PE_SALITY.RL1-O

October 08, 2012
 Analysis by: Christopher Daniel So
 PLATFORM:

Windows 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Infects files, Copies itself in all available physical drives

This Trojan disables Task Manager, Registry Editor, and Folder Options.

It drops copies of itself in all removable and physical drives found in the system. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

PE

Memory Resident:

Yes

Initial Samples Received Date:

03 Sep 2010

Payload:

Drops files, Connects to URLs/Ips

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CURRENT_USER\Software\{random characters}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UacDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusOverride = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallOverride = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UacDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UpdatesDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DoNotAllowExceptions = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DisableNotifications = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and file name} = "{malware path and file name}:*:Enabled:ipsec"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32
Type = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32
Start = 3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32
ErrorControl = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32
ImagePath = "\??\%System%\drivers\{random file name}.sys"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32
DisplayName = "amsint32"

It modifies the following registry entries:

HKEY_CURRENT_USER
Hidden = 2

(Note: The default value data of the said registry entry is 1.)

It creates the following registry entry(ies) to disable Task Manager, Registry Tools and Folder Options:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
system
DisableTaskMgr = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
system
DisableRegistryTools = 1

File Infection

This Trojan infects the following file types:

  • .EXE
  • .SCR

This is the Trend Micro detection for files infected by:

  • PE_SALITY.RL

Propagation

This Trojan drops copies of itself in all removable and physical drives found in the system.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[AutoRun];
{garbage characters}
shELl\EXplOrE\cOmMand= {random file name}.exe;
{garbage characters}
sheLL\OPen\cOMMaND = {random file name}.exe;
{garbage characters}
shEll\open\DefAuLt=1;
{garbage characters}
OPen= {random file name}.exe;
{garbage characters}
shelL\aUToPLAy\command = {random file name}.exe

Dropping Routine

This Trojan drops the following files:

  • %System%\drivers\{random file name}.sys - detected as RTKT_SALITY.BA

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Other Details

This Trojan attempts to access the following websites to download files, which are possibly malicious:

  • http://{BLOCKED}.{BLOCKED}.19.14/logo.gif
  • http://{BLOCKED}metgrup.com/images/logosa.gif
  • http://{BLOCKED}asa.com/images/logos.gif
  • http://{BLOCKED}tara.com/logof.gif
  • http://{BLOCKED}nt-eg.com/images/logosa.gif
  • http://{BLOCKED}wel.fm.interia.pl/logos.gif
  • http://{BLOCKED}lie.com/images/logos.gif
  • http://www.{BLOCKED}becreatives.com/logos.gif
  • http://www.{BLOCKED}ogullari.com/logof.gif
  • http://{BLOCKED}uncil.ya.funpic.de/images/logos.gif

It does the following:

  • It deletes the file %System%\drivers\{random file name}.sys after adding and running the service amsint32.

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

  SOLUTION

Minimum Scan Engine:

8.900

VSAPI OPR PATTERN File:

7.435.00

VSAPI OPR PATTERN Date:

04 Sep 2010

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware files dropped/downloaded by PE_SALITY.RL1-O

    PE_SALITY.RL

Step 3

Identify and terminate files detected as PE_SALITY.RL1-O

[ Learn More ]
  1. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  2. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 4

To enable Registry Editor, Task Manager, and Folder options:

  1. Open Notepad. To do this, click Start>Run, type Notepad in the text box provided, then press Enter.
  2. Copy and paste the following script:
  3. Save this file as C:RESTORE.VBS.
  4. Click Start>Run again, type C:RESTORE.VBS in the text box provided, then press Enter.
  5. Click Yes at the prompt of the message box to execute the .VBS file.

Step 5

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software
    • {random characters}
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • amsint32

Step 6

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • UacDisableNotify=1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
    • AntiVirusDisableNotify=1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
    • AntiVirusOverride=1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
    • FirewallDisableNotify=1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
    • FirewallOverride=1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
    • UacDisableNotify=1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
    • UpdatesDisableNotify=1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    • EnableLUA=0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    • DoNotAllowExceptions=0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    • DisableNotifications=1
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • {malware path and file name}={malware path and file name}:*:Enabled:ipsec

Step 7

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • From: Hidden=2
      To: Hidden=1

Step 8

Search and delete AUTORUN.INF files created by PE_SALITY.RL1-O that contain these strings

[ Learn More ]
[AutoRun];
{garbage characters}
shELl\EXplOrE\cOmMand= {random file name}.exe;
{garbage characters}
sheLL\OPen\cOMMaND= {random file name}.exe;
{garbage characters}
shEll\open\DefAuLt=1;
{garbage characters}
OPen= {random file name}.exe;
{garbage characters}
shelL\aUToPLAy\command = {random file name}.exe

Step 9

Scan your computer with your Trend Micro product to delete files detected as PE_SALITY.RL1-O. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.