Virus.Win32.Sality_e1d5b7cf24

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Virus creates the following process(es):The Virus injects its code into the following process(es):

e1d5b7cf243b5d1391b6285b28fa88f5.exe:1280
PALKAZ~1.EXE:740

File activity

The process e1d5b7cf243b5d1391b6285b28fa88f5.exe:1280 makes changes in a file system.

The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Server.exe (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PALKAZ~1.EXE (81671 bytes)

The process PALKAZ~1.EXE:740 makes changes in a file system.

The Virus creates and/or writes to the following file(s):

%WinDir%\system.ini (70 bytes)
D:\ebqg.exe (103 bytes)
D:\disablejavawarnsec.exe (1176 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (1336 bytes)
D:\autorun.inf (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winerdas.exe (741 bytes)
C:\bjigp.exe (103 bytes)
C:\autorun.inf (346 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)

The Virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\winerdas.exe (0 bytes)

Registry activity

The process e1d5b7cf243b5d1391b6285b28fa88f5.exe:1280 makes changes in a system registry.

The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 18 81 62 74 B1 24 E2 FE 2C 21 8F E8 EA 72 35"

To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The process PALKAZ~1.EXE:740 makes changes in a system registry.

The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_0" = "3299283285"

[HKCU\Software\Aas\695404737]
"35845605" = "463"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas\695404737]
"50183847" = "46481C6470CB6053A2944ECDB4DDE4665193DA4B365617F8DA3A7326E04FD138F32C7957E43E337B787B1FCE134E25C8FA8DDBE4C1B3A071973E11A56D33E05BAE13122A827142E165599DED991297931C47B4D5893CF802CE6B34169D08445CA2A755591705B86FAD56E544425A439E5A1200FA860F72B58819476DE5B7A125"

[HKCU\Software\Aas]
"a3_0" = "17001001"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas\695404737]
"43014726" = "0D00687474703A2F2F6B6C75637A6577736B6F2E676D696E612E706C2F696D616765732F78732E6A706700687474703A2F2F342D656475636174696F6E746563682E636F6D2F732E6A706700687474703A2F2F6172746535372E636F6D2E62722F696D616765732F78732E6A706700687474703A2F2F7777772E746F75722D73746172742E636F6D2E75612F696D616765732F6C6F676F662E67696600687474703A2F2F76756E677461756361722E636F6D2F696D616765732F78732E6A706700687474703A2F2F61686D65646661686D792E6E616D652F6C6F676F662E67696600687474703A2F2F61706164616E617075622E636F6D2F6C6F676F662E67696600687474703A2F2F726F63657374657266632E636F6D2F696D616765732F78732E6A706700687474703A2F2F736F6E656F2E66722F696D672F78732E6A706700687474703A2F2F6D656C696B6E616B69732E636F6D2F6C6F676F2E67696600687474703A2F2F7374726574666F7264656E64666C6167732E636F6D2F696D616765732F78732E6A706700687474703A2F2F7A6F6E61656C656374726F2E726F2F696D616765732F78732E6A706700687474703A2F2F36382E3136382E3232322E3230362F6C6F676F732E676966"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Aas\695404737]
"14338242" = "0"

[HKCU\Software\Aas\695404737]
"7169121" = "129"

[HKCU\Software\Aas\695404737]
"21507363" = "0"

[HKCU\Software\Aas\695404737]
"28676484" = "35"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 03 05 0C 9D 9E B1 EF 64 95 D0 93 76 0C 4D DD"

[HKCU\Software\Aas]
"a2_0" = "9832"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a4_0" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP]
"PALKAZ~1.EXE" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\PALKAZ~1.EXE:*:Enabled:ipsec"

Network activity (URLs)

No activity has been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate the original Virus's process (How to End a Process With the Task Manager).
2. Delete the original Virus file.
   
3. Delete or disinfect the following files created/modified by the Virus:

   %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Server.exe (2712 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PALKAZ~1.EXE (81671 bytes)
   %WinDir%\system.ini (70 bytes)
   D:\ebqg.exe (103 bytes)
   D:\disablejavawarnsec.exe (1176 bytes)
   %Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (1336 bytes)
   D:\autorun.inf (236 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\winerdas.exe (741 bytes)
   C:\bjigp.exe (103 bytes)
   C:\autorun.inf (346 bytes)
   %Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
   "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps