ThreatExpert Report: W32.Imaut!gen1, Virus.Win32.Sality.aa, W32/Sality.gen.z, PE

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 4 July 2012, 05:31:24
Processing time: 12 min 10 sec
Submitted sample:

File MD5: 0xFDD6626823A6BD9F65C041D13277439B
File SHA-1: 0x36944B44B689F5369D5C1198D4A8BEA04EC3EF19
Filesize: 392,477 bytes
Alias:

W32.Imaut!gen1 [Symantec]
Virus.Win32.Sality.aa [Kaspersky Lab]
W32/Sality.gen.z [McAfee]
PE_SALITY.EN [Trend Micro]
W32/Sality-AM [Sophos]
Virus.Win32.Sality [Ikarus]
Win32/Kashu.B [AhnLab]

Summary of the findings:

What's been found	Severity Level
Sets the drive to autoplay by creating autorun.inf file in its root directory. If the drive is shared across the network then other remote computers can be infected any time they try to access this share.
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\Autorun.inf	280 bytes	MD5: 0xBA9FA2FF95CF51C5E241551ED3EEF925 SHA-1: 0xE3025F0A039F861DD04101AAE9C120F85FE3A707	Mal/AutoInf-B [Sophos]
2	%CommonAppData%\Exe_Debuger.ini	790 bytes	MD5: 0x65CCA9EF55459EEDB32B383DE8A906A0 SHA-1: 0xEC807040B066FE3E5FC0A5519D5EA5B1A68F7739	(not available)
3	%CommonAppData%\windows-update.exe	2,487 bytes	MD5: 0xD7A3E304F50809E07C07ADB839D3D44E SHA-1: 0x0A158CBBCF5FE0405DA767CD9DADA3420B07B692	(not available)
4	c:\ntldr.exe %System%\iexplorer.exe [file and pathname of the sample #1] %Windir%\win-update.exe	392,477 bytes	MD5: 0xFDD6626823A6BD9F65C041D13277439B SHA-1: 0x36944B44B689F5369D5C1198D4A8BEA04EC3EF19	W32.Imaut!gen1 [Symantec] Virus.Win32.Sality.aa [Kaspersky Lab] W32/Sality.gen.z [McAfee] PE_SALITY.EN [Trend Micro] W32/Sality-AM [Sophos] Virus.Win32.Sality [Ikarus] Win32/Kashu.B [AhnLab]
5	%Windir%\Tasks\At1.job	352 bytes	MD5: 0x0A555D5449C1B1A54F1A6CC3D49DBF91 SHA-1: 0xA9B901B118354FB6D8B75947DEDF961289287013	(not available)
6	%Windir%\Tasks\At2.job	352 bytes	MD5: 0x6E7CFF8F54CA035B8B1AF1BE695E1C8E SHA-1: 0x4CBBAED014140657F37A51980B8CE719BC49A0BC	(not available)

Notes:

%CommonAppData% is a variable that refers to the file system directory containing application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following files were modified:

%Windir%\system.ini
%System%\cmd.exe
%System%\mmc.exe
%System%\ntvdm.exe
%System%\taskmgr.exe

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	839,680 bytes
iexplorer.exe	%System%\iexplorer.exe	839,680 bytes
win-update.exe	%Windir%\win-update.exe	839,680 bytes
ntldr.exe	c:\ntldr.exe	839,680 bytes

The following system services were modified:

Service Name	Display Name	New Status	Service Filename
ALG	Application Layer Gateway Service	"Stopped"	%System%\alg.exe
SharedAccess	Windows Firewall/Internet Connection Sharing (ICS)	"Stopped"	%System%\svchost.exe -k netsvcs
wscsvc	Security Center	"Stopped"	%System%\svchost.exe -k netsvcs

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
HKEY_CURRENT_USER\Software\%UserName%914
HKEY_CURRENT_USER\Software\%UserName%914\-72398023
HKEY_CURRENT_USER\Software\Yahoo
HKEY_CURRENT_USER\Software\Yahoo\pager
HKEY_CURRENT_USER\Software\Yahoo\pager\View
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast

Notes:

%UserName% is a variable that refers to the current user name.

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

EnableLUA = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]

NoDriveTypeAutoRun = 0x00000000
NoFolderOptions = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Iexplorer = "%System%\iexplorer.exe"

so that iexplorer.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

debugger = "%System%\iexplorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

DisableConfig = 0x00000001
DisableSR = 0x00000001

to disable System Restore Settings link in the System Restore interface

to disable the System Restore tools on the Start menu

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Window Title = "Allahou Akbar"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

NoFind = 0x00000001
NoRun = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system]

DisableTaskMgr = 0x00000001
DisableRegistryTools = 0x00000001

to prevent users from starting Task Manager (Taskmgr.exe)

to disable the Windows registry editors (Regedt32.exe and Regedit.exe)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

Win-Update = "%Windir%\win-update.exe"

so that win-update.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\%UserName%914\-72398023]

1919251285 = 0x00000001
-456464726 = 0x00000000
1462786559 = 0x00000000
-912929452 = 0x0000001E
1006321833 = 0x0000008F
-1369394178 = "0400687474703A2F2F38392E3131392E36372E3135342F746573746F352F00687474703A2F2F6B756B7574727573746E65743737372E696E666F2F686F6D652E67696600687474703A2F2F6B756B7574727573746E65743838382E696E666F2F686F6D652E67696600687474703A2F2F6B756B7574727573746E65743
549857107 = "7439D18CF99ADB97C70A1EA4EA1DDEB3A46AF9AF9995ACD22104A39789171EB3633818AD029260106FF7F47FE0DE6244028206B85FFFAD226E9742031F5914A424C8AAD11CCC09A683D5C288F7B6E1F47648BB6509895D8CEFEAA4FC96A6440B61FA7545CEB6A4B60F5D6273763CD021B75224603D4E837AD74FFC1C9

[HKEY_CURRENT_USER\Software\%UserName%914]

U1_0 = 0x4E263E69
U2_0 = 0x0000158D
U3_0 = 0x01036641
U4_0 = 0x00000000

[HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast]

content url = "http://www.islamweb.net/"

[HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz]

content url = "http://www.islamweb.net/"

The following Registry Values were deleted:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AppMgmt]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]

(Default) = "Service"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

Shell =

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Start Page =

Other details

Analysis of the file resources indicate the following possible country of origin:

United Kingdom

The following ports were open in the system:

Port	Protocol	Process
1052	UDP	[file and pathname of the sample #1]
1058	UDP	win-update.exe (%Windir%\win-update.exe)
1059	UDP	iexplorer.exe (%System%\iexplorer.exe)
1063	TCP	win-update.exe (%Windir%\win-update.exe)
1064	TCP	iexplorer.exe (%System%\iexplorer.exe)
1065	UDP	win-update.exe (%Windir%\win-update.exe)
1066	UDP	iexplorer.exe (%System%\iexplorer.exe)
1069	UDP	ntldr.exe (c:\ntldr.exe)
1072	TCP	iexplorer.exe (%System%\iexplorer.exe)
1073	TCP	win-update.exe (%Windir%\win-update.exe)
1074	TCP	ntldr.exe (c:\ntldr.exe)
5703	UDP	[file and pathname of the sample #1]

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
208.91.196.252	80
208.91.197.27	80

The data identified by the following URLs was then requested from the remote web server:

http://pagesinxt.com/?dn=h1.ripway.com&flrdr=yes&nxte=jpg
http://h1.ripway.com/up/apps/Exe_Debuger.ini
http://h1.ripway.com/up/apps/regedit.jpg

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.