ThreatExpert Report: W32.Sality!dr, Virus.Win32.Sality.bh, W32/Sality.dr, Troj/SalLoad-C..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 20 June 2012, 15:35:59
Processing time: 10 min 59 sec
Submitted sample:

File MD5: 0x6B720F4F8C3901818BBAB26D115299C6
File SHA-1: 0xD5A5788222805C3D6672561ECE3A67A6C3D433D7
Filesize: 103,140 bytes
Alias:

W32.Sality!dr [Symantec]
Virus.Win32.Sality.bh [Kaspersky Lab]
W32/Sality.dr [McAfee]
Troj/SalLoad-C [Sophos]
Virus.Win32.Sality [Ikarus]
Win32/Kashu.E [AhnLab]

Summary of the findings:

What's been found	Severity Level
Sets the drive to autoplay by creating autorun.inf file in its root directory. If the drive is shared across the network then other remote computers can be infected any time they try to access this share.
Modifies some system settings that may have negative impact on overall system security state.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\autorun.inf	262 bytes	MD5: 0x647048CA4D2A3B86BD90104028020DCD SHA-1: 0x285792670FCDBFFCB4F91AD362C0E721C9BB29EC	W32/Autorun.worm!inf [McAfee] Mal/AutoInf-B [Sophos]
2	c:\herva.exe	103,140 bytes	MD5: 0x9C640FC1EFFE084C0972CACB468D27CA SHA-1: 0x01E9F6736C45E3FD600E1A31F46A806E1E5A23BB	W32.Sality!dr [Symantec] Virus.Win32.Sality.bh [Kaspersky Lab] W32/Sality.dr [McAfee] Troj/SalLoad-C [Sophos] Virus.Win32.Sality [Ikarus] Win32/Kashu.E [AhnLab]
3	[file and pathname of the sample #1]	103,140 bytes	MD5: 0x6B720F4F8C3901818BBAB26D115299C6 SHA-1: 0xD5A5788222805C3D6672561ECE3A67A6C3D433D7	W32.Sality!dr [Symantec] Virus.Win32.Sality.bh [Kaspersky Lab] W32/Sality.dr [McAfee] Troj/SalLoad-C [Sophos] Virus.Win32.Sality [Ikarus] Win32/Kashu.E [AhnLab]

The following files were modified:

%Windir%\system.ini
%System%\cmd.exe
%System%\mmc.exe
%System%\taskmgr.exe

Notes:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	86,016 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
HKEY_CURRENT_USER\Software\Apcrmkeh
HKEY_CURRENT_USER\Software\Apcrmkeh\-72398023
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AMSINT32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AMSINT32\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\amsint32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\amsint32\Security

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

UacDisableNotify = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

AntiVirusOverride = 0x00000001
AntiVirusDisableNotify = 0x00000001
FirewallDisableNotify = 0x00000001
FirewallOverride = 0x00000001
UpdatesDisableNotify = 0x00000001
UacDisableNotify = 0x00000001

to disable notification of firewall, antivirus and/or update status through the Windows Security Center

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

EnableLUA = 0x00000000

[HKEY_CURRENT_USER\Software\Apcrmkeh\-72398023]

1919251285 = 0x000000A9
-456464726 = 0x00000000
1462786559 = 0x00000000
-912929452 = 0x00000023
1006321833 = 0x0000012B
-1369394178 = "0800687474703A2F2F77617474686169696E686B2E636F6D2F6C6F676F2E67696600687474703A2F2F637265737469616E696E2E6831322E72752F6C6F676F2E67696600687474703A2F2F6364666973616E2E6E65742F62616E6E65722F6C6F676F2E67696600687474703A2F2F6461616B6F6E2E69632E637A2F6C6
549857107 = "02FCC592A08F20EC108EAE122843664B7604817545B693CE2A212EFA664C5B872491292A3CA440C24238628D267C3A3D0023A11DC8D5FBBD7D14144D5D3EAB6E279B492609B5F5A5F169C3322902C55872A7ED250CECEBC571CACCF7D3706C88DC0117EBDD8822D7DC9CB4B9FF45E9B7532985ED52EDF0BB20BFA929D

[HKEY_CURRENT_USER\Software\Apcrmkeh]

U1_0 = 0xE4E3333C
U2_0 = 0x000015CB
U3_0 = 0x01036A29
U4_0 = 0x00000000
U1_1 = 0x09B40B81
U2_1 = 0x72656E62
U3_1 = 0x7366197C
U4_1 = 0x72657355
U1_2 = 0xAA5C09FF
U2_2 = 0xE4CAFC2F
U3_2 = 0xE5C98C83
U4_2 = 0xE4CAE6AA
U1_3 = 0xD7C2F837
U2_3 = 0x5730421C
U3_3 = 0x563333D6
U4_3 = 0x573059FF
U1_4 = 0xCA209D28
U2_4 = 0xC995D359
U3_4 = 0xC896A77D
U4_4 = 0xC995CD54
U1_5 = 0xB026EC62
U2_5 = 0x3BFB5945
U3_5 = 0x3AF82A80
U4_5 = 0x3BFB40A9
U1_6 = 0x2427B745
U2_6 = 0xAE6090D3
U3_6 = 0xAF63D9D7
U4_6 = 0xAE60B3FE
U1_7 = 0x1606550A
U2_7 = 0x20C60704
U3_7 = 0x21C54D7A
U4_7 = 0x20C62753
U1_8 = 0x8B4DB7F1
U2_8 = 0x932B87F0
U3_8 = 0x9228F081
U4_8 = 0x932B9AA8
U1_9 = 0x5F657490
U2_9 = 0x059111BA
U3_9 = 0x049267D4
U4_9 = 0x05910DFD
U1_10 = 0xA77BF099
U2_10 = 0x77F69E74
U3_10 = 0x76F5EB7B
U4_10 = 0x77F68152
U1_11 = 0xEED28FF1
U2_11 = 0xEA5BEEC4
U3_11 = 0xEB589E8E
U4_11 = 0xEA5BF4A7
U1_12 = 0x4D698E28
U2_12 = 0x5CC17EDC
U3_12 = 0x5DC20DD5
U4_12 = 0x5CC167FC
U1_13 = 0x9168E0EC
U2_13 = 0xCF26C501
U3_13 = 0xCE25B178
U4_13 = 0xCF26DB51
U1_14 = 0xE1D45CF7
U2_14 = 0x418C6D77
U3_14 = 0x408F248F
U4_14 = 0x418C4EA6
U1_15 = 0x61C25433
U2_15 = 0xB3F1D936
U3_15 = 0xB2F2ABD2
U4_15 = 0xB3F1C1FB
U1_16 = 0xFD18C06E
U2_16 = 0x26572914
U3_16 = 0x27545F79
U4_16 = 0x26573550
U1_17 = 0xF9ADEFE8
U2_17 = 0x98BCB41B
U3_17 = 0x99BFC28C
U4_17 = 0x98BCA8A5
U1_18 = 0xB4DED38A
U2_18 = 0x0B22023D
U3_18 = 0x0A2171D3
U4_18 = 0x0B221BFA
U1_19 = 0x045FC386
U2_19 = 0x7D879AE2
U3_19 = 0x7C84E566
U4_19 = 0x7D878F4F
U1_20 = 0xB4EE9FFE
U2_20 = 0xEFED1EC1
U3_20 = 0xEEEE688D
U4_20 = 0xEFED02A4
U1_21 = 0xC5B25247

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AMSINT32\0000]

Service = "amsint32"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "amsint32"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AMSINT32]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER\0000]

Service = "IpFilterDriver"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "IP Traffic Filter Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\amsint32\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\amsint32]

Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "%System%\drivers\qijmn.sys"
DisplayName = "amsint32"

The following Registry Value was modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

AntiVirusOverride =
FirewallOverride =

Other details

To mark the presence in the system, the following Mutex objects were created:

uxJLpe1m
Ap1mutx7

The following port was open in the system:

Port	Protocol	Process
6822	UDP	[file and pathname of the sample #1]

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.