Virus.Win32.Sality_fd4515619f
not-a-virus:HEUR:AdWare.Win32.CrossRider.gen (Kaspersky), Win32.Sality.3 (B) (Emsisoft), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, Adware, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: fd4515619f6c98dfb2893e6ca39677f5
SHA1: 0acc0cdd6ad402cf82fea5e851470af16f602c84
SHA256: 91c66c5a092d7260641192376f71295bfeb85f4f38d47f00b6ac393b3bc27f07
SSDeep: 3072:95SGu/ol0ZdH8udmMcGvjOOQw0/HTI7VJUo6h3dzjTOSrvYP:L4QOVcGLOFw0PkVJUxhtzjTOSsP
Size: 191568 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-10-30 01:04:24
Analyzed on: WindowsXP SP3 32-bit
Summary:
Virus. A program that recursively replicates a possibly evolved copy of itself.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Virus creates the following process(es):
%original file name%.exe:312
The Virus injects its code into the following process(es):
Explorer.EXE:1140
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:312 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ie-error[1].gif (43 bytes)
Registry activity
The process %original file name%.exe:312 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "145"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Aas\695404737]
"35845605" = "390"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Aas]
"a2_7" = "50179021"
"a2_6" = "43011373"
"a2_5" = "35840834"
"a2_4" = "28674968"
"a2_3" = "21510217"
"a2_2" = "14347528"
"a2_1" = "7175664"
"a2_0" = "9832"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Aas]
"a2_9" = "64527510"
"a4_5" = "35845605"
"a4_4" = "28676484"
"a4_7" = "50183847"
"a4_6" = "43014726"
"a4_1" = "7169121"
"a4_0" = "0"
"a4_3" = "21507363"
"a4_2" = "14338242"
"a4_9" = "64522089"
"a4_8" = "57352968"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas\695404737]
"50183847" = "8D482144D6AB9E65AB5D732E35BA327F2DCEC983D41A37D56DAFF40919CA9630CDF6902C1C5EAEE675386957562866F4069CED404BFAB7C8B60A4167F6A7847BEF830A6F30C03ADD6EA841B65CA653F5F5B7C53F251A450424A27E7AC478835F982AE213A3634E32F62DF34219E6C9D7744EEF2F97FD353F0C698D9D20F10EC0"
[HKCU\Software\Aas]
"a2_8" = "57358372"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas\695404737]
"21507363" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C BF 74 53 FF 50 CD BA 2A 17 76 CD 7F 7E 89 DF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Aas]
"a1_0" = "3299283285"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Aas\695404737]
"43014726" = "0B00687474703A2F2F6A6577656C6C65727962617A6161722E6E65742F6C6F676F2E67696600687474703A2F2F63617361656261722E636F6D2E62722F6C6F676F2E67696600687474703A2F2F63616E6F7373616468756C652E696E2F6C6F676F2E67696600687474703A2F2F63616E7365736961736B6E65666573692E636F6D2F696D672F6C6F676F2E67696600687474703A2F2F686F773267657468617A616E61742E686F2E66756E7069632E64652F6C6F676F2E67696600687474703A2F2F7777772E65766973686F702E64652F6C6F676F2E67696600687474703A2F2F6368696875616875617570696E67686F6D652E636F6D2F6C6F676F2E67696600687474703A2F2F64656861737061732E636F6D2F6C6F676F2E67696600687474703A2F2F64657664696A6974616C2E636F6D2F6C6F676F2E67696600687474703A2F2F736F6272656E61747572616C62722E6E65742F6C6F676F2E67696600687474703A2F2F6469726569746F7075626C69636F2E636F6D2E62722F6C6F676F2E676966"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Aas\695404737]
"28676484" = "35"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_1" = "1129195820"
"a1_2" = "1603252887"
"a1_3" = "3592883066"
"a1_4" = "138977351"
"a1_5" = "3374050905"
"a1_6" = "109095674"
"a1_7" = "1584018921"
"a1_8" = "191387998"
"a1_9" = "3842876976"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Aas]
"a3_8" = "40388897"
"a3_9" = "47967552"
"a3_6" = "59977839"
"a3_7" = "67032206"
"a3_4" = "11991981"
"a3_5" = "52535244"
"a3_2" = "31040235"
"a3_3" = "4933386"
"a3_0" = "17001001"
"a3_1" = "23989832"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Virus modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
The Virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Virus modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
The Virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| b58a562b755ed0289949a285b3f8a8a5 | c:\egrnkw.pif |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 83898 | 83968 | 4.61102 | 5e5acccb765f21d6756dfa225c9cbb7d |
| .rdata | 90112 | 24450 | 24576 | 3.3004 | 6f7835a003d44762851e262f02b2a4dd |
| .data | 114688 | 12780 | 4608 | 2.41194 | 8f8fc7645a4814b0ed293d70c6637578 |
| .rsrc | 131072 | 77824 | 75264 | 5.53685 | b7e9b4b4bce6ba2b4df083938ad94cf3 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Virus connects to the servers at the folowing location(s):
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text
Explorer.EXE_1140_rwx_01E00000_00001000:
|explorer.exeM_1140_
Explorer.EXE_1140_rwx_03A00000_0108E000:
c:\windows
hXXp://jewellerybazaar.net/logo.gif
hXXp://casaebar.com.br/logo.gif
hXXp://canossadhule.in/logo.gif
hXXp://cansesiasknefesi.com/img/logo.gif
hXXp://how2gethazanat.ho.funpic.de/logo.gif
hXXp://VVV.evishop.de/logo.gif
hXXp://chihuahuaupinghome.com/logo.gif
hXXp://dehaspas.com/logo.gif
hXXp://devdijital.com/logo.gif
hXXp://sobrenaturalbr.net/logo.gif
hXXp://direitopublico.com.br/logo.gif
%System%\drivers\jomnk.sys
5192814616
.rsrc
.text
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
KERNEL32.dll
USER32.dll
h.rdata
H.data
.reloc
ntoskrnl.exe
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50728)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
ipfltdrv.sys
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\amsint32
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
A2CMD.
ASHWEBSV.
AVGCC.AVGCHSVX.
DRWEB
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBSCANX.
.adata
M_%d_
%c%d_%d
?456789:;<=
!"#$%&'()* ,-./0123
GetProcessHeap
GetWindowsDirectoryA
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
&3&3&3&389
.rdata
.data
Bkrnl.exe?
= =$=(=,=
322%2`.50728)
.klkjw:9fqwi
FamXf39.sys
.pBTa8
%s:*:
Bg.laXV
&?%x=
GUrlA'
Web%w|nc
HTTP)
2GUARDCMD.
.ENHCDM
PL/KPCKwWEB
MM.PFW.
.bssf
J:CRT
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:312
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ie-error[1].gif (43 bytes) - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
