1
;{random characters}
oPEN = {malware file name}.exe

;{random characters}
sheLl\AUtoplAy\ComMaND ={malware file name}.exe
;{random characters}

HOSTS File Modification

This file infector modifies the affected system's HOSTS files to prevent a user from accessing the following websites:

  • 82.165.237.14
  • 82.165.250.33
  • avp.com
  • ca.com
  • casablanca.cz
  • customer.symantec.com
  • d-eu-1f.kaspersky-labs.com
  • d-eu-1h.kaspersky-labs.com
  • d-eu-2f.kaspersky-labs.com
  • d-eu-2h.kaspersky-labs.com
  • d-ru-1f.kaspersky-labs.com
  • d-ru-1h.kaspersky-labs.com
  • d-ru-2f.kaspersky-labs.com
  • d-ru-2h.kaspersky-labs.com
  • d-us-1f.kaspersky-labs.com
  • d-us-1h.kaspersky-labs.com
  • d66.myleftnut.info
  • dispatch.mcafee.com
  • download.mcafee.com
  • downloads-us1.kaspersky.com
  • downloads1.kaspersky.com
  • downloads1.kaspersky.ru
  • downloads2.kaspersky.ru
  • downloads3.kaspersky.ru
  • downloads4.kaspersky.ru
  • downloads5.kaspersky.ru
  • eset.casablanca.cz
  • eset.com
  • f-secure.com
  • kaspersky-labs.com
  • kaspersky.com
  • liveupdate.symantec.com
  • liveupdate.symantecliveupdate.com
  • mast.mcafee.com
  • mcafee.com
  • metalhead2005.info
  • my-etrust.com
  • nai.com
  • networkassociates.com
  • nod32.com
  • norton.com
  • rads.mcafee.com
  • secure.nai.com
  • securityresponse.symantec.com
  • sophos.com
  • symantec.com
  • trendmicro.com
  • u2.eset.com
  • u3.eset.com
  • u4.eset.com
  • u7.eset.com
  • update.symantec.com
  • updates-us1.kaspersky.com
  • updates.symantec.com
  • updates1.kaspersky.com
  • updates2.kaspersky.com
  • updates3.kaspersky.com
  • us.mcafee.com
  • viruslist.com
  • www.avp.com
  • www.ca.com
  • www.eset.com
  • www.f-secure.com
  • www.kaspersky.com
  • www.mcafee.com
  • www.microsoft.com
  • www.my-etrust.com
  • www.nai.com
  • www.networkassociates.com
  • www.nod32.com
  • www.norton.com
  • www.sophos.com
  • www.symantec.com
  • www.trendmicro.com
  • www.viruslist.com

NOTES:

It creates the following registry entries to disable the Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
EnableFirewall = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
DoNotAllowExceptions = "0"

It infects executable files listed in the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It drops a copy of itself in the shared folders found on the affected system. It also drops an autorun.inf file on the said folders to enable its automatic execution.

  SOLUTION

Minimum Scan Engine:

9.200

FIRST VSAPI PATTERN FILE:

5.883.00

FIRST VSAPI PATTERN DATE:

02 Oct 2008

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Restart in Safe Mode

[ Learn More ]

Step 3

Restore modified and/or deleted registry value/s using this VBScript

To restore the modified and/or deleted registry value/s:

  1. Open Notepad.
    » For Windows 2000, Windows XP, and Windows Server 2003 users, click Start>Run. In the Open input box, type notepad then press Enter.
    » For Windows Vista and Windows 7 users, click Start, type notepad in the Search input field then press Enter.
  2. Copy and paste the following script:
  3. Save this file as C:\RESTORE.VBS.
  4. Run C:\RESTORE.VBS.
    » For Windows 2000, XP, and Server 2003 users, click Start>Run. In the Open input box, type C:\RESTORE.VBS then press Enter.
    » For Windows Vista and Windows 7 users, click Start, type C:\RESTORE.VBS in the Search input field then press Enter.

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • GlobalUserOffline = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    • EnableFirewall = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    • DoNotAllowExceptions = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • {malware path and file name}.exe = "{malware path and file name}.exe:*:Enabled:ipsec"

Step 5

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software
    • {user name}914
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • Svc
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing
    • FWCFG

Step 6

Restore these modified registry values

[ Learn More ]

Important:Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • From: AntiVirusDisableNotify = "1"
      To: AntiVirusDisableNotify = ""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • From: AntiVirusOverride = "1"
      To: AntiVirusOverride = "0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • From: FirewallDisableNotify = "1"
      To: FirewallDisableNotify = ""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • From: FirewallOverride = "1"
      To: FirewallOverride = ""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • From: UacDisableNotify = "1"
      To: UacDisableNotify = ""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • From: UpdatesDisableNotify = "1"
      To: UpdatesDisableNotify = ""

Step 7

Remove these strings added by the malware/grayware/spyware in the HOSTS file

[ Learn More ]
    82.165.237.14
    82.165.250.33
    avp.com
    ca.com
    casablanca.cz
    customer.symantec.com
    d-eu-1f.kaspersky-labs.com
    d-eu-1h.kaspersky-labs.com
    d-eu-2f.kaspersky-labs.com
    d-eu-2h.kaspersky-labs.com
    d-ru-1f.kaspersky-labs.com
    d-ru-1h.kaspersky-labs.com
    d-ru-2f.kaspersky-labs.com
    d-ru-2h.kaspersky-labs.com
    d-us-1f.kaspersky-labs.com
    d-us-1h.kaspersky-labs.com
    d66.myleftnut.info
    dispatch.mcafee.com
    download.mcafee.com
    downloads-us1.kaspersky.com
    downloads1.kaspersky.com
    downloads1.kaspersky.ru
    downloads2.kaspersky.ru
    downloads3.kaspersky.ru
    downloads4.kaspersky.ru
    downloads5.kaspersky.ru
    eset.casablanca.cz
    eset.com
    f-secure.com
    kaspersky-labs.com
    kaspersky.com
    liveupdate.symantec.com
    liveupdate.symantecliveupdate.com
    mast.mcafee.com
    mcafee.com
    metalhead2005.info
    my-etrust.com
    nai.com
    networkassociates.com
    nod32.com
    norton.com
    rads.mcafee.com
    secure.nai.com
    securityresponse.symantec.com
    sophos.com
    symantec.com
    trendmicro.com
    u2.eset.com
    u3.eset.com
    u4.eset.com
    u7.eset.com
    update.symantec.com
    updates-us1.kaspersky.com
    updates.symantec.com
    updates1.kaspersky.com
    updates2.kaspersky.com
    updates3.kaspersky.com
    us.mcafee.com
    viruslist.com
    www.avp.com
    www.ca.com
    www.eset.com
    www.f-secure.com
    www.kaspersky.com
    www.mcafee.com
    www.microsoft.com
    www.my-etrust.com
    www.nai.com
    www.networkassociates.com
    www.nod32.com
    www.norton.com
    www.sophos.com
    www.symantec.com
    www.trendmicro.com
    www.viruslist.com
"

Step 8

Search and delete AUTORUN.INF files created by PE_SALITY.JER that contain these strings

[ Learn More ]
[AutoRun]

;{random characters}
;{random characters}
sheLl\opeN\cOmmand ={malware file name}.exe

;{random characters}
ShelL\ExploRe\ComManD ={malware file name}.exe
sheLl\oPEn\DefauLt=1
;{random characters}
oPEN = {malware file name}.exe

;{random characters}
sheLl\AUtoplAy\ComMaND ={malware file name}.exe
;{random characters}

Step 9

Scan your computer with your Trend Micro product to clean files detected as PE_SALITY.JER. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:
Remove the following strings that this malware added to SYSTEM.INI:

[MCIDRV_VER]
DEVICEMB={random numbers}

To edit SYSTEM.INI:
  1. Open SYSTEM.INI.
    » For Windows 2000, Windows XP, and Windows Server 2003 users, click Start>Run. In the Open input box, type SYSTEM.INI then press Enter.
    » For Windows Vista and Windows 7 users, click Start, type SYSTEM.INI in the Search input field then press Enter.
    This opens the file in your default text editor (usually Notepad).
  2. Locate and delete the the following lines:
    [MCIDRV_VER]
    DEVICEMB={random numbers}
  3. Close SYSTEM.INI. Click Yes when prompted to save.


Did this description help? Tell us how we did.

Related Malware