Skip to main content

Virus.Win32.Sality_88ecf6e020


Trojan.StartPage.ZSB (BitDefender), Trojan:Win32/Virumulu.A (Microsoft), Trojan.Win32.Pasta.kri (Kaspersky), Virus.Win32.Sality.at (v) (VIPRE), Trojan.StartPage.49217 (DrWeb), Trojan.StartPage.ZSB (B) (Emsisoft), StartPage-NT (McAfee), W32.SillyFDC (Symantec), Trojan.Win32.Pasta (Ikarus), Trojan.StartPage.ZSB (FSecure), Generic_r.YA (AVG), Win32:Kukacka (Avast), PE_SALITY.RL (TrendMicro), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan, Worm, Virus, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 88ecf6e0201394ef05447882d52bf490

SHA1: 46df57f65372ae327cb70004f1fab03eb5e2288d

SHA256: 4a2934f7a709b225b628e112339af1b22129ea8dca8fdff6f1b331c5077367ee

SSDeep: 3072:qQL/bCr7IPe5MLU3oc9BcuHSeiU2VUPIkp78:qQL/bCrSHthVOp8

Size: 231936 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 1991-04-26 11:52:23

Analyzed on: WindowsXP SP3 32-bit

Summary: Virus. A program that recursively replicates a possibly evolved copy of itself.

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Virus creates the following process(es):No processes have been created.The Virus injects its code into the following process(es):

cssrs.exe:3044
cssrs.exe:852
%original file name%.exe:2748

File activity

The process %original file name%.exe:2748 makes changes in the file system.


The Virus creates and/or writes to the following file(s):

%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00072846_Rar\%original file name%.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winpqtvh.exe (741 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000727E8_Rar\%original file name%.exe (1281 bytes)
%Documents and Settings%\%current user%\Application Data\cssrs.exe (1281 bytes)
C:\autorun.inf (463 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
C:\qwqvj.exe (103 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\cssrs.exe (2562 bytes)

The Virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\winpqtvh.exe (0 bytes)

Registry activity

The process cssrs.exe:3044 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 6A 39 67 9A D1 5A DB 9E 23 50 FC 25 83 2E DA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

The process cssrs.exe:852 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 73 C3 14 A6 8D 06 00 79 35 86 C8 46 11 E3 FB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

The process %original file name%.exe:2748 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Aas]
"a4_36" = "258088356"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Internet Explorer\AboutURLs]
"Tabs" = "http://www.114116.info"

[HKCU\Software\Aas]
"a4_30" = "215073630"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableRegistryTools" = "1"

[HKCU\Software\Aas]
"a2_28" = "200730203"

[HKCU\Software\Aas\695404737]
"14338242" = "0"

[HKCU\Software\Aas]
"a2_26" = "186394451"
"a2_27" = "193563047"

[HKCU\Software\Aas\695404737]
"7169121" = "129"

[HKCU\Software\Aas]
"a2_25" = "179235166"
"a2_22" = "157726012"
"a2_23" = "164895329"
"a2_20" = "143380219"
"a2_21" = "150548078"
"a2_7" = "50177222"
"a4_11" = "78860331"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.114116.info"

[HKCU\Software\Aas\695404737]
"35845605" = "463"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

[HKCU\Software\Aas]
"a4_10" = "71691210"
"a2_6" = "43011855"
"a2_5" = "35842072"
"a2_4" = "28676027"
"a2_3" = "21510861"
"a2_2" = "14341041"
"a2_1" = "7174278"
"a2_0" = "7005"
"a2_9" = "64526692"

"a4_5" = "35845605"
"a4_4" = "28676484"
"a4_7" = "50183847"
"a4_6" = "43014726"
"a4_1" = "7169121"
"a4_0" = "0"
"a4_3" = "21507363"
"a4_2" = "14338242"
"a4_9" = "64522089"
"a4_8" = "57352968"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskMgr" = "1"

[HKCU\Software\Aas]
"a3_35" = "267899754"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas\695404737]
"50183847" = "46481C6470CB6053A2944ECDB4DDE4665193DA4B365617F8DA3A7326E04FD138F32C7957E43E337B787B1FCE134E25C8FA8DDBE4C1B3A071973E11A56D33E05BAE13122A827142E165599DED991297931C47B4D5893CF802CE6B34169D08445CA2A755591705B86FAD56E544425A439E5A1200FA860F72B58819476DE5B7A125"

[HKCU\Software\Aas]
"a2_8" = "57344943"
"a1_28" = "3898948552"
"a1_12" = "825922261"
"a1_13" = "403945378"
"a1_10" = "2987639780"
"a1_11" = "58791782"
"a1_16" = "760911315"
"a1_17" = "302660683"
"a1_14" = "1113460503"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_18" = "3371584000"
"a1_19" = "3976137839"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKCU\Software\Aas\695404737]
"21507363" = "0"

[HKCU\Software\Aas]
"a3_36" = "241268621"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 AC 14 AB 2E 6A 4F 3D 5C 59 D7 57 B8 29 76 70"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden]
"CheckedValue" = "1"

[HKCU\Software\Aas]
"a3_18" = "112354555"
"a3_19" = "152901914"
"a3_14" = "83367783"
"a3_15" = "124488582"
"a3_16" = "131411001"
"a3_17" = "104906840"
"a3_10" = "88506851"
"a3_11" = "95435266"
"a3_12" = "69459621"
"a3_13" = "76378820"
"a4_37" = "265257477"
"a1_0" = "1211228002"
"a4_35" = "250919235"
"a4_34" = "243750114"
"a4_33" = "236580993"
"a4_32" = "229411872"
"a4_31" = "222242751"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKCU\Software\Aas]
"a3_33" = "253401768"
"a4_13" = "93198573"
"a4_38" = "272426598"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Aas]
"a4_12" = "86029452"
"a4_15" = "107536815"

[HKCU\Software\Aas\695404737]
"43014726" = "0D00687474703A2F2F6B6C75637A6577736B6F2E676D696E612E706C2F696D616765732F78732E6A706700687474703A2F2F342D656475636174696F6E746563682E636F6D2F732E6A706700687474703A2F2F6172746535372E636F6D2E62722F696D616765732F78732E6A706700687474703A2F2F7777772E746F75722D73746172742E636F6D2E75612F696D616765732F6C6F676F662E67696600687474703A2F2F76756E677461756361722E636F6D2F696D616765732F78732E6A706700687474703A2F2F61686D65646661686D792E6E616D652F6C6F676F662E67696600687474703A2F2F61706164616E617075622E636F6D2F6C6F676F662E67696600687474703A2F2F726F63657374657266632E636F6D2F696D616765732F78732E6A706700687474703A2F2F736F6E656F2E66722F696D672F78732E6A706700687474703A2F2F6D656C696B6E616B69732E636F6D2F6C6F676F2E67696600687474703A2F2F7374726574666F7264656E64666C6167732E636F6D2F696D616765732F78732E6A706700687474703A2F2F7A6F6E61656C656374726F2E726F2F696D616765732F78732E6A706700687474703A2F2F36382E3136382E3232322E3230362F6C6F676F732E676966"

[HKCU\Software\Aas]
"a4_14" = "100367694"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.114116.info"

[HKCU\Software\Aas]
"a4_17" = "121875057"
"a3_28" = "183865525"
"a4_16" = "114705936"
"a3_29" = "224867540"
"a4_19" = "136213299"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Aas]
"a4_18" = "129044178"
"a3_21" = "167399900"
"a3_20" = "159956413"
"a3_23" = "148336286"
"a3_22" = "140888703"
"a3_25" = "195929936"
"a3_24" = "188875569"
"a3_27" = "176880658"

[HKCU\Software\Aas\695404737]
"28676484" = "35"

[HKCU\Software\Aas]
"a4_24" = "172058904"
"a4_25" = "179228025"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a4_27" = "193566267"
"a4_20" = "143382420"
"a4_21" = "150551541"
"a4_22" = "157720662"
"a4_23" = "164889783"
"a2_29" = "207897060"
"a4_28" = "200735388"
"a4_29" = "207904509"
"a3_38" = "289377359"

"a1_22" = "3043988746"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden]
"CheckedValue" = "1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"blank" = "http://www.114116.info"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.114116.info"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"HideFileExt" = "1"

[HKCU\Software\Aas]
"a2_24" = "172051666"
"a3_37" = "248309804"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"

[HKCU\Software\Aas]
"a1_21" = "1788482465"
"a2_17" = "121878419"
"a2_16" = "114714455"
"a2_15" = "107543947"
"a2_14" = "100359779"
"a2_13" = "93193310"
"a2_12" = "86026708"
"a2_11" = "78859620"
"a2_10" = "71693911"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

[HKCU\Software\Aas]
"a3_26" = "169827315"
"a3_34" = "260325067"
"a2_19" = "136208824"
"a2_18" = "129046021"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_1" = "1248646716"
"a1_2" = "2929703579"
"a1_3" = "656244854"
"a1_4" = "1116828728"
"a1_5" = "3210431419"
"a1_6" = "1065974032"
"a1_7" = "112904693"
"a1_8" = "3024539217"
"a1_9" = "3243063350"
"a4_26" = "186397146"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.114116.info"

[HKCU\Software\Aas]
"a1_23" = "612572393"
"a1_29" = "259411080"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Aas]
"a3_8" = "40388897"
"a3_9" = "47967552"
"a3_6" = "59977839"
"a3_7" = "67032206"
"a3_4" = "11991981"
"a3_5" = "52535244"
"a3_2" = "31040235"
"a3_3" = "4933386"
"a3_0" = "17001001"
"a3_1" = "23989832"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKCU\Software\Aas]
"a1_20" = "3426680025"
"a3_30" = "231909751"
"a1_27" = "1288904525"
"a3_31" = "205278614"
"a1_26" = "607000963"
"a1_25" = "1809907629"
"a3_32" = "212854281"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
"CheckedValue" = "1"

[HKCU\Software\Aas]
"a1_24" = "1084996545"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Aas]
"a1_38" = "3510404379"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_30" = "2222232883"
"a1_31" = "3472283004"
"a1_32" = "747699833"
"a1_33" = "3998843608"
"a1_34" = "960655144"
"a1_35" = "921507071"
"a1_36" = "1181138427"
"a1_37" = "2430505052"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs" = "http://www.114116.info"

[HKCU\Software\Aas]
"a1_15" = "77382673"
"a2_31" = "222247643"
"a2_30" = "215078389"
"a2_33" = "236574186"
"a2_32" = "229416455"
"a2_35" = "250916704"
"a2_34" = "243747299"
"a2_37" = "265263322"
"a2_36" = "258082440"
"a2_38" = "272417873"

[HKCU\Software\Microsoft\Internet Explorer\AboutURLs]
"blank" = "http://www.114116.info"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TINTIMG" = "%Documents and Settings%\%current user%\Application Data\cssrs.exe"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Virus file.
  3. Delete or disinfect the following files created/modified by the Virus:

    %WinDir%\system.ini (70 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00072846_Rar\%original file name%.exe (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\winpqtvh.exe (741 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (840 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000727E8_Rar\%original file name%.exe (1281 bytes)
    %Documents and Settings%\%current user%\Application Data\cssrs.exe (1281 bytes)
    C:\autorun.inf (463 bytes)
    %Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
    C:\qwqvj.exe (103 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\cssrs.exe (2562 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TINTIMG" = "%Documents and Settings%\%current user%\Application Data\cssrs.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps