PE_SALITY.ENO
Windows
Threat Type: File infector
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This file infector drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.
TECHNICAL DETAILS
File Size: 237,568 bytes
File Type: EXE
Initial Samples Received Date: 10 Apr 2015
Installation
This file infector drops the following copies of itself into the affected system:
- %Windows%\dc.exe
- %Windows%\SVIQ.exe
- %Windows%\Help\Other.exe
- %Windows%\system\Fun.exe
- %Windows%\inf\Other.exe
- %System%\WinSit.exe
- %System%\config\Win.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows on all Windows operating system versions. %System% is the Windows system folder, which is usually C:\Windows\System32 on all Windows operating system versions.)
It drops the following file(s)/component(s):
- %System%\inf\svchost.exe
- %Windows%\INETINFO.exe
- %Windows%\wininit.ini
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32 on all Windows operating system versions. %Windows% is the Windows folder, which is usually C:\Windows on all Windows operating system versions.)
It creates the following folders:
- %System%\inf
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32 on all Windows operating system versions.)
Autostart Technique
This file infector adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Fun = "%Windows%\system\Fun.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
dc = "%Windows%\dc.exe"
Other System Modifications
This file infector adds the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%System%\inf\svchost.exe = "%System%\inf\svchost.exe:Enabledxpsp2res.dll,-22001"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%Desktop%\{malware filename}.exe = "%Desktop%\{malware filename}.exe:Enabled:ipsec"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\eventchk
Start = "2"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\eventchk
ImagePath = "%System%\inf\svchost.exe"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\eventchk
DisplayName = "Windows Event Check"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
EnableLUA = "0"
It adds the following registry keys as part of its installation routine:
HKLM\SYSTEM\ControlSet001\Services\eventchk
HKCU\Software\{OS Version}{Random Number}
It modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = "2"
(Note: The default value data of the said registry entry is "0".)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableTaskMgr = "1"
(Note: The default value data of the said registry entry is "0".)
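Host triage script for the dropped files (Installation section) and registry changes (Autostart Technique and Other System Modifications sections) listed above. This is an added example, not part of the Trend Micro entry; it assumes an elevated PowerShell session and checks CurrentControlSet rather than the ControlSet001 path the entry names, since that is the control set the running system uses.

```powershell
# Added example: look for PE_SALITY.ENO artifacts described in this entry.
# Assumes an elevated PowerShell session on the host being triaged.
$win = $env:SystemRoot
$sys = Join-Path $win 'System32'

# Dropped copies and components from the Installation section
$paths = @(
    "$win\dc.exe", "$win\SVIQ.exe", "$win\Help\Other.exe", "$win\system\Fun.exe",
    "$win\inf\Other.exe", "$sys\WinSit.exe", "$sys\config\Win.exe",
    "$sys\inf\svchost.exe", "$win\INETINFO.exe", "$win\wininit.ini"
)

# Registry values from the entry; Bad is the data that indicates infection
$regChecks = @(
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name='Fun'; Bad='*\system\Fun.exe' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name='dc'; Bad='*\dc.exe' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\eventchk'; Name='ImagePath'; Bad='*\inf\svchost.exe' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='EnableLUA'; Bad='0' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableTaskMgr'; Bad='1' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='Hidden'; Bad='2' }
)

$findings = @()
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}
foreach ($c in $regChecks) {
    # Get-ItemProperty returns nothing when the key or value is absent
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $val = $item.($c.Name)
        if ("$val" -like $c.Bad) { $findings += "Registry: $($c.Path)\$($c.Name) = $val" }
    }
}

# Firewall exception added for the dropped svchost.exe (StandardProfile list)
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwKey) {
    (Get-Item $fwKey).Property | Where-Object { $_ -like '*\inf\svchost.exe' } |
        ForEach-Object { $findings += "Firewall exception: $_" }
}

if ($findings.Count -eq 0) { 'No PE_SALITY.ENO indicators found.' } else { $findings }
```

A hit on EnableLUA, DisableTaskMgr or Hidden alone is not conclusive, since administrators also set those values; the file paths and the eventchk service are the stronger indicators.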
Propagation
This file infector drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.
Other Details
This file infector connects to the following possibly malicious URLs:
- http://mattfoll.eu.{BLOCKED}a.pl/logos.gif?2824ea=15785340
- http://mattfoll.eu.{BLOCKED}owo.pl/logos.gif?2824ea=15785340
- http://macedonia.{BLOCKED}1.ru/logoh.gif?283eea=10550184
- http://sosite_averi_{BLOCKED}ee.hahah?284b8d=18485467
NOTES:
This malware infects files.