Virus: W32/Sality.L
Date discovered: 29/06/2006
Type: File infector
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
File size: 77.824 Bytes
MD5 checksum: 0b59dde5aef0895efb89fd32c06eaf67
VDF version: 6.35.00.93
IVDF version: 6.35.00.108 - Monday, July 3, 2006

General

Methods of propagation:
   • Infects files
   • Local network


Aliases:
   •  Kaspersky: Email-Worm.Win32.VB.bf
   •  F-Secure: Email-Worm:W32/Rays.B
   •  Sophos: W32/Sality-AI
   •  Bitdefender: Trojan.Agent.VB.BFY
   •  AVG: Win32/Sality
   •  Grisoft: Win32/Sality
   •  Eset: Win32/Sality.NAE virus
   •  DrWeb: Win32.HLLW.Generic.98


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Drops malicious files
   • Infects files

Files

It copies itself to the following location:
   • %WINDIR%\FONTS\%random character string%.com



It modifies the following file:
   • %WINDIR%\system.ini



The following files are created:

– A file that is for temporary use and might be deleted afterwards:
   • %SYSDIR%\olemdb32.dl_

– %SYSDIR%\olemdb32.dll Further investigation showed that this file is malware, too. Detected as: W32/Sality.L

Registry

One of the following values is added in order to run the process after reboot:

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "TempCom"="%WINDIR%\FONTS\%random character string%.com"



The following registry keys are changed:

Various Explorer settings:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
   Old value:
   • "FullPath"="dword:0x00000000"
   New value:
   • "FullPath"="dword:0x00000001"

Various Explorer settings:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "Hidden"="dword:0x00000001"
   • "HideFileExt"="dword:0x00000000"
   • "TaskbarGlomming"="dword:0x00000000"
   New value:
   • "Hidden"="dword:0x00000000"
   • "HideFileExt"="dword:0x00000001"
   • "TaskbarGlomming"="dword:0x00000000"

File infection

Infector type:

Appender - The virus main code is added at the end of the infected file.
One section is added to the infected file:
   • krdata

Embedded - The virus inserts its code throughout the file (in one or more places).


Method:

This direct-action infector actively searches for files.


The following file is infected:

By file type:
   • *.exe

Description created by Chiaho Heng on Monday, April 11, 2011
Description updated by Chiaho Heng on Wednesday, April 13, 2011
