Virus: W32/Sality.Y
Date discovered: 06/08/2008
Type: File infector
In the wild: Yes
Reported infections: Low to medium
Distribution potential: Medium
Damage potential: Medium to high
Static file: No
IVDF version: 7.00.05.207
Engine version: 8.01.01.018

General

Methods of propagation:
• Infects files
• Local network
• Mapped network drives

Aliases:
• Symantec: W32.Sality.AE
• McAfee: W32/Sality.gen
• Kaspersky: Virus.Win32.Sality.aa
• TrendMicro: PE_SALITY.JER
• F-Secure: Virus.Win32.Sality.aa
• Sophos: W32/Sality-AM
• Panda: W32/Sality.AK
• VirusBuster: Sality.AQ.Gen
• Bitdefender: Win32.Sality.OG

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Infects files
• Lowers security settings
• Registry modification

Files

The following file is created:
– %SYSDIR%\drivers\%random words%.sys
Further investigation showed that this file is malware as well. Detected as: TR/Agent.5509

File infection

Infector type: Embedded - the virus inserts its code throughout the file (in one or more places).
Self modification: Polymorphic - the entire virus code changes from one infection to another. The virus contains a polymorphic engine.
Method: This memory-resident infector remains active in memory.
Infection length: Approximately 70.000 bytes

The following files are infected:
By file type:
• .EXE
Files in any of the following paths and all their subpaths:
• %drive%
• \\%local network computer%\%all shares%

Registry

The value of the following registry key is removed:
– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]

It creates the following entries in order to bypass the Windows XP firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
• "c:\\%filename%"="c:\\%filename%:*:Enabled:ipsec"
• "c:\windows\\system32\\ctfmon.exe"="c:\windows\\system32\\ctfmon.exe:*:Enabled:ipsec"

The following registry key is added:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
• "DisableTaskMgr"=dword:00000001
• "DisableRegistryTools"=dword:00000001

The following registry keys are changed:
– [HKLM\SOFTWARE\Microsoft\Security Center]
Old value:
• "AntiVirusDisableNotify"=dword:00000000
• "FirewallDisableNotify"=dword:00000000
• "UpdatesDisableNotify"=dword:00000000
• "AntiVirusOverride"=dword:00000000
• "FirewallOverride"=dword:00000000
New value:
• "AntiVirusDisableNotify"=dword:00000001
• "FirewallDisableNotify"=dword:00000001
• "UpdatesDisableNotify"=dword:00000001
• "AntiVirusOverride"=dword:00000001
• "FirewallOverride"=dword:00000001
• "UacDisableNotify"=dword:00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Old value:
• "Hidden"=dword:00000001
New value:
• "Hidden"=dword:00000002

Miscellaneous

Mutex:
It creates the following mutex:
• Op1mutx9
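Added triage check, not part of the Avira description: a read-only PowerShell script that looks on a Windows host for the registry changes and the mutex listed above. The registry paths, values and the mutex name are taken from the description; the Test-RegValue helper and the Global\ mutex variant are this example's own assumptions.

```powershell
# Added example: read-only triage for the W32/Sality.Y indicators listed above.
# Run from an elevated PowerShell session on the suspect host; nothing is modified.
# Assumed: registry paths and the mutex name exactly as published in the description.
$findings = @()

function Test-RegValue($Path, $Name, $Expected) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Name -eq $Expected)
}
# 1. Security Center notification/override flags flipped to 1
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($v in 'AntiVirusDisableNotify','FirewallDisableNotify','UpdatesDisableNotify',
              'AntiVirusOverride','FirewallOverride','UacDisableNotify') {
    if (Test-RegValue $sc $v 1) { $findings += "Security Center\$v = 1" }
}

# 2. Task Manager and Registry Editor disabled for the current user
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($v in 'DisableTaskMgr','DisableRegistryTools') {
    if (Test-RegValue $pol $v 1) { $findings += "Policies\System\$v = 1" }
}

# 3. Explorer "show hidden files" forced back to 2 (do not show)
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if (Test-RegValue $adv 'Hidden' 2) { $findings += 'Explorer\Advanced\Hidden = 2' }

# 4. SafeBoot key removed: without it the machine cannot boot into Safe Mode
if (-not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot')) {
    $findings += 'SafeBoot key missing'
}

# 5. Firewall exceptions written with the ":*:Enabled:ipsec" display name
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$list = Get-ItemProperty -Path $fw -ErrorAction SilentlyContinue
if ($list) {
    foreach ($p in $list.PSObject.Properties) {
        if ("$($p.Value)" -like '*:*:Enabled:ipsec') { $findings += "Firewall exception: $($p.Name)" }
    }
}

# 6. Infection-marker mutex present (Global\ prefix is an assumption; both forms checked)
$m = $null
foreach ($name in 'Op1mutx9','Global\Op1mutx9') {
    if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
        $findings += "Mutex $name exists"; $m.Dispose()
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No W32/Sality.Y indicators found' }
```

A hit on the Security Center or SafeBoot checks alone is not proof of Sality, but combined with the firewall exceptions and the mutex it is a strong signal that the host should be isolated and scanned offline.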
Description inserted by Razvan Olteanu on Monday, March 22, 2010 Description updated by Razvan Olteanu on Tuesday, March 30, 2010