Virus.Win32.Sality_a1fef972ca
Trojan.Win32.CoinMiner.f (Kaspersky), Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: a1fef972ca278c0ac8a18c78a229fd00
SHA1: d4a2966728fc8b93d3343666af5dca7dbd80cfd1
SHA256: ab8611fa5c837b72a33e012e7dcfc5e5cd7e95a5400f05f59e50f37b21c1c769
SSDeep: 24576:RU7hnM4JhAjky95X4G1EUW rFPghl3FXnGBXNFNMTT2vuq/NNPhAmH3XQKD52Zs :RSNo8G2UWIFSlVnGBHNg8XF2ZsYdb
Size: 1889776 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-01-19 03:48:03
Analyzed on: WindowsXP SP3 32-bit
Summary:
Virus. A program that recursively replicates a possibly evolved copy of itself.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Virus creates the following process(es):
No processes have been created.
The Virus injects its code into the following process(es):
%original file name%.exe:376
Explorer.EXE:692
File activity
The process %original file name%.exe:376 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%WinDir%\system.ini (70 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vroxtl.exe (741 bytes)
C:\fcsjgn.pif (103 bytes)
C:\autorun.inf (207 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)
The Virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\vroxtl.exe (0 bytes)
Registry activity
The process %original file name%.exe:376 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_0" = "456026198"
[HKCU\Software\Aas\695404737]
"35845605" = "267"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas\695404737]
"50183847" = "23E4F7F25F8A545EF07859773043475EDD1D103E2D9C27F1F3A268ED09F30DE884DB9D92FD831B72EEF599E8C233EB23FBE7145BFA46281679ED385593CEE8869548167F08C5681A4B967232DBC5E0E01EC06026FCE8B24FCB589B28C073413E3C9C326851C4731397E851C96D85B6EDDDAA4E25FA227776D385991927AE94FC"
"43014726" = "0800687474703A2F2F616C7468617772792E6F72672F696D616765732F78732E6A706700687474703A2F2F7777772E6361726565726465736B2E6F72672F696D616765732F78732E6A706700687474703A2F2F6172746875722E6E697269612E62697A2F78732E6A706700687474703A2F2F616D73616D65782E636F6D2F78732E6A706700687474703A2F2F6170706C652D7069652E696E2F696D616765732F78732E6A706700687474703A2F2F61686D65646979652E6E65742F78732E6A706700687474703A2F2F67322E6172726F776869746563682E636F6D2F78732E6A706700687474703A2F2F616D7079617A696C696D2E636F6D2E74722F696D616765732F7873322E6A7067"
[HKCU\Software\Aas]
"a3_0" = "17001001"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas\695404737]
"21507363" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "136"
"28676484" = "35"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 9F 28 33 31 29 4C ED B0 73 0E AA AB 84 93 1B"
[HKCU\Software\Aas]
"a2_0" = "8203"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_0" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Adds a rule to the Windows Firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
The firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Keyboard Inf." = "c:\%original file name%.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 7e4a8d528583eaa7426ff579a405c2aa | c:\fcsjgn.pif |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .code | 4096 | 30617 | 30720 | 3.69706 | 3a4bfcb59229041794d416569ecb170d |
| .text | 36864 | 52141 | 52224 | 4.411 | 494809271f46b0b784725f6c52af2d69 |
| .rdata | 90112 | 228 | 512 | 0.771125 | 461cc1d3ae57efe5cf2a8f2051d02559 |
| .data | 94208 | 19484 | 18944 | 2.33296 | 7499e2fee4b7274eecaff15af525f4a4 |
| .rsrc | 114688 | 81920 | 79360 | 5.53825 | b4ee9a89348a1fe3de5ae6a6745420a9 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%WinDir%\system.ini (70 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vroxtl.exe (741 bytes)
C:\fcsjgn.pif (103 bytes)
C:\autorun.inf (207 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Keyboard Inf." = "c:\%original file name%.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.