Submission Summary:

What's been found | Severity Level
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Threat Category | Description
A virus capable of modifying other files by infecting, prepending, or overwriting them with its own body

File System Modifications

# | Filename(s) | File Size | File Hash | Alias
1 %AppData%\Tibo Software\Jp2Lite\Storage\84be8166-61e8-4ada-b915-ae59ca3df3b9\fuse.dat 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
(not available)
2 %Temp%\00017E81_Rar\[filename of the sample #1]
%Temp%\00031473_Rar\[filename of the sample #1]
[file and pathname of the sample #1]
875,659 bytes MD5: 0xD124946AEF92ABB03C3008A1D020CC8F
SHA-1: 0xD7FD74DCD86073AA81B5F62617F43E06BDAF82A7
Virus.Win32.Sality.aa [Kaspersky Lab]
W32/Sality.gen [McAfee]
PE_SALITY.EK [Trend Micro]
W32/Sality-AM [Sophos]
Virus.Win32.Sality [Ikarus]
Win32/Kashu.B [AhnLab]
3 %Temp%\tll1473.tmp\data.pck
%Temp%\tll7E72.tmp\data.pck
11,448 bytes MD5: 0x810261516945F6611547D7C67883A0CA
SHA-1: 0x6C607C52277A7063ACD623D2EBF8F917C9420463
(not available)
4 %Temp%\tll1473.tmp\default.spk
%Temp%\tll7E72.tmp\default.spk
112,418 bytes MD5: 0xD234D4E66C8DF098A5DC3934CC0CC71B
SHA-1: 0x3BFCCA74CF4CE1D30C900A2A46A8BE49A8E48911
(not available)
5 %Temp%\tll1473.tmp\English.lng
%Temp%\tll7E72.tmp\English.lng
18,188 bytes MD5: 0x5354DBA4DAB261ECBA05B7B3B2EE1D13
SHA-1: 0xB227EBACE8C2A02E50C5CDDBB5589928062A33F1
(not available)
6 %Temp%\tll1473.tmp\index.ini
%Temp%\tll7E72.tmp\index.ini
87 bytes MD5: 0xD28C566F8181AB515ED8066AE147E734
SHA-1: 0x8CB5FCFEA1A201FED1E9059D6CB74956E62E076C
(not available)
7 %Temp%\tll1473.tmp\Jp2lt.exe
%Temp%\tll7E72.tmp\Jp2lt.exe
750,856 bytes MD5: 0x478A298644C06E65FB355291287FFAE8
SHA-1: 0x66E6009118AB38CD87423F66F6E55A2A72CB3726
(not available)
8 %Temp%\tll1473.tmp\jp2lt.exe.manifest
%Temp%\tll7E72.tmp\jp2lt.exe.manifest
378 bytes MD5: 0x66E42D37DBEA320EA7FE1CAFF4447426
SHA-1: 0x9416348339F761A79B3D694AA65E7C7CA8D7DFD3
(not available)
9 %Temp%\tll1473.tmp\lite.chm
%Temp%\tll7E72.tmp\lite.chm
40,432 bytes MD5: 0x93465BDC3F4AB7161F3A927DDB1E345B
SHA-1: 0xBC364025C22CFBC234672EF844BF85C169F86CD3
(not available)
10 %Temp%\tll1473.tmp\lite.lng
%Temp%\tll7E72.tmp\lite.lng
917 bytes MD5: 0xD6A6B435D0FAE8BEA7CF58F9E6556918
SHA-1: 0xB0C37E4C0B389E321274A29F2FF0E6C49CC26495
(not available)
11 %Temp%\tll1473.tmp\log.txt 8,071 bytes MD5: 0x1CA657EABC97AEE040E120277760711B
SHA-1: 0xD30F2AF760DECBBC38D627B0CB6388CB4B9B0C81
(not available)
12 %Temp%\tll1473.tmp\Media.dll
%Temp%\tll7E72.tmp\Media.dll
177,416 bytes MD5: 0x048265F947189A77B03029FC3AB90E84
SHA-1: 0x5C27D57B12972D2CF8BF2D83FA779F3B6B003EB4
(not available)
13 %Temp%\tll1473.tmp\Puzzles\1.pzl
%Temp%\tll7E72.tmp\Puzzles\1.pzl
123,987 bytes MD5: 0xA40AD2FF6D2D6BA30A8E9ACCD2797A6B
SHA-1: 0x77A7C3DF62A70B8721BCE6606D9D48DA26F5910A
(not available)
14 %Temp%\tll7E72.tmp\log.txt 8,095 bytes MD5: 0x4363755018A2C05D4FB2CADF0E6B8412
SHA-1: 0x8A9F6731033678C104B971A1BBB8E48E9ACB35CC
(not available)
15 %Temp%\ts1.tmp
%Temp%\ts5.tmp
%Temp%\ts8.tmp
19,756 bytes MD5: 0x49F91B6C4AE1EE79EFA680978BDD9A19
SHA-1: 0xA6B3DCDF793C8E7D999E6F32EF9388E7B8DFAF77
(not available)
16 %Temp%\ts2.tmp
%Temp%\ts6.tmp
%Temp%\ts9.tmp
5,954 bytes MD5: 0x1559E6FDBBC65A1B45C7F5F5D9CC2ECB
SHA-1: 0x2E4D41746F1A9D5ABC4B5B35DD567FDCACB1D5BB
(not available)
17 %Temp%\ts3.tmp
%Temp%\ts7.tmp
%Temp%\tsA.tmp
47,590 bytes MD5: 0x85F244EDE590DAACDA774C063B76D05A
SHA-1: 0x8A08EA17D51A4EDC21835A7C09420DDB309F459F
(not available)

Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 122,880 bytes
Jp2lt.exe | %Temp%\tll1473.tmp\jp2lt.exe | 1,429,504 bytes
jp2lt.exe | %Temp%\tll7E72.tmp\jp2lt.exe | 1,429,504 bytes

Registry Modifications

Other details

Copyright © 2013 ThreatExpert. All rights reserved.