Nume:W32/Sality.AA
Descoperit pe data de:21/11/2008
Tip:File Infector
ITW:Da
Numar infectii raportate:Scazut spre mediu
Potential de raspandire:Mediu
Potential de distrugere:Mediu spre ridicat
Fisier static:Nu
Versiune IVDF:7.00.00.101 - Wednesday, October 17, 2007
Versiune motor de scanare:8.2.0.35

 General Metode de raspandire:
   • Reteaua locala
   • Discuri de retea mapate


Alias:
   •  Mcafee: W32/Sality.gen virus
   •  Kaspersky: Virus.Win32.Sality.aa
   •  F-Secure: Virus.Win32.Sality.aa
   •  Eset: Win32/Sality.NAU virus
   •  Bitdefender: Win32.Sality.OG


Sistem de operare:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Efecte secundare:
   • Reduce setarile de securitate
   • Modificari in registri

 Registrii sistemului Se adauga in registrii sistemului:

– [HKLM\SOFTWARE\Microsoft\Security Center\Svc]
   • "AntiVirusOverride"=dword:00000001
   • "AntiVirusDisableNotify"=dword:00000001
   • "FirewallDisableNotify"=dword:00000001
   • "FirewallOverride"=dword:00000001
   • "UpdatesDisableNotify"=dword:00000001
   • "UacDisableNotify"=dword:00000001



Urmatoarele chei din registri sunt modificate:

Diverse setari in Explorer:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Vechea valoare:
   • "Hidden"=dword:00000001
   Noua valoare:
   • "Hidden"=dword:00000002

Dezactiveaza Windows XP Firewall:
– [HKLM\SOFTWARE\Microsoft\Security Center]
   Vechea valoare:
   • "AntiVirusDisableNotify"=dword:00000000
   • "FirewallDisableNotify"=dword:00000000
   • "UpdatesDisableNotify"=dword:00000000
   • "AntiVirusOverride"=dword:00000000
   • "FirewallOverride"=dword:00000000
   • "UacDisableNotify"=dword:00000000
   Noua valoare:
   • "AntiVirusDisableNotify"=dword:00000001
   • "FirewallDisableNotify"=dword:00000001
   • "UpdatesDisableNotify"=dword:00000001
   • "AntiVirusOverride"=dword:00000001
   • "FirewallOverride"=dword:00000001
   • "UacDisableNotify"=dword:00000001

Dezactivarea programelor Regedit si Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system]
   Vechea valoare:
   • "DisableTaskMgr"=dword:00000000
   • "DisableRegistryTools"=dword:00000000
   Noua valoare:
   • "DisableTaskMgr"=dword:00000001
   • "DisableRegistryTools"=dword:00000001

 Infectie de fisiere Metoda:
Virusul ramane activ in memorie in timp ce infecteaza fisiere.


Urmatoarele fisiere sunt infectate:
Dupa tipul fisierelor:
   • *.EXE

Description inserted by Viktor Graeber on Thursday, August 6, 2009
Description updated by Andrei Gherman on Wednesday, December 16, 2009

Back . . . .