SALITY


 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Infects files, Propagates via removable drives, Propagates via network shares, Downloaded from the Internet

A family of file infectors known to spread by infecting .EXE and .SCR files, SALITY malware also spreads via removable drives and network shares.

When infecting target files, SALITY follows certain rules such as avoiding files located in certain folders or avoiding files with certain strings in file names. It also avoids infecting files that have file names with more than 250 characters.

SALITY malware modifies the affected computer's HOSTS files to prevent access to certain websites. SALITY variants are also found to terminate antivirus-related processes.

SALITY connects to particular URLs and IPs to download its components.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Connects to URLs/IPs, Modifies HOSTS file, Terminates processes

Installation

This file infector drops the following files:

  • %System%\vcmgcd32.dll
  • %System%\vcmgcd32.dl_
  • {drive letter}:\ autorun.inf
  • %System%\drivers\{random file name}.sys

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It drops the following copies of itself into the affected system:

  • {drive letter}:\{random}.exe/cmd/pif
  • {drive letter}:\{malware file name}.exe

Other System Modifications

This file infector adds the following registry keys:

HKEY_CURRENT_USER\Software\{random}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Tracing\FWCFG

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
system
DisableRegistryTools = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
system
DisableTaskMgr = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UacDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UpdatesDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSetServices\
SharedAccess\ParametersFirewallPolicy\StandardProfile
DisableNotifications = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSetServices\
SharedAccess\ParametersFirewallPolicy\StandardProfile
DoNotAllowExceptions = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSetServices\
SharedAccess\ParametersFirewallPolicy\StandardProfile
EnableFirewall = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile\AuthorizedApplications\
List
{malware path and name} = "{malware path and name}:*:Enabled:{infected file name}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DisableNotifications = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DoNotAllowExceptions = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and name} = "{malware path and name}:*:Enabled:ipsec"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\{random}
DisplayName = "{random}"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\{random}
ErrorControl = "1"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\{random}
ImagePath = "\??\%System%\drivers\{random file name}.sys"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\{random}
Start = "3"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\{random}
Type = "1"

It modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess
Start = "4"

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UacDisableNotify = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
Start = "4"

(Note: The default value data of the said registry entry is 2.)

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\SafeBoot\Minimal

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\SafeBoot\Network

Other Details

This file infector connects to the following possibly malicious URL:

  • http://{BLOCKED}.{BLOCKED}.19.14/logo.gif
  • http://{BLOCKED}.{BLOCKED}.222.206/logos.gif
  • http://{BLOCKED}metgrup.com/images/logosa.gif
  • http://{BLOCKED}.{BLOCKED}.213.217/images/?{random}
  • http://{BLOCKED}overseas.net/images/xs2.jpg
  • http://{BLOCKED}o.cz/logo.gif
  • http://{BLOCKED}in.com.tr/images/logos.gif
  • http://{BLOCKED}ye.net/xs.jpg
  • http://{BLOCKED}hotel.com/images/logof.gif
  • http://{BLOCKED}ry.org/images/xs.jpg
  • http://{BLOCKED}lim.com.tr/images/xs2.jpg
  • http://{BLOCKED}x.com/xs.jpg
  • http://{BLOCKED}pie.in/images/xs.jpg
  • http://{BLOCKED}l.net/images/xs.jpg
  • http://{BLOCKED}mediaproduction.com/images/xs.jpg
  • http://{BLOCKED}e.co.uk/images/xs.jpg
  • http://{BLOCKED}t.com.tr/main.gif
  • http://cdn.{BLOCKED}a.com/images/image_redirect/shopwiki.com.gif
  • http://cdn.{BLOCKED}a.com/images/image_redirect/shopwiki.com.jpg
  • http://{BLOCKED}asa.com/images/logos.gif
  • http://{BLOCKED}tara.com/logof.gif
  • http://{BLOCKED}tingdestinations.com/?f
  • http://{BLOCKED}tingdestinations.com/images/logos.gif
  • http://{BLOCKED}so.com.br/s.jpg
  • http://{BLOCKED}scapeuk.com/xs.jpg
  • http://{BLOCKED}nt-eg.com/images/logosa.gif
  • http://{BLOCKED}ix.us/images/mainf.gif
  • http://{BLOCKED}ny.com/logos.gif
  • http://{BLOCKED}oletarianparty.org/logof.gif
  • http://g2.{BLOCKED}itech.com/xs.jpg
  • http://{BLOCKED}rtltd.com/img/xs.jpg
  • http://{BLOCKED}wing-tomorrow.org/images/s.jpg
  • http://{BLOCKED}nia.my1.ru/mainh.gif
  • http://{BLOCKED}rnajd.com/images/logo.gif
  • http://{BLOCKED}n-ferienhaus.com/logos.gif
  • http://{BLOCKED}hnes-server.de/cms/images/main.gif
  • http://{BLOCKED}m.de/images/main.gif
  • http://{BLOCKED}wel.fm.interia.pl/logos.gif
  • http://{BLOCKED}sh.com/images/mainf.gif
  • http://radio.{BLOCKED}b.ir/farhang/images/logos.gif
  • http://{BLOCKED}ie.com/images/logos.gif
  • http://{BLOCKED}tu.funpic.de/img/logos.gif
  • http://v11.{BLOCKED}abschirmkiste.de/foo?ip=120.89.55.2&port=3846&req=/logos.gif
  • http://www.{BLOCKED}becreatives.com/logos.gif
  • http://www.{BLOCKED}desk.org/images/xs.jpg
  • http://www.{BLOCKED}ogullari.com/logof.gif
  • http://www.{BLOCKED}zanbil.com/Images/logos.gif
  • http://www.{BLOCKED}ccorini.com/images/logos.gif
  • http://www.{BLOCKED}kkk4d.info/mrow_china/?id{random characters}
  • http://www.{BLOCKED}vns3sdsal.info/mrow_china/?id{random characters}
  • http://www.{BLOCKED}k.info/mrow_china/?id{random characters}
  • http://www.{BLOCKED}ine.com/s.jpg
  • http://www.{BLOCKED}-adv.com/gallery/Fusion/images/logos.gif
  • http://www.{BLOCKED}yservices.be/images/logos.gif
  • http://{BLOCKED}uncil.ya.funpic.de/images/logos.gif
  • http://{BLOCKED}tt.yo.funpic.de/logos.gif
  • http://{BLOCKED}avdar.blogspot.com/logos_s.gif
  • http://{BLOCKED}avdar.com/logos_s.gif
  • http://{BLOCKED}kalpilkogretim72.meb.k12.tr/images/logos.gif