ThreatExpert Report: W32.Sality.AE, Virus.Win32.Sality.ag, W32/Sality.gen.z, Mal/Sality-D..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 24 September 2012, 09:49:10
Processing time: 8 min 13 sec
Submitted sample:

File MD5: 0x8908B9EE26538EB705982259F68191BF
File SHA-1: 0xD15BA6B74EE85A1E7F30EE62C4B0690EDD6AB168
Filesize: 147,837 bytes
Alias:

W32.Sality.AE [Symantec]
Virus.Win32.Sality.ag [Kaspersky Lab]
W32/Sality.gen.z [McAfee]
Mal/Sality-D [Sophos]
Virus:Win32/Sality.AT [Microsoft]
Virus.Win32.Virut [Ikarus]
Win32/Kashu.E [AhnLab]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Backdoor.Generic	These common components have files and keys that are in different threats but the threats are not related to one another in that the author of the signature is not the same. It is recommended that all these entries be removed.

Attention! The following threat category was identified:

Threat Category	Description
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\24092012-094914182.BMP	921,654 bytes	MD5: 0x69286F8E63CAAE3DDFB7457F872D4C5A SHA-1: 0xAE743B062FF44D604CDBF1F5A3D436BA5A155472	(not available)
2	%Temp%\24092012-094914182.JPG	29,771 bytes	MD5: 0x984D730EE9F007681461EB453A5DF9B0 SHA-1: 0xBF39CBD23118A41D53B819029E4A8548FC93B2BE	(not available)
3	%Temp%\24092012-094914182.TXT	426 bytes	MD5: 0xFC74EBB05A9D7B21DCE7099C0836A8AA SHA-1: 0xDCE84D3E96AD7511AB985CC98A440B705B49956D	(not available)
4	%Temp%\rose.JPG	16,549 bytes	MD5: 0xEA0FB3401ABA8E0CE1D0BD80F135B795 SHA-1: 0x9E2B99DD154A7D3D4A1CF5AAE2C9DAAA3CC82EB9	(not available)
5	[file and pathname of the sample #1] %System%\winlgon.exe	147,837 bytes	MD5: 0x8908B9EE26538EB705982259F68191BF SHA-1: 0xD15BA6B74EE85A1E7F30EE62C4B0690EDD6AB168	W32.Sality.AE [Symantec] Virus.Win32.Sality.ag [Kaspersky Lab] W32/Sality.gen.z [McAfee] Mal/Sality-D [Sophos] Virus:Win32/Sality.AT [Microsoft] Virus.Win32.Virut [Ikarus] Win32/Kashu.E [AhnLab]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
winlgon.exe	%System%\winlgon.exe	155,648 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	155,648 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

winlgon.exe = "%System%\winlgon.exe"

so that winlgon.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib]

vga.drv 640x480x32(BGR 0) = "31,31,31,31"

Other details

To mark the presence in the system, the following Mutex object was created:

uxJLpe1m

The following Host Names were requested from a host database:

192.5.5.241
yahhelper.no-ip.org

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
yahhelper.no-ip.org	27020

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%System%\winlgon.exe

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 27020:

00000000 | 3E3E 5500 3C3C FF21 F2FC 5F10 28B6 D32E | >>U.<<.!.._.(...
00000010 | 14F7 185E 768F 9DC2 0A7E DED7 C5FF 774C | ...^v....~....wL
00000020 | DE80 C60A FEB3 17D5 160E 3FAA 6A2B C12C | ..........?.j+.,
00000030 | EE71 6DA6 7901 3C3C 3234 3039 3230 3132 | .qm.y.<<24092012
00000040 | 2D30 3934 3931 3431 3832 2E54 5854 3C3C | -094914182.TXT<<
00000050 | 3432 373C 3C0D 0A23 2323 2323 2323 2323 | 427<<..#########
00000060 | 2323 2323 2323 2323 2323 2323 204C 4153 | ############ LAS
00000070 | 5420 544F 4B45 4E20 494E 464F 2023 2323 | T TOKEN INFO ###
00000080 | 2323 2323 2323 2323 2323 2323 2323 2323 | ################
00000090 | 2323 0D0A 0D0A 2323 2323 2323 2323 2323 | ##....##########
000000A0 | 2323 2323 2323 2323 2323 2323 2323 2323 | ################
000000B0 | 2323 2323 2323 2323 2323 2323 2323 2323 | ################
000000C0 | 2323 2323 2323 2323 2323 2323 2323 2323 | ################
000000D0 | 230D 0A0D 0A23 2323 2323 2323 2323 2323 | #....###########
000000E0 | 2323 2323 2323 2323 2323 204C 4153 5420 | ########## LAST
000000F0 | 4B45 5920 5354 524F 4B45 2023 2323 2323 | KEY STROKE #####
00000100 | 2323 2323 2323 2323 2323 2323 2323 2323 | ################
00000110 | 0D0A 0D0A 2323 2323 2323 2323 2323 2323 | ....############
00000120 | 2323 2323 2323 2323 2323 2323 2323 2323 | ################
00000130 | 2323 2323 2323 2323 2323 2323 2323 2323 | ################
00000140 | 2323 2323 2323 2323 2323 2323 2323 230D | ###############.
00000150 | 0A0D 0A23 2323 2323 2323 2323 2323 2323 | ...#############
00000160 | 2323 2323 2323 2323 2049 4E46 4543 5449 | ######## INFECTI
00000170 | 4F4E 2050 4154 4820 2023 2323 2323 2323 | ON PATH  #######
00000180 | 2323 2323 2323 2323 2323 2323 2323 0D0A | ##############..
00000190 | FF21 F2FC 5F10 28B6 D32E 14F7 185E 768F | .!.._.(......^v.
000001A0 | 9DC2 0A7E DED7 C5FF 774C DE80 C60A FEB3 | ...~....wL......
000001B0 | 17D5 160E 3FAA 6A2B C12C EE71 6DA6 7901 | ....?.j+.,.qm.y.
000001C0 | 0D0A 2323 2323 2323 2323 2323 2323 2323 | ..##############
000001D0 | 2323 2323 2323 2323 2323 2323 2323 2323 | ################
000001E0 | 2323 2323 2323 2323 2323 2323 2323 2323 | ################
000001F0 | 2323 2323 2323 2323 2323 2323 230D 0A   | #############..

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.