Date discovered: 29/06/2006
Type: File infector
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
File size: 77.824 Bytes
MD5 checksum: 0b59dde5aef0895efb89fd32c06eaf67
VDF version:
IVDF version: - Monday, July 3, 2006

General Methods of propagation:
   • Infects files
   • Local network

   • Kaspersky:
   • F-Secure: Email-Worm:W32/Rays.B
   • Sophos: W32/Sality-AI
   • Bitdefender: Trojan.Agent.VB.BFY
   • AVG: Win32/Sality
   • Grisoft: Win32/Sality
   • Eset: Win32/Sality.NAE virus
   • DrWeb: Win32.HLLW.Generic.98

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Drops malicious files
   • Infects files

Files
It copies itself to the following location:
   • %WINDIR%\FONTS\%random character

It modifies the following file:
   • %WINDIR%\system.ini

The following files are created:

– A temporary file that may be deleted afterwards:
   • %SYSDIR%\olemdb32.dl_

– A file that further investigation showed to be malware as well, detected as W32/Sality.L:
   • %SYSDIR%\olemdb32.dll

Registry
One of the following values is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "TempCom"="%WINDIR%\FONTS\%random character"

The following registry keys are changed:

Various Explorer settings:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
   Old value:
   • "FullPath"="dword:0x00000000"
   New value:
   • "FullPath"="dword:0x00000001"

Various Explorer settings:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "Hidden"="dword:0x00000001"
   • "HideFileExt"="dword:0x00000000"
   • "TaskbarGlomming"="dword:0x00000000"
   New value:
   • "Hidden"="dword:0x00000000"
   • "HideFileExt"="dword:0x00000001"
   • "TaskbarGlomming"="dword:0x00000000"

File infection
Infector type:

Appender - The virus main code is added at the end of the infected file.
– The following section is added to the infected file (1 section is added):
   • krdata

Embedded - The virus inserts its code throughout the file (in one or more places).

This direct-action infector actively searches for files.

The following files are infected:

By file type:
   • *.exe
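The appender layout described above (a trailing section named krdata whose raw data runs to the end of the file) can be checked for with a plain PE section-header walk. The following script is an added example written for this page, not Avira's detection logic; the synthetic PE image it builds for its own test is constructed here and is not the sample.

```python
import struct

SUSPECT_SECTION = b"krdata"  # section name this description reports being appended

def pe_section_headers(data: bytes):
    """Return [(name, virtual_address, raw_size, raw_offset)] for every section
    header in a PE image. Raises ValueError on a malformed header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    sec_off = pe_off + 4 + 20 + opt_size                       # first section header
    sections = []
    for i in range(nsec):
        name, _vsize, vaddr, rsize, roff = struct.unpack_from("<8sIIII", data, sec_off + i * 40)
        sections.append((name.rstrip(b"\0"), vaddr, rsize, roff))
    return sections

def appended_krdata(data: bytes) -> bool:
    """True when the LAST section is named krdata and its raw bytes end exactly at
    end of file, i.e. the appender layout described for this infector."""
    secs = pe_section_headers(data)
    if not secs:
        return False
    name, _vaddr, rsize, roff = secs[-1]
    return name == SUSPECT_SECTION and roff + rsize == len(data)

def build_sample(section_names, payload=b"\x90" * 16):
    """Construct a tiny synthetic PE32 image (constructed test input, not a runnable
    program and not the malware) with the given section names, each holding `payload`."""
    opt = b"\0" * 0xE0                                         # placeholder optional header
    nsec = len(section_names)
    hdr_end = 0x40 + 4 + 20 + len(opt) + 40 * nsec             # where raw data starts
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, len(opt), 0x102)
    sec_hdrs, body = b"", b""
    for i, name in enumerate(section_names):
        roff = hdr_end + i * len(payload)
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload),
                                0x1000 * (i + 1), len(payload), roff, 0, 0, 0, 0, 0x60000020)
        body += payload
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    return dos + b"PE\0\0" + coff + opt + sec_hdrs + body
```

A hit on this check is a triage signal, not a verdict: confirm with the hash above or a scan, since any legitimate file could carry a section with that name.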

Description inserted by Chiaho Heng on Monday, April 11, 2011
Description updated by Chiaho Heng on Wednesday, April 13, 2011
