Virus.Win32.SALITY.RS

 Analysis by: Ricardo III Valdez

 ALIASES:

Virus:Win32/Sality.AT (MICROSOFT)

 PLATFORM:

Windows


  • Threat Type: Virus

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW


This Virus arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It enables its automatic execution at every system startup by dropping copies of itself into the Windows Common Startup folder.

It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It accesses websites to download files. This action allows this malware to possibly add other malware on the affected computer.

However, as of this writing, the said sites are inaccessible.

  TECHNICAL DETAILS

File Size:

184,320 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

11 Nov 2022

Arrival Details

This Virus arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Virus drops the following copies of itself into the affected system:

  • %AppDataLocal%\smss.exe
  • %AppDataLocal%\services.exe
  • %AppDataLocal%\lsass.exe
  • %AppDataLocal%\inetinfo.exe
  • %AppDataLocal%\csrss.exe
  • %AppDataLocal%\winlogon.exe
  • %System%\3D Animation.scr
  • %User Profile%\Templates\A.kotnorB.com
  • %Windows%\inf\norBtok.exe

It drops the following files:

  • %System%\drivers\{6 Random Characters}.sys
  • %User Temp%\win{5 Random Characters 1}.exe ← ntkrnlpa.exe copy
  • %User Temp%\win{5 Random Characters 2}.exe
  • %System Root%\{6 Random Characters}.pif
  • {All Available Drives}\autorun.inf
  • {All Available Drives}\{5 Random Characters}.exe
  • %AppDataLocal%\Kosong.Bron.Tok.txt
  • %AppDataLocal%\Bron.tok.A3.em.bin ← Deleted afterwards
  • %AppDataLocal%\Ok-SendMail-Bron-tok{email}.ini
  • %AppDataLocal%\NetMailTmp.bin
  • %AppDataLocal%\BronFoldNetDomList.txt ← Deleted afterwards
  • %AppDataLocal%\BronNetDomList.bat ← Deleted afterwards
  • %AppDataLocal%\BronNPath0.txt ← Deleted afterwards
  • %AppDataLocal%\Update.AN3A.Bron.Tok.exe ← Deleted afterwards
  • %AppDataLocal%\Update.AN3A.Bron.Tok.tempo.exe
  • %AppDataLocal%\Update.3.Bron.Tok.bin ← Deleted afterwards
  • %AppDataLocal%\BrontokInf.txt
  • %User Profile%\Pictures\about.Brontok.A.html
  • %AppDataLocal%\Loc.Mail.Bron.Tok\{email}.ini

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32 on all Windows operating system versions. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). %System Root% is the Windows root folder, which is usually C:\ on all Windows operating system versions. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

  • %AppDataLocal%\Bron.tok-3-{Current Day}

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • uxJLpe1m ← For the malware itself
  • {Process Name}M_{PID in Decimal} ← For all running processes

Autostart Technique

This Virus adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Tok-Cirrhatus = %AppDataLocal%\smss.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Bron-Spizaetus = %Windows%\inf\norBtok.exe

It enables its automatic execution at every system startup by dropping the following copies of itself into the Windows Common Startup folder:

  • %User Profile%\Programs\Startup\Empty.pif

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It also creates a scheduled task that runs the malware at the following time:

  • 5:08 PM every day

Other System Modifications

This Virus deletes the following files:

  • %System%\drivers\{6 Random Characters}.sys
  • %User Temp%\win{5 Random Characters 1}.exe ← ntkrnlpa.exe copy
  • %User Temp%\win{5 Random Characters 2}.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32 on all Windows operating system versions. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following line(s)/entry(ies) in the SYSTEM.INI file:

  • [mci]
  • [MCIDRV_VER]
  • DEVICEMB={Random Decimal Numbers}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\{Derived from User Name}\
2033412880
{Derived from the first 4 letters of the User Name} = {Decimal Value}

HKEY_CURRENT_USER\Software\{Derived from User Name}\
2033412880
{Derived from the first 4 letters of the User Name} = {Hex Values}

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UacDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusOverride = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallOverride = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UpdatesDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UacDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLUA = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DoNotAllowExceptions = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DisableNotifications = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableCMD = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoFolderOptions = 1

(Note: The default value data of the said registry entry is 0.)

It modifies the following registry entries to hide files with Hidden attributes:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = 2

(Note: The default value data of the said registry entry is 1.)

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\Safeboot
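
The registry changes above are the most useful triage evidence this infection leaves behind, because the write-up documents the default for every value it flips. The following script is an added example and is not part of the Trend Micro write-up: it holds the documented defaults in a table, reports every value that is present and differs from its default, checks for the two Run values and the missing SafeBoot key, and can read the live registry on Windows through the standard-library winreg module. The SNAPSHOT and PRESENT_KEYS data are constructed for offline use, and the user name alice and the path in it are made up.

```python
"""Registry triage for the tampering listed in the write-up above.

Added example, not part of the Trend Micro write-up. EXPECTED copies the
value names and the "default value data" notes from the write-up;
read_live_snapshot() needs Windows (winreg). SNAPSHOT / PRESENT_KEYS are
constructed sample data so the comparison logic runs anywhere.
"""
import sys

SECURITY_CENTER = r"SOFTWARE\Microsoft\Security Center"
POLICIES_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
STD_PROFILE = (r"SYSTEM\ControlSet001\services\SharedAccess\Parameters"
               r"\FirewallPolicy\StandardProfile")

# (hive, subkey, value name) -> default value data documented in the write-up.
# The malware sets every one of these to the opposite of its default.
EXPECTED = {}
for _sub in (SECURITY_CENTER, SECURITY_CENTER + r"\Svc"):
    for _name in ("AntiVirusOverride", "AntiVirusDisableNotify",
                  "FirewallDisableNotify", "FirewallOverride",
                  "UpdatesDisableNotify", "UacDisableNotify"):
        EXPECTED[("HKLM", _sub, _name)] = 0
EXPECTED.update({
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Internet Settings",
     "GlobalUserOffline"): 1,
    ("HKLM", POLICIES_SYSTEM, "EnableLUA"): 1,
    ("HKLM", STD_PROFILE, "EnableFirewall"): 1,
    ("HKLM", STD_PROFILE, "DoNotAllowExceptions"): 1,
    ("HKLM", STD_PROFILE, "DisableNotifications"): 0,
    ("HKCU", POLICIES_SYSTEM, "DisableCMD"): 1,
    ("HKCU", POLICIES_SYSTEM, "DisableRegistryTools"): 0,
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoFolderOptions"): 0,
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "Hidden"): 1,
})

# Autostart values named in the write-up; their mere presence is an indicator.
RUN_VALUES = {
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "Tok-Cirrhatus"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Bron-Spizaetus"),
}
SAFEBOOT_KEY = ("HKLM", r"SYSTEM\ControlSet001\Control\SafeBoot")


def find_deviations(snapshot):
    """Report every EXPECTED value that is present in `snapshot` with a
    non-default value, as (hive, subkey, name, observed, default) tuples.
    `snapshot` maps (hive, subkey, name) -> data. Absent values are not
    reported: not all of these keys exist on every Windows build."""
    found = []
    for key, default in EXPECTED.items():
        observed = snapshot.get(key)
        if observed is not None and observed != default:
            found.append(key + (observed, default))
    return found


def find_autostart(snapshot):
    """Return the Run values from the write-up that exist in `snapshot`."""
    return sorted((k, snapshot[k]) for k in RUN_VALUES if k in snapshot)


def safeboot_missing(present_keys):
    """True when the SafeBoot key the malware deletes is not in
    `present_keys`, a set of (hive, subkey) tuples."""
    return SAFEBOOT_KEY not in present_keys


def read_live_snapshot():
    """Windows only: read every EXPECTED / RUN value and test for SafeBoot."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot, present = {}, set()
    for hive, subkey, name in set(EXPECTED) | RUN_VALUES:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                snapshot[(hive, subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:          # key or value absent
            pass
    try:
        with winreg.OpenKey(hives[SAFEBOOT_KEY[0]], SAFEBOOT_KEY[1]):
            present.add(SAFEBOOT_KEY)
    except OSError:
        pass
    return snapshot, present


# Constructed sample (assumption): three values flipped, one still default,
# the HKCU Run value present, SafeBoot deleted. Path and user name are made up.
SNAPSHOT = {
    ("HKLM", SECURITY_CENTER, "AntiVirusDisableNotify"): 1,
    ("HKLM", SECURITY_CENTER, "FirewallOverride"): 0,
    ("HKLM", POLICIES_SYSTEM, "EnableLUA"): 0,
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "Hidden"): 2,
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "Tok-Cirrhatus"):
        r"C:\Users\alice\AppData\Local\smss.exe",
}
PRESENT_KEYS = set()

if __name__ == "__main__":
    snap, present = read_live_snapshot() if sys.platform == "win32" \
        else (SNAPSHOT, PRESENT_KEYS)
    for hive, sub, name, seen, default in find_deviations(snap):
        print(f"{hive}\\{sub}\\{name} = {seen} (default {default})")
    for (hive, sub, name), data in find_autostart(snap):
        print(f"autostart {hive}\\{sub}\\{name} -> {data}")
    if safeboot_missing(present):
        print("SafeBoot key missing (the malware deletes it; Safe Mode needs it)")
```

The table deliberately reports only values that exist and differ from the documented default, since Security Center values are absent on many builds and a missing value is not evidence on its own. The write-up names ControlSet001; on a live system CurrentControlSet normally points at the same control set, so either path can be used for the firewall and SafeBoot checks.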

File Infection

This Virus infects the following file types:

  • .exe
  • .scr

It avoids infecting the following files:

  • Protected System Files
  • Files in CD-ROM drives

Propagation

This Virus drops the following copy(ies) of itself in all removable drives:

  • {Removable Drive Letter}:\Data {username}.exe

It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

Note: The order of the autorun.inf strings may vary, and the strings may contain a mix of uppercase and lowercase letters.
;{Garbage Characters}
[AutoRun]
;{Garbage Characters}
ShEll\OPeN\coMMaNd ={Random Characters}.{pif/exe}
;
Open={Random Characters}.{pif/exe}
;
shelL\ExPLorE\CommaNd={Random Characters}.{pif/exe}
shELl\Open\DefAUlT=1
;{Garbage Characters}
shell\aUToplay\CoMMANd ={Random Characters}.{pif/exe}
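
The random casing and the filler comment lines are there to defeat naive string matching, but Windows parses autorun.inf case-insensitively and ignores ';' lines, so a detector should do the same before looking at the keys. The script below is an added example and not part of the Trend Micro write-up: it parses the file the way Windows reads it, then reports the launch hooks the write-up lists (open, shell\open\command, shell\explore\command, shell\autoplay\command) that point at a .pif or .exe, and separately counts the obfuscation tells. SAMPLE_INF and BENIGN_INF are constructed inputs; the file name xqzvt.pif in them is made up.

```python
"""Detector for the autorun.inf layout described in the write-up above.

Added example, not part of the Trend Micro write-up. SAMPLE_INF and
BENIGN_INF are constructed; xqzvt.pif is a made-up file name.
"""
import re

# Launch hooks named in the write-up, compared case-insensitively.
LAUNCH_KEYS = {"open", r"shell\open\command", r"shell\explore\command",
               r"shell\autoplay\command"}
SUSPECT_EXT = (".pif", ".exe")     # the two extensions the write-up names


def parse_autorun(text):
    """Parse autorun.inf text into {section: {key: value}}.

    Blank lines, ';' comment lines and a leading BOM are skipped; section
    and key names are lower-cased and stripped so the random casing and
    the stray spaces before '=' do not matter."""
    sections, current = {}, ""
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def find_launch_targets(text):
    """Return (key, target) pairs from [autorun] whose key is one of the
    launch hooks and whose target ends in .pif or .exe."""
    autorun = parse_autorun(text).get("autorun", {})
    return [(key, value) for key, value in autorun.items()
            if key in LAUNCH_KEYS and value.lower().endswith(SUSPECT_EXT)]


def _mixed_case(word):
    """True when the letters after the first mix upper and lower case:
    'Shell', 'COMMAND' and 'open' do not, 'ShEll' and 'coMMaNd' do."""
    rest = [c for c in word if c.isalpha()][1:]
    return any(c.isupper() for c in rest) and any(c.islower() for c in rest)


def obfuscation_score(text):
    """Return (comment_lines, mixed_case_keys). Legitimate autorun.inf
    files are normally written in one case and carry no filler comments."""
    comments = mixed = 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";"):
            comments += 1
        elif "=" in line:
            key = line.partition("=")[0].strip()
            if any(_mixed_case(part) for part in key.split("\\")):
                mixed += 1
    return comments, mixed


# Constructed sample in the layout the write-up describes.
SAMPLE_INF = r""";kjh3g4kj GaRbAgE
[AutoRun]
;x8s7df
ShEll\OPeN\coMMaNd =xqzvt.pif
;
Open=xqzvt.pif
;
shelL\ExPLorE\CommaNd=xqzvt.pif
shELl\Open\DefAUlT=1
;more garbage
shell\aUToplay\CoMMANd =xqzvt.pif
"""

# Constructed benign comparison: only sets a drive icon and label.
BENIGN_INF = """[autorun]
icon=setup.exe,0
label=Vendor Drive
"""

if __name__ == "__main__":
    for name, inf in (("sample", SAMPLE_INF), ("benign", BENIGN_INF)):
        print(name, find_launch_targets(inf), obfuscation_score(inf))
```

A launch hook alone is only a triage signal, because vendor installers legitimately use open=setup.exe; the filler comments and the randomly cased keys are the stronger tell. Windows 7 and later (and XP/Vista with the AutoRun update) no longer honour autorun.inf on USB drives, so on those systems the dropped copies run only if the user opens them, but the file remains a reliable artefact of the infection.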

It builds the host names of the Simple Mail Transfer Protocol (SMTP) servers it connects to by prefixing the target address's domain with the following strings:

  • smtp.
  • mail.
  • ns1.

It gathers target email addresses from files with the following extensions:

  • .ASP
  • .CFM
  • .CSV
  • .DOC
  • .EML
  • .HTM
  • .HTML
  • .PHP
  • .TXT
  • .WAB

It avoids sending email messages to addresses containing the following strings:

  • ..
  • .@
  • .ASP
  • .EXE
  • .HTM
  • .ID
  • .JS
  • .PHP
  • .VBS
  • @.
  • @123
  • @ABC
  • @MAC
  • ADMIN
  • ADOBE
  • AHNLAB
  • ALADDIN
  • ALERT
  • ALWIL
  • ANTIGEN
  • APACHE
  • ARCHIEVE
  • ASDF
  • ASSOCIATE
  • ASTAGA
  • AVAST
  • AVG
  • AVIRA
  • BILLING@
  • BLACK
  • BLAH
  • BLEEP
  • BOLEH
  • BROWSE
  • BUG
  • BUILDER
  • BUNTU
  • CANON
  • CILLIN
  • CISCO
  • CLICK
  • CNET
  • COMPUSE
  • COMPUTE
  • CONTOH
  • CRACK
  • DARK
  • DATABASE
  • DEMO
  • DEVELOP
  • DOMAIN
  • DOWNLOAD
  • ELECTRO
  • ELEKTRO
  • EMAILKU
  • ESAFE
  • ESAVE
  • ESCAN
  • EXAMPLE
  • FEEDBACK
  • FOO@
  • FREE
  • FUCK
  • FUJI
  • FUJITSU
  • GATEWAY
  • GAUL
  • GOOGLE
  • GRISOFT
  • GROUP
  • HACK
  • HAURI
  • HIDDEN
  • HP.
  • IBM.
  • IEEE
  • INDO
  • INFO@
  • INFORMA
  • INTEL.
  • IPTEK
  • KDE
  • KOMPUTER
  • LAB
  • LINUX
  • LOOKSMART
  • LOTUS
  • LUCENT
  • MACRO
  • MASTER
  • MATH
  • MICRO
  • MICROSOFT
  • MOZILLA
  • MYSQL
  • NASA
  • NETSCAPE
  • NETWORK
  • NEWS
  • NOD32
  • NOKIA
  • NORMAN
  • NORTON
  • NOVELL
  • NVIDIA
  • OPERA
  • OVERTURE
  • PANDA
  • PLASA
  • POSTGRE
  • PROGRAM
  • PROLAND
  • PROMO
  • PROTECT
  • PROXY
  • RECIPIENT
  • REDHA
  • REGIST
  • RELAY
  • RESPONSE
  • ROBOT
  • SALES
  • SATU
  • SECUN
  • SECURE
  • SECURITY
  • SEKUR
  • SENIOR
  • SERVER
  • SERVICE
  • SIEMENS
  • SIERRA
  • SLACK
  • SMTP
  • SOFT
  • SOME
  • SOURCE
  • SPAM
  • SPERSKY
  • SPYW
  • STUDIO
  • SUN.
  • SUPPORT
  • SUSE
  • SYBARI
  • SYMANTEC
  • SYNDICAT
  • TELECOM
  • TELKOM
  • TEST
  • TRACK
  • TREND
  • TRUST
  • UPDATE
  • USERNAME
  • VAKSIN
  • VIRUS
  • W3.
  • WWW
  • XANDROS
  • XEROX
  • XXX
  • YOUR
  • ZDNET
  • ZEND
  • ZOMBIE

Process Termination

This Virus terminates the following services if found on the affected system:

  • acssrv
  • Agnitum Client Security Service
  • ALG
  • Amon monitor
  • aswFsBlk
  • aswMon2
  • aswRdr
  • aswSP
  • aswTdi
  • aswUpdSv
  • AV Engine
  • avast! Antivirus
  • avast! Asynchronous Virus Monitor
  • avast! iAVS4 Control Service
  • avast! Mail Scanner
  • avast! Self Protection
  • avast! Web Scanner
  • AVG E-mail Scanner
  • Avira AntiVir Premium Guard
  • Avira AntiVir Premium MailGuard
  • Avira AntiVir Premium WebGuard
  • AVP
  • BGLiveSvc
  • BlackICE
  • CAISafe
  • ccEvtMgr
  • ccProxy
  • ccSetMgr
  • cmdAgent
  • cmdGuard
  • COMODO Firewall Pro Sandbox Driver
  • Eset HTTP Server
  • Eset Personal Firewall
  • Eset Service
  • F-Prot Antivirus Update Monitor
  • fsbwsys
  • FSDFWD
  • F-Secure Gatekeeper Handler Starter
  • FSMA
  • Google Online Services
  • InoRPC
  • InoRT
  • InoTask
  • ISSVC
  • KLIF
  • KPF4
  • LavasoftFirewall
  • LIVESVR
  • McAfeeFramework
  • McShield
  • McTaskManager
  • MpsSvc
  • navapsvc
  • NOD32krn
  • NPFMntor
  • NSCService
  • Outpost Firewall main module
  • OutpostFirewall
  • PAVFIRES
  • PAVFNSVR
  • PavProt
  • PavPrSrv
  • PAVSRV
  • PcCtlCom
  • PersonalFirewal
  • PREVSRV
  • ProtoPort Firewall service
  • PSIMSVC
  • RapApp
  • SavRoam
  • SharedAccess
  • SmcService
  • SNDSrv
  • SPBBCSvc
  • SpIDer FS Monitor for Windows NT
  • SpIDer Guard File System Monitor
  • SPIDERNT
  • Symantec Antivirus
  • Symantec AntiVirus Definition Watcher
  • Symantec Core LC
  • Symantec Password Validation
  • Tmntsrv
  • TmPfw
  • UmxAgent
  • UmxCfg
  • UmxLU
  • UmxPol
  • vsmon
  • VSSERV
  • WebrootDesktopFirewallDataService
  • WebrootFirewall
  • wscsvc
  • XCOMM

It terminates the following processes if found running in the affected system's memory:

  • .dCFIAUDIT.
  • A2CMD.
  • A2FREE
  • A2GUARD
  • A2SERVICE.
  • ADVCHK.
  • AGB.
  • AHPROCMONSERVER.
  • AIRDEFENSE
  • AKRNL.
  • ALERTSVC
  • AMON.
  • ANTIVIR
  • APVXDWIN.
  • ARMOR2NET.
  • ASHAVAST.
  • ASHDISP.
  • ASHENHCD.
  • ASHMAISV.
  • ASHPOPWZ.
  • ASHSERV.
  • ASHSIMPL.
  • ASHSKPCK.
  • ASHWEBSV.
  • ASWSCAN
  • ASWUPDSV.
  • AVAST
  • AVCENTER
  • AVCIMAN.
  • AVCONSOL.
  • AVENGINE.
  • AVESVC.
  • AVEVAL.
  • AVEVL32.
  • AVGAM
  • AVGCC.
  • AVGCHSVX.
  • AVGCC32.
  • AVGCSRVX.
  • AVGCTRL.
  • AVGEMC.
  • AVGFWSRV.
  • AVGNSX.
  • AVGNT.
  • AVGNTMGR
  • AVGSERV.
  • AVGTRAY.
  • AVGUARD.
  • AVGUPSVC.
  • AVGWDSVC.
  • AVINITNT.
  • AVIRA
  • AVKSERV.
  • AVKSERVICE.
  • AVKWCTL.
  • AVP.
  • AVP32.
  • AVPCC.
  • AVPM.
  • AVSCHED32.
  • AVSERVER.
  • AVSYNMGR.
  • AVWUPD32.
  • AVWUPSRV.
  • AVXMONITOR
  • AVXQUAR.
  • AVZ.
  • BDSWITCH.
  • BITDEFENDER
  • BLACKD.
  • BLACKICE.
  • CAFIX.
  • CCEVTMGR.
  • CCSETMGR.
  • CFP.
  • CFPCONFIG.
  • CLAMTRAY.
  • CLAMWIN.
  • CUREIT
  • DEFENDERDAEMON
  • DEFWATCH.
  • DRVIRUS.
  • DRWADINS.
  • DRWEB
  • DWEBIO
  • DWEBLLIO
  • EKRN.
  • ESCANH95.
  • ESCANHNT.
  • EWIDOCTRL.
  • EZANTIVIRUSREGISTRATIONCHECK.
  • F-AGNT95.
  • FAMEH32.
  • FILEMON
  • FIREWALL
  • FORTICLIENT
  • FORTISCAN
  • FORTITRAY.
  • FPAVSERVER.
  • FPROTTRAY.
  • FPWIN.
  • FRESHCLAM.
  • FSAV32.
  • FSAVGUI.
  • FSBWSYS.
  • F-SCHED.
  • FSDFWD.
  • FSGK32.
  • FSGK32ST.
  • FSGUIEXE.
  • FSMA32.
  • FSMB32.
  • FSPEX.
  • FSSM32.
  • F-STOPW.
  • GCASDTSERV.
  • GCASSERV.
  • GIANTANTISPYWARE
  • GUARDGUI.
  • GUARDNT.
  • GUARDXKICKOFF.
  • GUARDXSERVICE.
  • HREGMON.
  • HRRES.
  • HSOCKPE.
  • HUPDATE.
  • IAMAPP.
  • IAMSERV.
  • ICLOAD95.
  • ICLOADNT.
  • ICMON.
  • ICSSUPPNT.
  • ICSUPP95.
  • ICSUPPNT.
  • INETUPD.
  • INOCIT.
  • INORPC.
  • INORT.
  • INOTASK.
  • INOUPTNG.
  • IOMON98.
  • IPTRAY.
  • ISAFE.
  • ISATRAY.
  • KAV.
  • KAVMM.
  • KAVPF.
  • KAVPFW.
  • KAVSTART.
  • KAVSVC.
  • KAVSVCUI.
  • KMAILMON.
  • MAMUTU
  • MCAGENT.
  • MCMNHDLR.
  • MCREGWIZ.
  • MCUPDATE.
  • MCVSSHLD.
  • MINILOG.
  • MYAGTSVC.
  • MYAGTTRY.
  • NAVAPSVC.
  • NAVAPW32.
  • NAVLU32.
  • NAVW32.
  • NEOWATCHLOG.
  • NEOWATCHTRAY.
  • NISSERV
  • NISUM.
  • NMAIN.
  • NOD32
  • NORMIST.
  • NOTSTART.
  • NPAVTRAY.
  • NPFMNTOR.
  • NPFMSG.
  • NPROTECT.
  • NSCHED32.
  • NSMDTR.
  • NSSSERV.
  • NSSTRAY.
  • NTOS.
  • NTRTSCAN.
  • NTXCONFIG.
  • NUPGRADE.
  • NVCOD.
  • NVCTE.
  • NVCUT.
  • NWSERVICE.
  • OFCPFWSVC.
  • ONLINENT.
  • OP_MON.
  • OPSSVC.
  • OUTPOST
  • PAVFIRES.
  • PAVFNSVR.
  • PAVKRE.
  • PAVPROT.
  • PAVPROXY.
  • PAVPRSRV.
  • PAVSRV51.
  • PAVSS.
  • PCCGUIDE.
  • PCCIOMON.
  • PCCNTMON.
  • PCCPFW.
  • PCCTLCOM.
  • PCTAV.
  • PERSFW.
  • PERTSK.
  • PERVAC.
  • PESTPATROL
  • PNMSRV.
  • PREVSRV.
  • PREVX
  • PSIMSVC.
  • QHONLINE.
  • QHONSVC.
  • QHSET.
  • QHWSCSVC.
  • QUHLPSVC.
  • RFWMAIN.
  • RTVSCAN.
  • RTVSCN95.
  • SALITY
  • SAPISSVC.
  • SAVADMINSERVICE.
  • SAVMAIN.
  • SAVPROGRESS.
  • SAVSCAN.
  • SCANNINGPROCESS.
  • SCANWSCS.
  • SDHELP.
  • SDRA64.
  • SHSTAT.
  • SITECLI.
  • SPBBCSVC.
  • SPHINX.
  • SPIDERCPL.
  • SPIDERML.
  • SPIDERNT.
  • SPIDERUI.
  • SPYBOTSD.
  • SPYXX.
  • SS3EDIT.
  • STOPSIGNAV.
  • SWAGENT.
  • SWDOCTOR.
  • SWNETSUP.
  • SYMLCSVC.
  • SYMPROXYSVC.
  • SYMSPORT.
  • SYMWSC.
  • SYNMGR.
  • TAUMON.
  • TBMON.
  • TMLISTEN.
  • TMNTSRV.
  • TMPROXY.
  • TNBUTIL.
  • TRJSCAN.
  • TROJAN.
  • VBA32ECM.
  • VBA32IFS.
  • VBA32LDR.
  • VBA32PP3.
  • VBSNTW.
  • VCRMON.
  • VPTRAY.
  • VRFWSVC.
  • VRMONNT.
  • VRMONSVC.
  • VRRW32.
  • VSECOMR.
  • VSHWIN32.
  • VSMON.
  • VSSERV.
  • VSSTAT.
  • WATCHDOG.
  • WEBSCANX.
  • WINSSNOTIFY.
  • WRCTRL.
  • XCOMMSVR.
  • ZLCLIENT
  • ZONEALARM

Download Routine

This Virus accesses websites to download the following files:

  • http://pelcpawel.fm.{BLOCKED}a.pl/logos.gif
  • http://{BLOCKED}tara.com/logof.gif
  • http://{BLOCKED}lie.com/images/logos.gif
  • http://{BLOCKED}nt-eg.com/images/logosa.gif
  • http://www.{BLOCKED}ogullari.com/logof.gif
  • http://www.{BLOCKED}becreatives.com/logos.gif
  • http://{BLOCKED}metgrup.com/images/logosa.gif
  • http://{BLOCKED}uncil.ya.funpic.de/images/logos.gif
  • http://{BLOCKED}asa.com/images/logos.gif
  • http://{BLOCKED}..19.14/logo.gif
  • http://{BLOCKED}ies.com/jowobot123/BrontokInf.txt

Other Details

This Virus adds and runs the following services:

asmint32
ImagePath = %System%\drivers\{6 Random Characters}.sys

IpFilterDriver
ImagePath = %System%\drivers\ipfltdrv.sys

It does the following:

  • It restarts the system if the following strings are present in an existing window:
    • .EXE
    • BLEEPING
    • CLEANER
    • COMMAND PROMPT
    • FAJARWEB
    • GROUP POLICY
    • HIJACK
    • KILLBOX
    • LOG OFF WINDOWS
    • MOVZX
    • PROCESS EXP
    • REGISTRY
    • REMOVER
    • SCRIPT HOST
    • SHUTDOWN
    • SYSINTERNAL
    • SYSTEM CONFIGURATION
    • TASK KILL
    • TASKKILL
  • It distributes itself via email with the following file name:
    • winword.exe
    • kangen.exe
    • ccapps.exe
  • It may spoof the "From" field with the following email addresses:
    • Berita_{email}@kafegaul.com
    • GaulNews_{email}@kafegaul.com
    • Movie_{email}@pornstargals.com
    • HotNews_{email}@pornstargals.com

However, as of this writing, the said sites are inaccessible.

It terminates itself if a window title or window class name contains any of the following strings:

  • .EXE
  • BLEEPING
  • CLEANER
  • COMMAND PROMPT
  • FAJARWEB
  • GROUP POLICY
  • HIJACK
  • KILLBOX
  • LOG OFF WINDOWS
  • MOVZX
  • PROCESS EXP
  • REGISTRY
  • REMOVER
  • SCRIPT HOST
  • SHUTDOWN
  • SYSINTERNAL
  • SYSTEM CONFIGURATION
  • TASK KILL
  • TASKKILL

  SOLUTION

Minimum Scan Engine:

9.800

FIRST VSAPI PATTERN FILE:

17.956.02

FIRST VSAPI PATTERN DATE:

24 Nov 2022

VSAPI OPR PATTERN File:

17.957.00

VSAPI OPR PATTERN Date:

25 Nov 2022

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Deleting Scheduled Tasks while in Safe Mode

  1. Still in safe mode, the following {Task Name}-{Task to be run} listed should be used in the steps identified below: DATA_GENERIC
  2. For Windows 7 and Server 2008 (R2) users, click Start>Computer.
    • For Windows 8, 8.1, 10, and Server 2012 users, right-click on the lower left corner of the screen, then click File Explorer.
  3. In the Search Computer/This PC input box, type:
    • %System%\Tasks\{Task Name}
  4. Once located, select the file then press SHIFT+DELETE to delete it.
  5. Open Registry Editor. To do this:
    • For Windows 7 and Server 2008 (R2) users, click the Start button, type regedit in the Search input field, and press Enter.
    • For Windows 8, 8.1, 10, and Server 2012 (R2) users, right-click on the lower left corner of the screen, click Run, type regedit in the text box, and press Enter.
  6. In the left panel of the Registry Editor window, double-click the following:
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Schedule>TaskCache>Tree>{Task Name}
  7. Locate the created entry and take note of the registry value's data:
    • ID={Task Data}
  8. After taking note of the data, delete the registry key:
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Schedule>TaskCache>Tree>{Task Name}
  9. In the left panel of the Registry Editor window, double-click the following:
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Schedule>TaskCache>Tasks
  10. Still in the left panel, locate and delete the registry key with the same name as the Task Data noted in step #7:
    • ={Task Data}
  11. Close Registry Editor.
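
The steps above can be scripted, which matters because the Tree key must be read for its Id before it is deleted and the matching Tasks key is unreachable once it is gone. The script below is an added example and is not part of the Trend Micro write-up. The write-up leaves the task name as the DATA_GENERIC placeholder, so the name is a parameter here (ExampleTask and the GUID in the demo are made up); plan_task_removal() only works out what would be removed and runs on any OS, while read_task_id() and apply_plan() use the standard-library winreg module and need Windows, an elevated prompt and, as the write-up says, Safe Mode.

```python
"""Scripted form of the scheduled-task removal steps in the write-up above.

Added example, not part of the Trend Micro write-up. Task name is the
write-up's DATA_GENERIC placeholder and is therefore a parameter.
"""
import ntpath
import os
import sys

TASKCACHE = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache"


def plan_task_removal(task_name, task_id, system_root=r"C:\Windows"):
    """Return the ordered actions for one task, mirroring steps 3 to 10:
    the task file under System32\\Tasks, the Tree\\{name} key (its Id must
    be read first, see read_task_id), then the Tasks\\{Id} key."""
    if not task_name or "\\" in task_name or "/" in task_name:
        raise ValueError("task name must be a single path component")
    if not (task_id.startswith("{") and task_id.endswith("}")):
        raise ValueError("task id must be the braced GUID stored in Tree\\<name>\\Id")
    return [
        ("delete_file", ntpath.join(system_root, "System32", "Tasks", task_name)),
        ("delete_key", "HKLM\\" + TASKCACHE + r"\Tree" + "\\" + task_name),
        ("delete_key", "HKLM\\" + TASKCACHE + r"\Tasks" + "\\" + task_id),
    ]


def read_task_id(task_name):
    """Windows only: the Id value of Tree\\{task_name} (step 7)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        TASKCACHE + r"\Tree" + "\\" + task_name) as key:
        return winreg.QueryValueEx(key, "Id")[0]


def apply_plan(plan):
    """Windows only: carry out the actions in order. winreg.DeleteKey
    refuses keys that still have subkeys; the two keys here have none."""
    import winreg
    for action, target in plan:
        if action == "delete_file":
            if os.path.exists(target):
                os.remove(target)
        elif action == "delete_key":
            hive, _, subkey = target.partition("\\")
            if hive != "HKLM":
                raise ValueError("unexpected hive " + hive)
            winreg.DeleteKey(winreg.HKEY_LOCAL_MACHINE, subkey)
        else:
            raise ValueError("unknown action " + action)


if __name__ == "__main__":
    if sys.platform != "win32" or len(sys.argv) != 2:
        print("usage (Windows, elevated, Safe Mode): python remove_task.py <TaskName>")
        sys.exit(1)
    name = sys.argv[1]
    plan = plan_task_removal(name, read_task_id(name),
                             os.environ.get("SystemRoot", r"C:\Windows"))
    for action, target in plan:
        print(action, target)
    apply_plan(plan)
```

The plan is printed before it is applied so the operator can confirm the Id read from the Tree key matches the Tasks subkey about to be removed; nested task folders (names containing a backslash) are rejected rather than guessed at.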

Step 4

Delete this registry value


Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\{Derived from User Name}\2033412880
    • {Derived from the first 4 letters of the User Name} = {Decimal Value}
  • In HKEY_CURRENT_USER\Software\{Derived from User Name}\2033412880
    • {Derived from the first 4 letters of the User Name} = {Hex Values}
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Tok-Cirrhatus = %AppDataLocal%\smss.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Bron-Spizaetus = %Windows%\inf\norBtok.exe

Step 5

Delete this registry key


Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

    • HKEY_CURRENT_USER\Software\{Derived from User Name}\2033412880

Step 6

Restore these modified registry values


Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • AntiVirusOverride = 1
    • AntiVirusDisableNotify = 1
    • FirewallDisableNotify = 1
    • FirewallOverride = 1
    • UpdatesDisableNotify = 1
    • UacDisableNotify = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
    • AntiVirusOverride = 1
    • AntiVirusDisableNotify = 1
    • FirewallDisableNotify = 1
    • FirewallOverride = 1
    • UpdatesDisableNotify = 1
    • UacDisableNotify = 1
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • GlobalUserOffline = 0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    • EnableLUA = 0
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    • EnableFirewall = 0
    • DoNotAllowExceptions = 0
    • DisableNotifications = 1
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • DisableCMD = 0
    • DisableRegistryTools = 1
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • NoFolderOptions = 1
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • Hidden = 2
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control
    • Safeboot

Step 7

Disable this malware service

  • asmint32

Step 8

Search and delete these files

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %AppDataLocal%\smss.exe
  • %AppDataLocal%\services.exe
  • %AppDataLocal%\lsass.exe
  • %AppDataLocal%\inetinfo.exe
  • %AppDataLocal%\csrss.exe
  • %AppDataLocal%\winlogon.exe
  • %System%\3D Animation.scr
  • %User Profile%\Templates\A.kotnorB.com
  • %Windows%\inf\norBtok.exe
  • %User Profile%\Programs\Startup\Empty.pif
  • %System%\drivers\{6 Random Characters}.sys
  • %User Temp%\win{5 Random Characters 1}.exe
  • %User Temp%\win{5 Random Characters 2}.exe
  • %System Root%\{6 Random Characters}.pif
  • {All Available Drives}\autorun.inf
  • {All Available Drives}\{5 Random Characters}.exe
  • %AppDataLocal%\Kosong.Bron.Tok.txt
  • %AppDataLocal%\Bron.tok.A3.em.bin
  • %AppDataLocal%\Ok-SendMail-Bron-tok{email}.ini
  • %AppDataLocal%\NetMailTmp.bin
  • %AppDataLocal%\BronFoldNetDomList.txt
  • %AppDataLocal%\BronNetDomList.bat
  • %AppDataLocal%\BronNPath0.txt
  • %AppDataLocal%\Update.AN3A.Bron.Tok.exe
  • %AppDataLocal%\Update.AN3A.Bron.Tok.tempo.exe
  • %AppDataLocal%\Update.3.Bron.Tok.bin
  • %AppDataLocal%\BrontokInf.txt
  • %User Profile%\Pictures\about.Brontok.A.html
  • %AppDataLocal%\Loc.Mail.Bron.Tok\{email}.ini
  • {Removable Drive Letter}:\Data {Username}.exe

Step 9

Search and delete these folders

Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %AppDataLocal%\Bron.tok-3-{Current Day}

Step 10

Restart in normal mode and scan your computer with your Trend Micro product for files detected as Virus.Win32.SALITY.RS. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

