Date discovered: 29/06/2006
Type: File infector
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
File size: 77.824 Bytes
MD5 checksum: 0b59dde5aef0895efb89fd32c06eaf67
VDF version:
IVDF version: - Monday, July 3, 2006

General

Methods of propagation:
   • Infects files
   • Local network

   •  Kaspersky:
   •  F-Secure: Email-Worm:W32/Rays.B
   •  Sophos: W32/Sality-AI
   •  Bitdefender: Trojan.Agent.VB.BFY
   •  AVG: Win32/Sality
   •  Grisoft: Win32/Sality
   •  Eset: Win32/Sality.NAE virus
   •  DrWeb: Win32.HLLW.Generic.98

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Drops malicious files
   • Infects files

Files

It copies itself to the following location:
   • %WINDIR%\FONTS\%random character

It modifies the following file:
   • %WINDIR%\system.ini

The following files are created:

– A file that is for temporary use and it might be deleted afterwards:
   • %SYSDIR%\olemdb32.dl_

– %SYSDIR%\olemdb32.dll Further investigation pointed out that this file is malware, too. Detected as: W32/Sality.L

Registry

One of the following values is added in order to run the process after reboot:

   • "TempCom"="%WINDIR%\FONTS\%random character"

The following registry keys are changed:

Various Explorer settings:

   Old value:
   • "FullPath"="dword:0x00000000"
   New value:
   • "FullPath"="dword:0x00000001"

Various Explorer settings:

   Old value:
   • "Hidden"="dword:0x00000001"
   • "HideFileExt"="dword:0x00000000"
   • "TaskbarGlomming"="dword:0x00000000"
   New value:
   • "Hidden"="dword:0x00000000"
   • "HideFileExt"="dword:0x00000001"
   • "TaskbarGlomming"="dword:0x00000000"

File infection

Infector type:

Appender - The virus main code is added at the end of the infected file.
1 section is added to the infected file:
   • krdata

Embedded - The virus inserts its code throughout the file (in one or more places).


This direct-action infector actively searches for files.

The following file is infected:

By file type:
   • *.exe

Description inserted by Chiaho Heng on Monday, April 11, 2011
Description updated by Chiaho Heng on Wednesday, April 13, 2011