Virus: W32/Sality.AB.2
Date discovered: 23/11/2010
Type: File infector
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: No
VDF version: 7.10.06.132
IVDF version: 7.10.14.82 - Tuesday, November 23, 2010

General

Methods of propagation:
   • Infects files


Aliases:
   •  Kaspersky: Trojan-Dropper.Win32.Drooptroop.kyd
   •  F-Secure: Trojan-Dropper.Win32.Drooptroop.kyd
   •  Bitdefender: MemScan:Trojan.Generic.5211174
   •  AVG: Generic20.XAD
   •  Grisoft: Generic20.XAD
   •  Eset: Win32/Kryptik.ING
   •  DrWeb: Trojan.Packed.21232


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Drops a file
   • Drops a malicious file
   • Infects files

Files

It copies itself to the following location:
   • %HOME%\Start Menu\Programs\Startup\culuorba.exe



The following files are created:

– Non malicious file:
   • %PROGRAM FILES%\Internet Explorer\dm**********nf.dat

– %executed file's name without extension%mgr.exe
It is executed once it has been fully created. Further investigation showed that this file is also malware. Detected as: W32/Sality.AB.2

File infection

Infector type:

Appender - The virus main code is added at the end of the infected file.
– The last section of the file is modified to include the virus code.


Method:

This direct-action infector actively searches for files.


The following files are infected:

By file type:
   • Windows Executables (*.exe)
   • Windows Dynamic Link Libraries (*.dll)
   • HyperText Markup Language (*.htm/ *.html)

Injection

Process name:
   • Iexplore.exe


Description inserted by Jason Soo on Wednesday, June 1, 2011
Description updated by Jason Soo on Thursday, June 2, 2011
