Virus.Win32.Sality_4642e25093
not-a-virus:AdWare.Win32.Shopper.adw (Kaspersky), Win32.Sality.3 (B) (Emsisoft), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, Adware, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 4642e25093a457e89643b5840f76fb8b
SHA1: f9781dc4ee09448f54f2b10eaafb316b85d1bfa7
SHA256: ffddc101cbbb8ca2ac581715b3b1de4bdf71716f38a2ce87a306f39cee8bfbcc
SSDeep: 24576:tVTnnungDmAyipYojZoTu3uzu2lnnQPL QgwpvDElGVjTkbwB2K:tRcgjZoTxyannBQV9DEIVEbwt
Size: 1506152 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-02-05 16:05:21
Analyzed on: WindowsXP SP3 32-bit
Summary:
Virus. A program that recursively replicates a possibly evolved copy of itself.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Virus creates the following process(es):
No processes have been created.
The Virus injects its code into the following process(es):
%original file name%.exe:584
Explorer.EXE:888
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:584 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%WinDir%\system.ini (70 bytes)
C:\autorun.inf (195 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winrgoc.exe (741 bytes)
C:\mmsb.pif (103 bytes)
The Virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\winrgoc.exe (0 bytes)
Registry activity
The process %original file name%.exe:584 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_0" = "4079183183"
[HKCU\Software\Aas\695404737]
"35845605" = "126"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas\695404737]
"50183847" = "1D871A696EEE8AC56F63CE2EBB23BA3471EF18EB1AA3AB551FF3A8B9F9C54AE9431FACFD2B3D2E7A746A1A9876DCFBDD7893F06B7D08BBD7EEB6BC659DA39F212059974A104C0E2FD36C5C5FA138C2A156496BA865106B76FF46E58563580A15F9928C36BA1D4CA04C4CBEC667525967886DE75CC2A91418D983CFE25BC2E3CC"
"43014726" = "0400687474703A2F2F3138342E3137332E3233382E3134302F6C6F676F2E67696600687474703A2F2F35302E32332E3234362E3138312F6C6F676F2E67696600687474703A2F2F3138342E3137332E3233382E3134302F6C6F676F2E67696600687474703A2F2F3231362E31322E3231392E35382F6C6F676F2E676966"
[HKCU\Software\Aas]
"a3_0" = "17001001"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "164"
"21507363" = "0"
"28676484" = "35"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 49 24 5C 24 FC FF F0 83 63 71 AA 1E 76 CD C0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas]
"a2_0" = "8092"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_0" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Dropped PE files
| MD5 | File path |
|---|---|
| 79316298553fa6d4fe460c9b150ae264 | c:\mmsb.pif |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name: GOOBZO
Product Name: YouTube Accelerator
Product Version: 1.0.0.1
Legal Copyright: Copyright (c) 2013 GOOBZO Ltd.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.1
File Description:
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 89973 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 94208 | 24108 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .data | 118784 | 12068 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .text1 | 131072 | 720896 | 663552 | 4.49187 | 22f650444521bea54d1a0305ba772395 |
| .adata | 851968 | 65536 | 53248 | 0 | 938d6d97628275a512e07c66be5ccecf |
| .data1 | 917504 | 196608 | 118784 | 3.17098 | 4248d0ab327fc07ec4e9142ac7343aa6 |
| .pdata | 1114112 | 589824 | 581632 | 5.5416 | 5d25202f49e460dc50e626274566a9be |
| .rsrc | 1703936 | 77824 | 77824 | 5.47156 | 93475c42404713f40ff95713ff967ce3 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Virus connects to the servers at the following location(s):
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%WinDir%\system.ini (70 bytes)
C:\autorun.inf (195 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winrgoc.exe (741 bytes)
C:\mmsb.pif (103 bytes)
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.