win32:sality virus

I was playing with a few programs when my "avast antivirus" warned me of this "win32:sality virus". As usual I neglected it. This was a big mistake I made. Two hours later my antivirus declared VLC a virus, 4 hours later Notepad was declared a virus, and 24 hours later almost all exes were declared viruses. Many programs terminated abnormally.


I started searching the net for information on this virus, and found the following about it:
Characteristics
Type : Virus
Category : Win32
Also known as: W32.HLLP.Sality (Symantec)



Description
Win32/Sality is a polymorphic virus that infects Win32 PE executable files. It also contains trojan components. Win32/Sality has been known to be downloaded by variants of the Win32/Bagle family.
Method of Infection
When an infected file is executed the virus decrypts itself and drops a DLL file into the %System% directory. The DLL file is injected into other running processes. The virus then executes the host program code.
Some examples of the names used by the Sality DLL file as reported to CA from the wild include the following:
%System%\syslib32.dll
%System%\oledsp32.dll
%System%\olemdb32.dll
%System%\wcimgr32.dll
%System%\wmimgr32.dll

Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system.


Method of Distribution
Via File Infection
Sality searches local drives C:\ to Y:\ for Windows PE executable files to infect. Some variants do not infect files with a file size below 4K bytes or above 20M bytes. The virus replaces code at the entry point of the executable with its own code, and appends an encrypted copy of itself to the host file, which increases the size of the infected program. When the file is executed the virus extracts and runs the appended code, and then runs the host program code to hide its presence.
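The infection mechanics above (code replaced at the entry point, an encrypted copy appended to the host, the 4K to 20M byte size window) are exactly the traits a defender can look for when triaging executables from a suspect machine. The script below is an added illustration written for this post; it is not code from the post, from CA, or from any AV vendor, and it is not a Sality signature. It walks the PE headers by hand and reports generic file-infector indicators: an entry point that lands in the last section instead of the code section, an entry section that is both writable and executable, a high-entropy entry section (encrypted or packed code), and overlay bytes appended past the last section. The `build_pe` helper and the two sample images are constructed here purely to exercise the checks offline; the 7.0-bit entropy threshold and the trusted-layout assumptions are mine.

```python
import math
import struct
from collections import Counter

# Section flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Size window the post says some variants restrict themselves to (4K .. 20M bytes).
MIN_TARGET, MAX_TARGET = 4 * 1024, 20 * 1024 * 1024

def in_target_size_range(size):
    """True for files inside the window an infector with that filter would touch."""
    return MIN_TARGET <= size <= MAX_TARGET

def shannon_entropy(data):
    """Bits per byte: encrypted or packed bytes approach 8.0, plain x86 code stays well under 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(data):
    """Minimal header walk; returns (entry point RVA, list of section dicts)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # same offset for PE32 and PE32+
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"), "vsize": vsize,
                         "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr,
                         "chars": struct.unpack_from("<I", data, off + 36)[0]})
    return entry_rva, sections

def triage(data):
    """Generic file-infector indicators for one PE image; an empty list means nothing stood out."""
    findings = []
    entry_rva, sections = parse_pe(data)
    if not sections:
        return ["no section table"]
    ep = next((s for s in sections
               if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    if ep is None:
        findings.append("entry point lies outside every section")
    else:
        if ep is sections[-1] and len(sections) > 1 and sections[0]["chars"] & IMAGE_SCN_CNT_CODE:
            findings.append(f"entry point in last section '{ep['name']}' instead of the code section")
        if ep["chars"] & IMAGE_SCN_MEM_WRITE and ep["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"entry section '{ep['name']}' is both writable and executable")
        ent = shannon_entropy(data[ep["rawptr"]:ep["rawptr"] + ep["rawsize"]])
        if ent > 7.0:
            findings.append(f"entry section '{ep['name']}' has entropy {ent:.2f} (encrypted or packed code)")
    # Bytes after the last section's raw data: an appended body the loader never maps.
    end = max(s["rawptr"] + s["rawsize"] for s in sections)
    if len(data) > end:
        findings.append(f"{len(data) - end} bytes of overlay appended past the last section")
    return findings

def build_pe(sections, entry_rva, overlay=b""):
    """Constructed minimal PE32 image for testing only (not a runnable program).
    sections: list of (name, characteristics, raw bytes); 0x1000 section / 0x200 file alignment."""
    size_opt = 224
    hdr_aligned = (0x40 + 4 + 20 + size_opt + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)     # ImageBase, SectionAlign, FileAlign
    headers, body, rva, rawptr = b"", b"", 0x1000, hdr_aligned
    for name, chars, raw in sections:
        rawsize = (len(raw) + 0x1FF) & ~0x1FF
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               len(raw), rva, rawsize, rawptr, 0, 0, 0, 0, chars)
        body += raw.ljust(rawsize, b"\0")
        rva += max((len(raw) + 0xFFF) & ~0xFFF, 0x1000)
        rawptr += rawsize
    return (dos + b"PE\0\0" + coff + bytes(opt) + headers).ljust(hdr_aligned, b"\0") + body + overlay

# Constructed samples: a plain two-section image, and one with an appended high-entropy
# section that owns the entry point plus trailing overlay, the shape a file infector leaves.
CODE = b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 200 + b"\xc3"
DATA = b"hello, world\0" * 20
ENCRYPTED = bytes(range(256)) * 4                                 # uniform bytes, entropy 8.0
TEXT = (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, CODE)
RDATA = (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, DATA)
XSEC = (".xdata", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, ENCRYPTED)
CLEAN = build_pe([TEXT, RDATA], entry_rva=0x1000)
INFECTED = build_pe([TEXT, RDATA, XSEC], entry_rva=0x3000, overlay=bytes(range(256)))
```

Running `triage(CLEAN)` returns an empty list, while `triage(INFECTED)` reports all four indicators; `in_target_size_range(len(path))` is the cheap pre-filter to run first over a directory tree. Any one indicator on its own is common in legitimate packed or self-extracting binaries, so treat a hit as a reason to compare the file's hash against a known-good copy rather than as a verdict.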



Deletes files
Sality searches subdirectories on drives C:\ to Y:\ for files with the following extensions:
.vdb
.avc
Files located are deleted. This is presumably to disable or impair certain AV products.


Terminates Processes

Sality searches for and terminates any processes which match a list contained in its code; the following is an example of such a list:
AVXQUAR
ICSUPP
ICSSUPPNT
ESCANH
AVLTMAIN
VSMAIN
TRJSCAN
PROTECTX
PORTDETECTIVE
PINGSCAN
PERISCOPE
NPFMESSENGER
MCAGENT
LOCKDOWN
DRWTSN32
DRWATSON
CLEANER
BLACKICE
BIPCP
BIDSERVER
BIDEF
AVPROTECT
AVGSERV
ATGUARD
AVSYNMGR
AUTOTRACE
SAVSCAN
RTVSCAN
NUPGRADE
NPROTECT
MGUI
MCUPDATE
NMAIN
ANTI
NOD32
ZONEALARM
OUTPOST
DRWEB
KAV
AVP
NAV

When a process is terminated, Sality displays a fake error message to disguise the cause.



Changes Firewall Settings
Some Sality trojan components modify the Windows Firewall settings to add themselves as authorized applications, which effectively allows these components to bypass the firewall. In my case it was added under the name "ipsec", and my firewall was repeatedly turned off by the virus.
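An exception added under a bland system-sounding name like "ipsec" is easy to overlook in the firewall UI, so it is worth auditing the authorized-application list mechanically. The script below is an added illustration for this post, not code from the post or from Microsoft. It assumes the value layout the Windows XP SP2 firewall stores under its `AuthorizedApplications\List` key, `<exe path>:<scope>:<mode>:<display name>`; the sample values, the trusted install roots and the list of system-lookalike names are all constructed here and would need adjusting for a real host.

```python
import ntpath

# Assumed value format of the XP SP2 firewall AuthorizedApplications\List entries:
#   "<exe path>:<scope>:<mode>:<display name>"   e.g. "C:\...\app.exe:*:Enabled:App"
# Install roots a legitimately installed program is expected to live under (assumed allowlist).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
# Display names that imitate Windows components; "ipsec" is the one the post reports.
SYSTEM_LOOKALIKE_NAMES = {"ipsec", "svchost", "lsass", "winlogon", "csrss"}

def parse_entry(value):
    """Split one list value; rsplit because the drive letter already contains a ':'."""
    path, scope, mode, name = value.rsplit(":", 3)
    return {"path": path, "scope": scope, "mode": mode, "name": name}

def audit_entry(entry):
    """Reasons an enabled exception deserves a look; an empty list means nothing unusual."""
    if entry["mode"].lower() != "enabled":
        return []                                   # disabled rules let nothing through
    reasons = []
    path = entry["path"].lower()
    if not path.startswith(TRUSTED_ROOTS):
        reasons.append("executable outside the trusted install roots")
    stem = ntpath.splitext(ntpath.basename(path))[0]
    shown = entry["name"].lower()
    if shown in SYSTEM_LOOKALIKE_NAMES and stem != shown:
        reasons.append(f"system-sounding display name '{entry['name']}' does not match '{stem}.exe'")
    return reasons

def audit_list(values):
    """Map each flagged executable path to the reasons it was flagged."""
    flagged = {}
    for value in values:
        entry = parse_entry(value)
        reasons = audit_entry(entry)
        if reasons:
            flagged[entry["path"]] = reasons
    return flagged

# Constructed sample: two ordinary exceptions and one shaped like the post's "ipsec" entry.
SAMPLE_LIST = [
    "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player",
    "C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:Remote Assistance",
    "C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\update.exe:*:Enabled:ipsec",
]

if __name__ == "__main__":
    for path, reasons in audit_list(SAMPLE_LIST).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

On a live XP-era host the values would be read with `winreg` from that key and fed to `audit_list`; anything flagged should be cross-checked against the process list and the dropped-DLL names given earlier in this post, and the firewall service's own state re-verified after cleanup since the post notes it was being switched off repeatedly.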




After reading it I realised how much trouble I had put myself into. I immediately tried my best to remove it:
i) System Restore: didn't work; soon it was also infected with the virus
ii) manually searched for possible DLLs: nothing was found
iii) tried the Sality remover from AVG: no use (still try it)
iv) tried Safe Mode: it didn't boot in Safe Mode



Finally I had to format my system. So if you get any indication that any software is infected with this virus, do not install it. There is no way out once your system gets infected with it. So be careful.
Note: This virus has a special property of hiding in disk partitions. So if you finally decide to format your PC, first delete all partitions and then recreate them during installation.
Posted on 8/16/2009 01:02:00 AM by ket@n