New Sality Virus In Sight ( Virus.Win32.Sality.aa Win32/Sality.AM W32/Sality.ah )

April 22, 2009 by admin  
Filed under Security News



Symantec

W32.Sality.AM

Risk Level 2: Low

Discovered: April 18, 2009
Updated: April 19, 2009 10:49:10 AM
Type: Virus
Infection Length: 69,632 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

W32.Sality.AM is a worm that spreads by infecting executable files and copying itself to removable drives.

Protection

  • Initial Rapid Release version April 18, 2009 revision 020
  • Latest Rapid Release version April 18, 2009 revision 066
  • Initial Daily Certified version April 18, 2009 revision 022
  • Latest Daily Certified version April 19, 2009 revision 005
  • Initial Weekly Certified release date April 22, 2009


Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 – 49
  • Number of Sites: 0 – 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: High
  • Payload: Downloads additional files onto the computer.
  • Deletes Files: Deletes files with .vdb, .avc and .key in the filename and also files listed under certain registry subkeys.
  • Modifies Files: Infects executable files.
  • Compromises Security Settings: Ends processes and lowers security settings by modifying the registry.

Distribution

  • Distribution Level: Medium
  • Shared Drives: Attempts to infect files on network resources and copies itself to removable drives.
  • Target of Infection: Infects executable files.
Writeup By: Piotr Krysiuk and Kaoru Hayashi

Sophos

W32/Sality-AM

Aliases
  • Win32/Sality.gen
  • W32/Sality.dll
  • New Win32.s
How it spreads
  • Infected files
Affected operating systems: Windows
Protection available since: 15 January 2008 07:26:45 (GMT)
Last updated: 23 March 2009 19:04:30 (GMT)
Detected by: All Sophos products

Virus files from infected USB flash drive


1- autorun.inf

2- oolp.cmd

3- psgxmt

We uploaded oolp.cmd to VirusTotal and got this report:

File oolp.cmd received on 04.22.2009 10:38:28 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.22 Virus.Win32.Sality!IK
AhnLab-V3 5.0.0.2 2009.04.22 Win32/Kashu.B
AntiVir 7.9.0.148 2009.04.22 W32/Sality.Y
Antiy-AVL 2.0.3.1 2009.04.22 -
Authentium 5.1.2.4 2009.04.22 W32/Sality.AK
Avast 4.8.1335.0 2009.04.21 Win32:Sality
AVG 8.5.0.287 2009.04.21 Win32/Heur
BitDefender 7.2 2009.04.22 Win32.Sality.OG
CAT-QuickHeal 10.00 2009.04.22 W32.Sality.T
ClamAV 0.94.1 2009.04.22 -
Comodo 1124 2009.04.21 -
DrWeb 4.44.0.09170 2009.04.22 Win32.Sector.5
eSafe 7.0.17.0 2009.04.21 Suspicious File
eTrust-Vet 31.6.6440 2009.04.20 Win32/Sality.AA
F-Prot 4.4.4.56 2009.04.21 W32/Sality.AK
F-Secure 8.0.14470.0 2009.04.22 Virus.Win32.Sality.aa
Fortinet 3.117.0.0 2009.04.22 W32/Sality.AA
GData 19 2009.04.22 Win32.Sality.OG
Ikarus T3.1.1.49.0 2009.04.22 Virus.Win32.Sality
K7AntiVirus 7.10.710 2009.04.21 Virus.Win32.Sality.AA
Kaspersky 7.0.0.125 2009.04.22 Virus.Win32.Sality.aa
McAfee 5591 2009.04.21 W32/Sality.gen
McAfee+Artemis 5591 2009.04.21 W32/Sality.gen
McAfee-GW-Edition 6.7.6 2009.04.22 Win32.Sality.Y
Microsoft 1.4602 2009.04.22 Virus:Win32/Sality.AM
NOD32 4026 2009.04.21 Win32/Sality.NAR
Norman 6.00.06 2009.04.21 W32/Sality.AN
nProtect 2009.1.8.0 2009.04.22 -
Panda 10.0.0.14 2009.04.21 W32/Sality.AK
PCTools 4.4.2.0 2009.04.21 -
Prevx1 V2 2009.04.22 -
Rising 21.26.21.00 2009.04.22 Win32.KUKU.GEN
Sophos 4.40.0 2009.04.22 W32/Sality-AM
Sunbelt 3.2.1858.2 2009.04.21 Virus.Win32.Sality.ah.dam (v)
Symantec 1.4.4.12 2009.04.22 W32.Sality.AE
TheHacker 6.3.4.0.312 2009.04.22 W32/Sality.gen
TrendMicro 8.700.0.1004 2009.04.22 PE_SALITY.EN-O
VBA32 3.12.10.2 2009.04.21 Virus.Win32.Sality.kaka
ViRobot 2009.4.22.1703 2009.04.22 Win32.Sality.K
VirusBuster 4.6.5.0 2009.04.21 Win32.Sality.AP.Gen
Additional information
File size: 171519 bytes
MD5: 7523aebcc2d283993031fbbc68eca8c0
SHA1: 0eb6089d1f481eab6c18d5197fe6ce953e433568
SHA256: 84c4e6578b48d0df8a9f3aab11864da2357eedf48eb91a4da34add93ca0ef9c3
SHA512: 143cb2e719d086b725f969d5c17fa710d07365147aee8cf4a6b6707f65306ff969e0613f77e314ff45f1a6de8fb85a38c26bdd3b06519fc7f5c7f2de40c08b49
ssdeep: 3072:TNQKPWDyLRegJltZrpRZ713gHWLhc+/kDLtYC:TNSDyLRxthpJg8hc+MLV
PEiD: -
TrID: File type identification
Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x739d
timedatestamp: 0x41107cc3 (Wed Aug 04 06:05:55 2004)
machinetype: 0x14c (I386)

( 4 sections )
name virtaddr virtsize rawsize entropy md5
.text 0x1000 0x7748 0x7800 6.29 5a7294a27f5cfe4aa6ace327ee0bff40
.data 0x9000 0x1ba8 0x800 1.15 3fd82fcc3cf0c0692e0e466248ee3fbf
.rsrc 0xb000 0x88b0 0x8a00 5.70 79963755f6940d88aa12f7d61cef6568
.hdata 0x14000 0x11000 0x11000 7.99 43c76540d6dc9ef844fb080f4c6a669c

( 9 imports )
> comdlg32.dll: PageSetupDlgW, FindTextW, PrintDlgExW, ChooseFontW, GetFileTitleW, GetOpenFileNameW, ReplaceTextW, CommDlgExtendedError, GetSaveFileNameW
> SHELL32.dll: DragFinish, DragQueryFileW, DragAcceptFiles, ShellAboutW
> WINSPOOL.DRV: GetPrinterDriverW, ClosePrinter, OpenPrinterW
> COMCTL32.dll: CreateStatusWindowW
> msvcrt.dll: _XcptFilter, _exit, _c_exit, time, localtime, _cexit, iswctype, _except_handler3, _wtol, wcsncmp, _snwprintf, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp, wcsncpy
> ADVAPI32.dll: RegQueryValueExW, RegCloseKey, RegCreateKeyW, IsTextUnicode, RegQueryValueExA, RegOpenKeyExA, RegSetValueExW
> KERNEL32.dll: GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetLocalTime, GetUserDefaultLCID, GetDateFormatW, GetTimeFormatW, GlobalLock, GlobalUnlock, GetFileInformationByHandle, CreateFileMappingW, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, LoadLibraryA, GetModuleHandleA, GetStartupInfoA, GlobalFree, GetLocaleInfoW, LocalFree, LocalAlloc, lstrlenW, LocalUnlock, CompareStringW, LocalLock, FoldStringW, CloseHandle, lstrcpyW, ReadFile, CreateFileW, lstrcmpiW, GetCurrentProcessId, GetProcAddress, GetCommandLineW, lstrcatW, FindClose, FindFirstFileW, GetFileAttributesW, lstrcmpW, MulDiv, lstrcpynW, LocalSize, GetLastError, WriteFile, SetLastError, WideCharToMultiByte, LocalReAlloc, FormatMessageW, GetUserDefaultUILanguage, SetEndOfFile, DeleteFileW, GetACP, UnmapViewOfFile, MultiByteToWideChar, MapViewOfFile, UnhandledExceptionFilter
> GDI32.dll: EndPage, AbortDoc, EndDoc, DeleteDC, StartPage, GetTextExtentPoint32W, CreateDCW, SetAbortProc, GetTextFaceW, TextOutW, StartDocW, EnumFontsW, GetStockObject, GetObjectW, GetDeviceCaps, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SetBkMode, LPtoDP, SetWindowExtEx, SetViewportExtEx, SetMapMode, SelectObject
> USER32.dll: GetClientRect, SetCursor, ReleaseDC, GetDC, DialogBoxParamW, SetActiveWindow, GetKeyboardLayout, DefWindowProcW, DestroyWindow, MessageBeep, ShowWindow, GetForegroundWindow, IsIconic, GetWindowPlacement, CharUpperW, LoadStringW, LoadAcceleratorsW, GetSystemMenu, RegisterClassExW, LoadImageW, LoadCursorW, SetWindowPlacement, CreateWindowExW, GetDesktopWindow, GetFocus, LoadIconW, SetWindowTextW, PostQuitMessage, RegisterWindowMessageW, UpdateWindow, SetScrollPos, CharLowerW, PeekMessageW, EnableWindow, DrawTextExW, CreateDialogParamW, GetWindowTextW, GetSystemMetrics, MoveWindow, InvalidateRect, WinHelpW, GetDlgCtrlID, ChildWindowFromPoint, ScreenToClient, GetCursorPos, SendDlgItemMessageW, SendMessageW, CharNextW, CheckMenuItem, CloseClipboard, IsClipboardFormatAvailable, OpenClipboard, GetMenuState, EnableMenuItem, GetSubMenu, GetMenu, MessageBoxW, SetWindowLongW, GetWindowLongW, GetDlgItem, SetFocus, SetDlgItemTextW, wsprintfW, GetDlgItemTextW, EndDialog, GetParent, UnhookWinEvent, DispatchMessageW, TranslateMessage, TranslateAcceleratorW, IsDialogMessageW, PostMessageW, GetMessageW, SetWinEventHook

( 0 exports )

PDFiD: -
RDS: NSRL Reference Data Set -
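As an added example, not part of the original post, the following Python script ties the two observations above together: it parses the autorun.inf found on the infected flash drive for the files it launches, hashes them, and compares the digests with the MD5 and SHA-256 that the VirusTotal report gives for oolp.cmd. The drive layout that demo() builds is constructed for illustration; the real dropper is not reproduced.

```python
# Added example (not from the original post): triage a removable drive for the
# autorun.inf + dropper pattern described above. KNOWN_BAD holds the MD5 and SHA-256
# the quoted VirusTotal report gives for oolp.cmd; the drive demo() builds is constructed.
import hashlib, re, tempfile
from pathlib import Path

KNOWN_BAD = {"7523aebcc2d283993031fbbc68eca8c0",
             "84c4e6578b48d0df8a9f3aab11864da2357eedf48eb91a4da34add93ca0ef9c3"}
# autorun.inf keys that run a file when the volume is mounted or opened.
LAUNCH_RE = re.compile(r'^(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*"?([^"\s]+)', re.I)
RISKY_EXT = (".cmd", ".bat", ".exe", ".pif", ".scr", ".com")

def launch_targets(autorun_path):
    """File names the [autorun] section launches, in order, without duplicates."""
    targets, in_autorun = [], False
    for raw in Path(autorun_path).read_bytes().splitlines():
        line = raw.decode("latin-1").strip()  # junk bytes decode harmlessly
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and (m := LAUNCH_RE.match(line)):
            targets.append(m.group(2).lower())  # every other line is ignored
    return list(dict.fromkeys(targets))

def file_hashes(path):
    data = Path(path).read_bytes()
    return {hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()}

def triage_drive(root, known_bad=KNOWN_BAD):
    """Return (file, verdict) pairs for everything autorun.inf on `root` launches."""
    findings, autorun = [], Path(root, "autorun.inf")
    if not autorun.is_file():
        return findings
    for name in launch_targets(autorun):
        target = Path(root, name)
        if not target.is_file():
            findings.append((name, "referenced by autorun.inf but missing"))
        elif file_hashes(target) & known_bad:
            findings.append((name, "matches a known Sality sample hash"))
        elif name.endswith(RISKY_EXT):
            findings.append((name, "autorun launches executable content; submit for analysis"))
    return findings

def demo():
    """Triage a constructed, harmless drive: against KNOWN_BAD, then against its own hash."""
    root, payload = Path(tempfile.mkdtemp()), b"@echo constructed placeholder, not the dropper\r\n"
    (root / "autorun.inf").write_bytes(b"[autorun]\r\nopen=oolp.cmd\r\n\x00\xff padding\r\n"
                                       b'shellexecute="oolp.cmd" /s\r\nicon=psgxmt\r\n')
    (root / "oolp.cmd").write_bytes(payload)
    return triage_drive(root), triage_drive(root, {hashlib.md5(payload).hexdigest()})
```

Point triage_drive() at the mount point of a suspect drive; a hash match is a confirmed hit, while the weaker "launches executable content" verdict is a prompt to submit the file for analysis.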



Comments

2 Responses to “New Sality Virus In Sight ( Virus.Win32.Sality.aa Win32/Sality.AM W32/Sality.ah )”
  1. yayat says:

    How to download that vaccine??

  2. admin says:

    To protect yourself from the Sality virus you should have an updated antivirus, but if you are infected we will put up the solution for removing the virus soon.
