Virus.Win32.Sality_607079af73
Trojan.Clive.B (BitDefender), Virus:Win32/Sality.AM (Microsoft), Trojan.Win32.Agent.aec (Kaspersky), Virus.Win32.Sality.ah (v) (VIPRE), Trojan.Clive.1 (DrWeb), Trojan.Clive.B (B) (Emsisoft), W32/Sality.gen.z (McAfee), W32.Sality.AE (Symantec), Virus.Win32.Sality (Ikarus), Trojan.Clive.B (FSecure), Worm/AutoRun.HL (AVG), Win32:Sality (Avast), PE_SALITY.JER (TrendMicro), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 607079af73e3af85f94fef92973a17fa
SHA1: 11c7f3e8951428fc765756504d1e26c366ee1c13
SHA256: 64e267ec209624b5fde899d9feafce2b8fca8f989bb4f7257f08dbe11d9eab11
SSDeep: 1536:3urtrYE4JDR5zZwJwtUqF98UGyk2TcAXtzdLnyWs1oosExV3IPD3CEc: JrYdlR56uFNGV2I4tzdwVK3Y
Size: 86528 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2006-12-13 15:15:04
Analyzed on: WindowsXP SP3 32-bit
Summary:
Virus. A program that recursively replicates a possibly evolved copy of itself.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Virus creates the following process(es):
WINMINE.EXE:2260
WINMINE.EXE:556
NOTEPAD.EXE:3084
NOTEPAD.EXE:3216
NOTEPAD.EXE:3156
NOTEPAD.EXE:2520
netsh.exe:3064
The Virus injects its code into the following process(es):
soundmix.exe:3892
File activity
The process soundmix.exe:3892 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\whsl.exe (601 bytes)
%WinDir%\system.ini (70 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (31 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (528 bytes)
%System%\dllcache\zipexr.dll (1137 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
%System%\drivers\etc\hosts.tmp (1592 bytes)
The Virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\whsl.exe (0 bytes)
C:\6f56e (0 bytes)
%System%\drivers\etc\hosts (0 bytes)
Registry activity
The process soundmix.exe:3892 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\adm914]
"a4_0" = "0"
"a1_0" = "3432392762"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableRegistryTools" = "1"
[HKCU\Software\adm914\695404737]
"43014726" = "0300687474703A2F2F6D617474666F6C6C2E65752E696E74657269612E706C2F6C6F676F732E67696600687474703A2F2F6D616365646F6E69612E6D79312E72752F6C6F676F682E67696600687474703A2F2F534F536954455F41564552495F534F5369544545452E6861686168"
[HKCR\exefile\shell\open\command]
"(Default)" = "soundmix %1 %*"
[HKCU\Software\adm914\695404737]
"14338242" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\adm914\695404737]
"7169121" = "35"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\adm914\695404737]
"35845605" = "111"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 50 C6 B6 1B 2D DA CF 2E A9 51 0A 6A 92 D5 11"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\adm914\695404737]
"28676484" = "35"
[HKCU\Software\adm914]
"a3_0" = "17001001"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\adm914\695404737]
"50183847" = "6A8EB8EE6F15FBC1B2341C5A79A1C8716A0B0671D611A9DFE588B5251BCB90F4C6D62AB00300E4C2DE90B64678C6E50F3BE6B13785ED32F13D93661E945F85AFDF0AA7F9AC495A362DD0668181CE388271C49738612462CF33BB804C75FABA62246831062E386CEA071D6823BFDF00DDF2D6FACF215C31DA9BEFC8A08EE26236"
[HKCU\Software\adm914]
"a2_0" = "5517"
[HKCU\Software\adm914\695404737]
"21507363" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskMgr" = "1"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%System%]
"soundmix.exe" = "%System%\soundmix.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"soundmix" = "%System%\soundmix.exe"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
The process WINMINE.EXE:2260 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 16 CD C9 6E 0D E2 AC 18 1B F7 63 1A 1C 25 34"
The process WINMINE.EXE:556 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 C6 9C 0D F9 7F 9B 6F 84 B4 B7 6C B5 52 AD EE"
The process NOTEPAD.EXE:3084 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 5A D3 33 CC 32 E6 6C A8 8C 4D 99 DE 31 A5 32"
The process NOTEPAD.EXE:3216 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F AE E8 6D D3 92 C0 4E EB 3E BC C2 4B 3A F2 52"
The process NOTEPAD.EXE:3156 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 FA 28 86 A5 7F 8C 36 38 0C CE 8D EA 1C 37 F6"
The process NOTEPAD.EXE:2520 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 CA 1B D1 AF 7A D4 6D 81 DB 67 D1 FB 00 76 E0"
The process netsh.exe:3064 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 B4 8D D6 83 EE 44 89 A2 99 CC 34 9F 45 18 BB"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
The Virus modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 858 bytes in size. The following strings are added to the hosts file listed below:
| 61.129.115.198 | www.xldd.com |
| 61.129.115.198 | www.ojiang.com |
| 61.129.115.198 | www.shuixian.net |
| 61.129.115.198 | www.xlarea.com |
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
WINMINE.EXE:2260
WINMINE.EXE:556
NOTEPAD.EXE:3084
NOTEPAD.EXE:3216
NOTEPAD.EXE:3156
NOTEPAD.EXE:2520
netsh.exe:3064 - Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%Documents and Settings%\%current user%\Local Settings\Temp\whsl.exe (601 bytes)
%WinDir%\system.ini (70 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (31 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (528 bytes)
%System%\dllcache\zipexr.dll (1137 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
%System%\drivers\etc\hosts.tmp (1592 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"soundmix" = "%System%\soundmix.exe" - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
