Dreamer
Posted November 24, 2012 (edited)

Discovered: June 4, 2003
Updated: August 8, 2012 2:28:32 PM
Also Known As: W32/Kookoo-A [Sophos]
Type: Virus
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Server 2008, Windows 7, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

W32.Sality is an entry-point obscuring (EPO) polymorphic file infector. It will infect executable files on local, removable and remote shared drives. The virus also creates a peer-to-peer (P2P) botnet and receives URLs of additional files to download. It then attempts to disable security software.

Infection

W32.Sality will infect executable files on local, removable and remote shared drives. It replaces the original host code at the entry point of the executable to redirect execution to the polymorphic viral code, which has been encrypted and inserted in the last section of the host file. In addition to infecting local and remotely shared executable files, W32.Sality will purposely search for specific registry subkeys to infect the executable files that run when Windows starts.

Functionality

The W32.Sality family of threats has been around for some time, as the first versions surfaced in 2003 and may have originated in Russia. At that time, W32.Sality was a less complicated file infector, prepending its viral code to a host file and having back door capability and keylogging functionality. Over the years the core functionalities remained the same, but it has become more sophisticated by including additional features that aid worm-like propagation, ensure its survival, and perform maliciously damaging activities. Among these activities is the decentralized peer-to-peer (P2P) network that W32.Sality-infected computers create and populate.

As an entry-point obscuring (EPO) polymorphic file infector, the virus gains control of the host body by overwriting the file with complex and encrypted code instructions. The goal of the complex code is to make analysis more difficult for researchers to see the real purpose and functionality implemented in the code. It spreads by infecting executable files on local, removable and remote shared drives. Infected files will have their original, initial instructions overwritten by complex code instructions, with the encrypted viral code body located in the last section of the file.

The threat participates in a P2P botnet and receives URLs of additional files to download. Downloading and executing other malware or security risks is one of the primary goals of this virus. A compromised host carries with it a list of HTTP URLs that point to resources to be downloaded, decrypted, and executed. These URLs can also point to more URLs. The encryption used is RC4 with static keys embedded in the compromised host.

The threat also attempts to disable security software and modify security configurations. It alters the safe mode functionality to ensure it remains on the compromised computer. To help hide its presence and ensure continuity of execution, it will inject itself into all running processes except processes that belong to the system, the local service or the network service.

SYMANTEC PROTECTION SUMMARY

The following content is provided by Symantec to protect against this threat family.

Antivirus signatures: W32.Sality, W32.HLLP.Sality.O, W32.HLLP.Sality.Q, W32.Sality.R, W32.Sality.S, W32.Sality.U, W32.Sality.V, W32.Sality.X, W32.Sality.Y, W32.Sality.AB, W32.Sality.AE, W32.Sality.AM

Antivirus (heuristic/generic): W32.HLLP.Sality!inf, W32.Sality!dr, W32.Sality.V!inf, W32.Sality.Y!inf

Browser protection: Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.

Intrusion Prevention System: HTTP W32.Sality Activity, SMB Sality File Activity, SMB Critical File Tamper Activity

Antivirus Protection Dates
Initial Rapid Release version: April 6, 2003
Latest Rapid Release version: October 16, 2012 revision 032
Initial Daily Certified version: April 6, 2003
Latest Daily Certified version: October 17, 2012 revision 002
Initial Weekly Certified release date: April 9, 2003

Threat Assessment

Wild
Wild Level: Medium
Number of Infections: 50 - 999
Number of Sites: 10+
Geographical Distribution: Medium
Threat Containment: Easy
Removal: Easy

Damage
Damage Level: Medium
Payload: Downloads files and URLs.
Modifies Files: Infects files on local drives and removable media.
Degrades Performance: Participation in a peer-to-peer (P2P) botnet may degrade performance.
Compromises Security Settings: Lowers security settings and may disable security-related processes and applications.

Distribution
Distribution Level: Medium
Target of Infection: Executable files on local, removable and remote shared drives.

PS: I know that this virus is not new, but last week I downloaded some app and Sality totally took over my PC. It first took over regedit, then disabled Task Manager and messed up all EXE files. Also, the proof that Sality32 is an advanced virus is that Kaspersky Lab created a special tool to remove this virus; the tool's name is Sality Killer.

Edited November 24, 2012 by gfx-er
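The infection mechanics quoted above (host code at the entry point replaced by a redirect into an encrypted viral body stored in the last section of the file) leave static traces that a defender can triage for without running the file. The script below is an added example written for this thread; it is not code from the original post, from Symantec, or from any Sality removal tool, and it was not derived from real Sality samples. It assumes a plain JMP rel32 as the simplest stand-in for the entry-point redirect (real polymorphic redirects differ), an entropy cut-off of 7.0 bits per byte as a "looks encrypted" threshold, and standard PE32 header layouts; the two-section PE built by make_sample_pe() is synthetic test input, not a real binary.

```python
"""Static triage for appended-section, entry-point-redirecting infectors (constructed example).
Parses a PE with plain struct calls (no pefile) and flags: a last section that is both
writable and executable, a near-random byte distribution in it, and an entry point that
jumps into it. make_sample_pe() builds a synthetic PE32 as test input; not a real sample."""
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # standard PE section characteristic bits
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.0              # bits/byte; assumed cut-off for "looks encrypted"

def shannon_entropy(buf):
    """Bits per byte of buf; 8.0 means every byte value is equally frequent."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(data):
    """Return (entry_rva, sections) from raw PE bytes; ValueError if not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return entry_rva, sections

def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None

def assess(data):
    """Return a list of findings; an empty list means none of the traits were seen."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return ["no sections"]
    findings = []
    last = sections[-1]
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append(f"last section {last['name']!r} is executable and writable")
    body = data[last["rawptr"]:last["rawptr"] + last["rawsize"]]
    ent = shannon_entropy(body)
    if ent > ENTROPY_THRESHOLD:
        findings.append(f"last section entropy {ent:.2f} suggests an encrypted body")
    ep_sec = section_for_rva(sections, entry_rva)
    if ep_sec is None:
        findings.append("entry point lies outside every section")
        return findings
    ep_off = ep_sec["rawptr"] + (entry_rva - ep_sec["va"])
    if data[ep_off] == 0xE9:  # JMP rel32: target = address of next instruction + rel32
        rel = struct.unpack_from("<i", data, ep_off + 1)[0]
        target = (entry_rva + 5 + rel) & 0xFFFFFFFF
        if ep_sec is not last and section_for_rva(sections, target) is last:
            findings.append(f"entry point jumps to RVA {target:#x} in last section")
    return findings

def make_sample_pe(infected):
    """Build a tiny two-section PE32 in memory (constructed test input, not a real binary)."""
    text_va, text_raw, text_size = 0x1000, 0x200, 0x200
    last_va, last_raw, last_size = 0x2000, 0x400, 0x400
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, text_va)                 # entry point = start of .text

    def sec(name, va, size, raw, chars):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, raw, 0, 0, 0, 0, chars)

    last_chars = 0xE0000040 if infected else 0xC0000040      # infected: +EXECUTE on .data
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + sec(b".text", text_va, text_size, text_raw, 0x60000020)
               + sec(b".data", last_va, last_size, last_raw, last_chars)).ljust(text_raw, b"\0")
    if infected:
        text = b"\xE9" + struct.pack("<i", last_va - (text_va + 5))  # JMP into .data
        last = bytes(range(256)) * 4                                  # stand-in for encrypted body
    else:
        text = b"\x55\x8B\xEC"                                        # push ebp; mov ebp, esp
        last = b"Hello, world!\0"
    return headers + text.ljust(text_size, b"\0") + last.ljust(last_size, b"\0")

if __name__ == "__main__":
    for label, sample in (("clean", make_sample_pe(False)), ("infected", make_sample_pe(True))):
        print(label, assess(sample) or ["no findings"])
```

Running it prints no findings for the clean sample and three for the synthetic infected one. Each trait on its own is weak evidence (packers also produce high-entropy, executable last sections), which is why the script reports all three rather than a single verdict; in practice it is a first-pass filter before a signature or sandbox check, not a replacement for one.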