PE_SALITY.SM-O

January 11, 2017

Modified by: Michael Jay Villanueva

ALIASES:

Virus:Win32/Sality.AT (Microsoft); Virus.Win32.Sality.gen (Kaspersky); W32.Sality.AE (Symantec)

PLATFORM:

Windows

OVERALL RISK RATING:

DAMAGE POTENTIAL:

DISTRIBUTION POTENTIAL:

REPORTED INFECTION:

INFORMATION EXPOSURE:

Threat Type: File infector
Destructiveness: No
Encrypted:
In the wild: Yes

OVERVIEW

Infection Channel: Propagates via removable drives, Downloaded from the Internet, Infects files

This file infector arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It does not have any backdoor routine.

It modifies the Internet Explorer Zone Settings.

TECHNICAL DETAILS

File Size: 99,328 bytes

File Type: EXE

Memory Resident: Yes

Initial Samples Received Date: 08 Apr 2014

Payload: Connects to URLs/IPs, Terminates processes, Deletes files

Arrival Details

This file infector arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This file infector drops the following file(s)/component(s):

%System%\drivers\{random}.sys

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

uxJLpe1m
Ap1mutx7

Other System Modifications

This file infector deletes the following files:

%User Temp%\win{random}.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following line(s)/entry(ies) in the SYSTEM.INI file:

[MCIDRV_VER]
DEVICEMB={Random Numbers}

It adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc

HKEY_CURRENT_USER\Software\{random}

HKEY_CURRENT_USER\Software\{random}\
{random value}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\{random}
{1st Letter of Username}{Num}_{Num} = "{DWORD}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UacDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UpdatesDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UacDisableNotify = "1"

HKEY_CURRENT_USER\Software\{random}\
{random value}
{random value} = "{value}"

HKEY_CURRENT_USER\Software\{random}\
{random value}
{random value} = "0"

HKEY_CURRENT_USER\Software\{random}\
{random value}
{random value} = "{random characters}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and file name} = "{malware path and file name}:*:enabled:ipsec"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DoNotAllowExceptions = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DisableNotifications = "1"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"

(Note: The default value data of the said registry entry is 1.)

It deletes the following registry keys:

HKEY_CURRENT_USER\System\CurrentControlSet\
Control\SafeBoot

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\ProfileList

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Ext\
Stats

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Ext\
Stats

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects

File Infection

This file infector infects the following file types:

.EXE
.SCR

It avoids infecting files that contain the following strings in their names:

DAEMON.
NOTEPAD.EXE
WINMINE.EXE

Propagation

This file infector drops the following copies of itself in all physical and removable drives:

{Random Filename}.{exe/pif/cmd}

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

Note: The order of autorun.inf strings may vary and may contain a combination of uppercase and lowercase letters.
[AutoRun]
;{garbage characters}
shell\open\default = 1
;{garbage characters}
open = {Random Filename}.{exe/pif/cmd}
;{garbage characters}
shell\open\command = {Random Filename}.{exe/pif/cmd}
;{garbage characters}
shell\explore\command = {Random Filename}.{exe/pif/cmd}
;{garbage characters}
shell\autoplay\command = {Random Filename}.{exe/pif/cmd}
;{garbage characters}

Backdoor Routine

This file infector does not have any backdoor routine.

Process Termination

This file infector terminates processes or services that contain any of the following strings if found running in the affected system's memory:

AVPM.
A2GUARD
A2CMD.
A2SERVICE.
A2FREE
AVAST
ADVCHK.
AGB.
AKRNL.
AHPROCMONSERVER.
AIRDEFENSE
ALERTSVC
AVIRA
AMON.
TROJAN.
AVZ.
ANTIVIR
APVXDWIN.
ARMOR2NET.
ASHAVAST.
ASHDISP.
ASHENHCD.
ASHMAISV.
ASHPOPWZ.
ASHSERV.
ASHSIMPL.
ASHSKPCK.
ASHWEBSV.
ASWUPDSV.
ASWSCAN
AVCIMAN.
AVCONSOL.
AVENGINE.
AVESVC.
AVEVAL.
AVEVL32.
AVGAM
AVGCC.
AVGCHSVX.
AVGCSRVX.
AVGNSX.
AVGCC32.
AVGCTRL.
AVGEMC.
AVGFWSRV.
AVGNT.
AVCENTER
AVGNTMGR
AVGSERV.
AVGTRAY.
AVGUARD.
AVGUPSVC.
AVGWDSVC.
AVINITNT.
AVKSERV.
AVKSERVICE.
AVKWCTL.
AVP.
AVP32.
AVPCC.
AVAST
AVSERVER.
AVSCHED32.
AVSYNMGR.
AVWUPD32.
AVWUPSRV.
AVXMONITOR
AVXQUAR.
BDSWITCH.
BLACKD.
BLACKICE.
CAFIX.
BITDEFENDER
CCEVTMGR.
CFP.
CFPCONFIG.
CCSETMGR.
CFIAUDIT.
CLAMTRAY.
CLAMWIN.
CUREIT
DEFWATCH.
DRVIRUS.
DRWADINS.
DRWEB
DEFENDERDAEMON
DWEBLLIO
DWEBIO
ESCANH95.
ESCANHNT.
EWIDOCTRL.
EZANTIVIRUSREGISTRATIONCHECK.
F-AGNT95.
FAMEH32.
FILEMON
FIREWALL
FORTICLIENT
FORTITRAY.
FORTISCAN
FPAVSERVER.
FPROTTRAY.
FPWIN.
FRESHCLAM.
EKRN.
FSAV32.
FSAVGUI.
FSBWSYS.
F-SCHED.
FSDFWD.
FSGK32.
FSGK32ST.
FSGUIEXE.
FSMA32.
FSMB32.
FSPEX.
FSSM32.
F-STOPW.
GCASDTSERV.
GCASSERV.
GIANTANTISPYWARE
GUARDGUI.
GUARDNT.
GUARDXSERVICE.
GUARDXKICKOFF.
HREGMON.
HRRES.
HSOCKPE.
HUPDATE.
IAMAPP.
IAMSERV.
ICLOAD95.
ICLOADNT.
ICMON.
ICSSUPPNT.
ICSUPP95.
ICSUPPNT.
IPTRAY.
INETUPD.
INOCIT.
INORPC.
INORT.
INOTASK.
INOUPTNG.
IOMON98.
ISAFE.
ISATRAY.
KAV.
KAVMM.
KAVPF.
KAVPFW.
KAVSTART.
KAVSVC.
KAVSVCUI.
KMAILMON.
MAMUTU
MCAGENT.
MCMNHDLR.
MCREGWIZ.
MCUPDATE.
MCVSSHLD.
MINILOG.
MYAGTSVC.
MYAGTTRY.
NAVAPSVC.
NAVAPW32.
NAVLU32.
NAVW32.
NEOWATCHLOG.
NEOWATCHTRAY.
NISSERV
NISUM.
NMAIN.
NOD32
NORMIST.
NOTSTART.
NPAVTRAY.
NPFMNTOR.
NPFMSG.
NPROTECT.
NSCHED32.
NSMDTR.
NSSSERV.
NSSTRAY.
NTRTSCAN.
NTOS.
NTXCONFIG.
NUPGRADE.
NVCOD.
NVCTE.
NVCUT.
NWSERVICE.
OFCPFWSVC.
OUTPOST
ONLINENT.
OPSSVC.
OP_MON.
PAVFIRES.
PAVFNSVR.
PAVKRE.
PAVPROT.
PAVPROXY.
PAVPRSRV.
PAVSRV51.
PAVSS.
PCCGUIDE.
PCCIOMON.
PCCNTMON.
PCCPFW.
PCCTLCOM.
PCTAV.
PERSFW.
PERTSK.
PERVAC.
PESTPATROL
PNMSRV.
PREVSRV.
PREVX
PSIMSVC.
QUHLPSVC.
QHONLINE.
QHONSVC.
QHWSCSVC.
QHSET.
RFWMAIN.
RTVSCAN.
RTVSCN95.
SALITY
SAPISSVC.
SCANWSCS.
SAVADMINSERVICE.
SAVMAIN.
SAVPROGRESS.
SAVSCAN.
SCANNINGPROCESS.
SDRA64.
SDHELP.
SHSTAT.
SITECLI.
SPBBCSVC.
SPHINX.
SPIDERCPL.
SPIDERML.
SPIDERNT.
SPIDERUI.
SPYBOTSD.
SPYXX.
SS3EDIT.
STOPSIGNAV.
SWAGENT.
SWDOCTOR.
SWNETSUP.
SYMLCSVC.
SYMPROXYSVC.
SYMSPORT.
SYMWSC.
SYNMGR.
TAUMON.
TBMON.
TMLISTEN.
TMNTSRV.
TMPROXY.
TNBUTIL.
TRJSCAN.
VBA32ECM.
VBA32IFS.
VBA32LDR.
VBA32PP3.
VBSNTW.
VCRMON.
VPTRAY.
VRFWSVC.
VRMONNT.
VRMONSVC.
VRRW32.
VSECOMR.
VSHWIN32.
VSMON.
VSSERV.
VSSTAT.
WATCHDOG.
WEBSCANX.
WINSSNOTIFY.
WRCTRL.
XCOMMSVR.
ZLCLIENT
ZONEALARM

Web Browser Home Page and Search Page Modification

This file infector modifies the Internet Explorer Zone Settings.

Download Routine

This file infector connects to the following URL(s) to download its component file(s):

http://www.{BLOCKED}9fqwieluoi.info
http://{BLOCKED}p.com/sobaka.aspx
http://{BLOCKED}1.infoier
http://{BLOCKED}ustnet777888.info
http://{BLOCKED}.{BLOCKED}.67.154/testo5
http://{BLOCKED}ustnet777.info/home.gif
http://{BLOCKED}ustnet888.info/home.gif
http://{BLOCKED}ustnet987.info/home.gif

Other Details

This file infector does the following:

This file infector deletes files with the following extensions:
- .AVC
- .VDB
It also deletes the following services:
- Agnitum Client Security Service
- ALG
- Amon monitor
- aswUpdSv
- avast! Antivirus
- avast! Mail Scanner
- avast! Web Scanner
- BackWeb Plug-in - 4476822
- BGLiveSvc
- BlackICE
- CAISafe
- ccEvtMgr
- ccProxy
- ccSetMgr
- F-Prot Antivirus Update Monitor
- fsbwsys
- FSDFWD
- F-Secure Gatekeeper Handler Starter
- fshttps
- InoRPC
- InoRT
- InoTask
- ISSVC
- LavasoftFirewall
- LIVESRV
- McAfeeFramework
- McShield
- McTaskManager
- navapsvc
- NOD32krn
- NPFMntor
- NSCService
- Outpost Firewall main module
- OutpostFirewall
- PAVFIRES
- PAVFNSVR
- PavProt
- PavPrSrv
- PAVSRV
- PcCtlCom
- PersonalFirewal
- PREVSRV
- ProtoPort Firewall service
- PSIMSVC
- RapApp
- SmcService
- SNDSrvc
- SPBBCSvc
- Symantec Core LC
- Tmntsrv
- TmPfw
- tmproxy
- UmxAgent
- UmxCfg
- UmxLU
- UmxPol
- vsmon
- VSSERV
- WebrootDesktopFirewallDataService
- WebrootFirewall
- XCOMM

SOLUTION

Minimum Scan Engine: 9.300

FIRST VSAPI PATTERN FILE: 10.652.03

FIRST VSAPI PATTERN DATE: 09 Mar 2014

VSAPI OPR PATTERN File: 10.653.00

VSAPI OPR PATTERN Date: 10 Mar 2014

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Identify and delete files detected as PE_SALITY.SM-O using either the Startup Disk or Recovery Console

[ Learn More ]

To identify and delete the malware/grayware file:

• On Windows XP and Server 2003 systems:

Scan your computer with your Trend Micro product and then take note of the names of the malware/grayware files detected.
Click Start>Run. In the Open input box, type secpol.msc and press Enter.
In the left panel, double-click Local Policies>Security Options.
In the right panel, double-click Recovery Console: Allow floppy copy and access to all drives and folders.
Select Enabled and click OK.
Insert the Windows Installation CD into the CD drive, then restart your computer.
When prompted, press any key to boot from the CD.
On the main menu, type r to go to the Recovery Console.
Type the number that corresponds to the drive and directory that contains Windows (usually C:\WINDOWS) and press Enter.
Type the Administrator password and press Enter.
In the input box, type the following then press Enter:
SET AllowAllPaths = TRUE
del "{malware/grayware path and file name}"
Type exit and press Enter to restart the system normally.

• On Windows Vista, 7, and Server 2008 systems:

Scan your computer with your Trend Micro product and then take note of the names of the malware/grayware files detected.
Insert your Windows Installation DVD in the DVD drive, then Press the restart button.
When prompted, press any key to boot from the CD.
Depending on your Windows Installation DVD, you might be required to select the installation language. Then on the Install Windows window, choose your language, locale, and keyboard layout or input method. Click Next, then click Repair your computer.
Select Use recovery tools that can help fix problems starting Windows. Select your installation of Windows. Click Next.
If the Startup Repair window appears, click Cancel, Yes, then Finish.
In the System Recovery Options window, click Command Prompt.
In the Command Prompt window, type the following then press Enter:
BootRec.exe /fixmbr
del "{malware/grayware path and file name}"
Type exit and press Enter to close the Command Prompt window.
Click Restart to restart the system normally.

• On Windows 8, 8.1, and Server 2012 systems:

Scan your computer with your Trend Micro product and then take note of the names of the malware/grayware files detected.
Insert your Windows Installation DVD in the DVD drive, then restart your computer.
When prompted, press any key to boot from the DVD.
Depending on your Windows Installation DVD, you might be required to select the keyboard layout. Then on the Windows Setup window, choose your language, locale, and input method. Click Next, then click Repair your computer.
Click Troubleshoot>Advanced Options>Command Prompt.
In the Command Prompt window, type the following then press Enter:
BootRec.exe /fixmbr
del "{malware/grayware path and file name}"
Type exit and press Enter to close the Command Prompt window.
Click Continue to restart the system normally.

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_CURRENT_USER\Software\{random}
- {1st Letter of Username}{Num}_{Num} = "{DWORD}"
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- AntiVirusOverride = "1"
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- AntiVirusDisableNotify = "1"
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- FirewallDisableNotify = "1"
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- FirewallOverride = "1"
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- UpdatesDisableNotify = "1"
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- UacDisableNotify = "1"
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- AntiVirusOverride = "1"
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- AntiVirusDisableNotify = "1"
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- FirewallDisableNotify = "1"
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- FirewallOverride = "1"
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- UpdatesDisableNotify = "1"
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- UacDisableNotify = "1"
In HKEY_CURRENT_USER\Software\{random}\{random value}
- {random value} = "{value}"
In HKEY_CURRENT_USER\Software\{random}\{random value}
- {random value} = "0"
In HKEY_CURRENT_USER\Software\{random}\{random value}
- {random value} = "{random characters}"
In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- GlobalUserOffline = "0"
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
- EnableLUA = "0"
In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- {malware path and file name} = "{malware path and file name}:*:enabled:ipsec"
In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- EnableFirewall = "0"
In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- DoNotAllowExceptions = "0"
In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- DisableNotifications = "1"

To delete the registry value this malware/grayware created:

Open Registry Editor.
» For Windows 2000, Windows XP, and Windows Server 2003 users, click Start>Run, type regedit in the text box provided, and then press Enter.
» For Windows Vista, Windows 7, and Windows Server 2008 users, click the Start button, type regedit in the Search input field then press Enter.
» For Windows 8, Windows 8.1, and Windows Server 2012 users, right-click on the lower-left corner of the screen, click Run, type regedit in the text box provided, and then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>{random}
In the right panel, locate and delete the entry:
{1st Letter of Username}{Num}_{Num} = "{DWORD}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Security Center
In the right panel, locate and delete the entry:
AntiVirusOverride = "1"
Again In the right panel, locate and delete the entry:
AntiVirusDisableNotify = "1"
Again In the right panel, locate and delete the entry:
FirewallDisableNotify = "1"
Again In the right panel, locate and delete the entry:
FirewallOverride = "1"
Again In the right panel, locate and delete the entry:
UpdatesDisableNotify = "1"
Again In the right panel, locate and delete the entry:
UacDisableNotify = "1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Security Center>Svc
In the right panel, locate and delete the entry:
AntiVirusOverride = "1"
Again In the right panel, locate and delete the entry:
AntiVirusDisableNotify = "1"
Again In the right panel, locate and delete the entry:
FirewallDisableNotify = "1"
Again In the right panel, locate and delete the entry:
FirewallOverride = "1"
Again In the right panel, locate and delete the entry:
UpdatesDisableNotify = "1"
Again In the right panel, locate and delete the entry:
UacDisableNotify = "1"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>{random}>{random value}
In the right panel, locate and delete the entry:
{random value} = "{value}"
Again In the right panel, locate and delete the entry:
{random value} = "0"
Again In the right panel, locate and delete the entry:
{random value} = "{random characters}"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Internet Settings
In the right panel, locate and delete the entry:
GlobalUserOffline = "0"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>policies>system
In the right panel, locate and delete the entry:
EnableLUA = "0"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>ControlSet001>Services>SharedAccess>Parameters>FirewallPolicy>StandardProfile>AuthorizedApplications>List
In the right panel, locate and delete the entry:
{malware path and file name} = "{malware path and file name}:*:enabled:ipsec"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>ControlSet001>Services>SharedAccess>Parameters>FirewallPolicy>StandardProfile
In the right panel, locate and delete the entry:
EnableFirewall = "0"
Again In the right panel, locate and delete the entry:
DoNotAllowExceptions = "0"
Again In the right panel, locate and delete the entry:
DisableNotifications = "1"
Close Registry Editor.

Step 5

Restore these modified registry values

[ Learn More ]

Important:Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.

In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- From: Hidden = "2"
  To: Hidden = "1"

Step 6

Restore these deleted registry keys/values from backup

*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.

HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Step 7

Search and delete AUTORUN.INF files created by PE_SALITY.SM-O that contain these strings

[ Learn More ]

[AutoRun]
;{garbage characters}
shell\open\default = 1
;{garbage characters}
open = {Random Filename}.{exe/pif/cmd}
;{garbage characters}
shell\open\command = {Random Filename}.{exe/pif/cmd}
;{garbage characters}
shell\explore\command = {Random Filename}.{exe/pif/cmd}
;{garbage characters}
shell\autoplay\command = {Random Filename}.{exe/pif/cmd}
;{garbage characters}

To identify and delete AUTORUN.INF files created:

For Windows 2000, Windows XP, and Windows Server 2003:

Right-click the Start button then choose Search... or Find..., depending on the version of Windows you are running.
In the File name* input box, type:
AUTORUN.INF
In the Look in: drop-down list, select a drive, then press Enter.
Select the file, then open using Notepad.
Check if the following lines are present in the file:
[AutoRun]
;{garbage characters}
shell\open\default = 1
;{garbage characters}
open = {Random Filename}.{exe/pif/cmd}
;{garbage characters}
shell\open\command = {Random Filename}.{exe/pif/cmd}
;{garbage characters}
shell\explore\command = {Random Filename}.{exe/pif/cmd}
;{garbage characters}
shell\autoplay\command = {Random Filename}.{exe/pif/cmd}
;{garbage characters}
If the lines are present, delete the file.
Repeat steps 3 to 6 for the remaining AUTORUN.INF files in other remaining removable drives.
Close Search Results.

*Note: The file name input box title varies depending on the Windows version (e.g. Search for files or folders named or All or part of the file name.).

For Windows Vista, Windows 7, Windows Server 2003, Windows 8, Windows 8.1, and Windows Server 2012:

Open a Windows Explorer window.
- For Windows Vista, 7, and Server 2008 users, click Start>Computer.
- For Windows 8, 8.1, and Server 2012 users, right-click on the lower left corner of the screen, then click File Explorer.
In the Search Computer/This PC input box, type:
AUTORUN.INF
Select the file, then open using Notepad.
Check if the following lines are present in the file:
[AutoRun]
;{garbage characters}
shell\open\default = 1
;{garbage characters}
open = {Random Filename}.{exe/pif/cmd}
;{garbage characters}
shell\open\command = {Random Filename}.{exe/pif/cmd}
;{garbage characters}
shell\explore\command = {Random Filename}.{exe/pif/cmd}
;{garbage characters}
shell\autoplay\command = {Random Filename}.{exe/pif/cmd}
;{garbage characters}
If the lines are present, delete the file.
Repeat steps 3 to 5 for the remaining AUTORUN.INF files in other remaining removable drives.
Close Search Results.

Step 8

Remove the following string/s that this malware/grayware added to these system configuration files

[ Learn More ]

[MCIDRV_VER]
DEVICEMB={Random Numbers}

Step 9

The following created files/folders/registry keys/registry entries cannot be identified by the user since there are no reference values in the created key. The only way it can be identified is by comparing the present system information with a backup. Note that the said components do not have to be deleted since it won't be harmful to the system.

%System%\drivers\{random}.sys
HKEY_CURRENT_USER\Software\{random}
HKEY_CURRENT_USER\Software\{random}\{random value}

Step 10

Scan your computer with your Trend Micro product to delete files detected as PE_SALITY.SM-O. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 11

Reset Internet security settings

[ Learn More ]

Did this description help? Tell us how we did.

PE_SALITY.SM-O

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters