PE_SALITY.RL-O
Virus:Win32/Sality.AT(Microsoft),Worm.Win32.WBNA.mjv(Kaspersky),W32.Pilleuz(Norton)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: File infector
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It drops copies of itself into all the removable drives connected to an affected system. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
TECHNICAL DETAILS
Arrival Details
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This file infector drops the following files:
- %Windows%\drivers\{random file name}.sys - detected as RTKT_SALITY.RL
(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)
It drops the following copies of itself into the affected system:
- %Windows%\winlogon.exe
(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)
Autostart Technique
This file infector adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
winlogon.exe = "%Windows%\winlogon.exe"
It registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32
Type = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32
Start = "3"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32
ErrorControl = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32
DisplayName = "amsint32"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32
ImagePath = "\??\%Windows%\drivers\{random file name}.sys"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32\Enum
0 = "Root\LEGACY_AMSINT32\0000"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32\Enum
Count = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32\Enum
NextInstance = "1"
It registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32
Other System Modifications
This file infector adds the following registry keys:
HKEY_CURRENT_USER\Software\Afukx
It adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusDisableNotify = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallDisableNotify = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallOverride = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UpdatesDisableNotify = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UacDisableNotify = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UacDisableNotify = "1"
HKEY_CURRENT_USER\Software\Afukx
w{number}_{number} = "{hex value}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusOverride = "1"
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DisableNotifications = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = "1"
(Note: The default value data of the said registry entry is 0.)
It modifies the following registry entries to hide files with Hidden attributes:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"
(Note: The default value data of the said registry entry is 1.)
It creates the following registry entry(ies) to bypass Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path}\{malware file name} = "{malware path}\{malware file name}:*:Enabled:ipsec"
File Infection
This file infector infects the following file types:
- .EXE
- .SCR
Propagation
This file infector drops copies of itself into all the removable drives connected to an affected system.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
Note: The order of autorun.inf strings may vary and may contain a combination of uppercase and lowercase letters.
;{garbage characters}
[AutoRun]
;{garbage characters}
shell\explore\command = {random}.{exe/pif}
;{garbage characters}
open = {random file name}.exe
;{garbage characters}
shell\open\command = {random}.{exe/pif}
shell\open\default = 1
;{garbage characters}
shell\autoplay\command = {random}.{exe/pif}
;{garbage characters}
Process Termination
This file infector terminates processes or services that contain any of the following strings if found running in the affected system's memory:
- NPROTECT.
- NSCHED32.
- NSMDTR.
- NSSSERV.
- NSSTRAY.
- NTRTSCAN.
- NTOS.
- NTXCONFIG.
- NUPGRADE.
- NVCOD.
- NVCTE.
- NVCUT.
- NWSERVICE.
- OFCPFWSVC.
- OUTPOST.
- ONLINENT.
- OPSSVC.
- OP_MON.
- PAVFIRES.
- PAVFNSVR.
- PAVKRE.
- PAVPROT.
- PAVPROXY.
- PAVPRSRV.
- PAVSRV51.
- PAVSS.
- PCCGUIDE.
- PCCIOMON.
- PCCNTMON.
- PCCPFW.
- PCCTLCOM.
- PCTAV.
- PERSFW.
- PERTSK.
- PERVAC.
- PESTPATROL.
- PNMSRV.
- PREVSRV.
- PREVX.
- PSIMSVC.
- QUHLPSVC.
- QHONLINE.
- QHONSVC.
- QHWSCSVC.
- QHSET.
- RFWMAIN.
- RTVSCAN.
- RTVSCN95.
- SALITY.
- SAPISSVC.
- SCANWSCS.
- SAVADMINSERVICE.
- SAVMAIN.
- SAVPROGRESS.
- SAVSCAN.
- SCANNINGPROCESS.
- SDRA64.
- SDHELP.
- SHSTAT.
- ADVCHK.
- AGB.
- AKRNL.
- AHPROCMONSERVER.
- AIRDEFENSE.
- ALERTSVC.
- AVIRA.
- AMON.
- TROJAN.
- AVZ.
- ANTIVIR.
- APVXDWIN.
- ARMOR2NET.
- ASHAVAST.
- ASHDISP.
- ASHENHCD.
- ASHMAISV.
- ASHPOPWZ.
- ASHSERV.
- ASHSIMPL.
- ASHSKPCK.
- ASHWEBSV.
- ASWUPDSV.
- ASWSCAN.
- AVCIMAN.
- AVCONSOL.
- AVENGINE.
- AVESVC.
- AVEVAL.
- AVEVL32.
- AVGAM.
- AVGCC.
- AVGCHSVX.
- AVGCSRVX.
- AVGNSX.
- AVGCC32.
- AVGCTRL.
- AVCENTER.
- AVGNTMGR.
- AVGSERV.
- AVGTRAY.
- AVGUARD.
- AVGUPSVC.
- AVGWDSVC.
- AVINITNT.
- AVKSERV.
- AVKSERVICE.
- AVKWCTL.
- AVP.
- AVP32.
- AVPCC.
- AVAST.
- AVSERVER.
- AVSCHED32.
- AVSYNMGR.
- AVWUPD32.
- AVWUPSRV.
- AVXMONITOR.
- AVXQUAR.
- BDSWITCH.
- BLACKD.
- BLACKICE.
- CAFIX.
- BITDEFENDER.
- CCEVTMGR.
- CFP.
- CFPCONFIG.
- CCSETMGR.
- CFIAUDIT.
- CLAMTRAY.
- CLAMWIN.
- CUREIT.
- DEFWATCH.
- DRVIRUS.
- DRWADINS.
- DRWEB.
- DEFENDERDAEMON.
- DWEBLLIO.
- DWEBIO.
- ESCANH95.
- ESCANHNT.
- EWIDOCTRL.
- EZANTIVIRUSREGISTRATIONCHECK.
- F-AGNT95.
- FAMEH32.
- FILEMON.
- FIREWALL.
- FORTICLIENT.
- FORTITRAY.
- FORTISCAN.
- FPAVSERVER.
- FPROTTRAY.
- FPWIN.
- FRESHCLAM.
- EKRN.
- FSAV32.
- FSAVGUI.
- FSBWSYS.
- F-SCHED.
- FSDFWD.
- FSGK32.
- FSGK32ST.
- FSGUIEXE.
- FSMA32.
- FSMB32.
- FSPEX.
- FSSM32.
- F-STOPW.
- GCASDTSERV.
- GCASSERV.
- GIANTANTISPYWARE.
- GUARDGUI.
- GUARDNT.
- GUARDXSERVICE.
- GUARDXKICKOFF.
- HREGMON.
- HRRES.
- SITECLI.
- SPBBCSVC.
- SPHINX.
- SPIDERCPL.
- SPIDERML.
- SPIDERNT.
- SPIDERUI.
- SPYBOTSD.
- SPYXX.
- SS3EDIT.
- STOPSIGNAV.
- SWAGENT.
- SWDOCTOR.
- SWNETSUP.
- SYMLCSVC.
- SYMPROXYSVC.
- SYMSPORT.
- SYMWSC.
- SYNMGR.
- TAUMON.
- TBMON.
- TMLISTEN.
- TMNTSRV.
- TMPROXY.
- TNBUTIL.
- TRJSCAN.
- VBA32ECM.
- VBA32IFS.
- VBA32LDR.
- VBA32PP3.
- VBSNTW.
- VCRMON.
- VPTRAY.
- VRFWSVC.
- VRMONNT.
- VRMONSVC.
- VRRW32.
- VSECOMR.
- VSHWIN32.
- VSMON.
- VSSERV.
- VSSTAT.
- WATCHDOG.
- WEBSCANX.
- WINSSNOTIFY.
- WRCTRL.
- XCOMMSVR.
- ZLCLIENT.
- ZONEALARM.
- HSOCKPE.
- HUPDATE.
- IAMAPP.
- IAMSERV.
- ICLOAD95.
- ICLOADNT.
- ICMON.
- ICSSUPPNT.
- ICSUPP95.
- ICSUPPNT.
- IPTRAY.
- INETUPD.
- INOCIT.
- INORPC.
- INORT.
- INOTASK.
- INOUPTNG.
- IOMON98.
- ISAFE.
- ISATRAY.
- KAV.
- KAVMM.
- KAVPF.
- KAVPFW.
- KAVSTART.
- KAVSVC.
- KAVSVCUI.
- KMAILMON.
- MAMUTU.
- MCAGENT.
- MCMNHDLR.
- MCREGWIZ.
- MCUPDATE.
- MCVSSHLD.
- MINILOG.
- MYAGTSVC.
- MYAGTTRY.
- NAVAPSVC.
- NAVAPW32.
- NAVLU32.
- NAVW32.
- NEOWATCHLOG.
- NEOWATCHTRAY.
- NISSERV.
- NISUM.
- NMAIN.
- NOD32.
- NORMIST.
- NOTSTART.
- NPAVTRAY.
- NPFMNTOR.
- NPFMSG.
- AVPM.
- A2GUARD.
- A2CMD.
- A2SERVICE.
- A2FREE.
- AVAST.
- AVGEMC.
- AVGFWSRV.
- AVGNT.
Download Routine
This file infector accesses the following websites to download files:
- http://{BLOCKED}wel.fm.{BLOCKED}a.pl/logos.gif
- http://{BLOCKED}tara.com/logof.gif
- http://{BLOCKED}lie.com/images/logos.gif
- http://{BLOCKED}nt-eg.com/images/logosa.gif
- http://www.{BLOCKED}ogullari.com/logof.gif
- http://www.{BLOCKED}becreatives.com/logos.gif
- http://{BLOCKED}metgrup.com/images/logosa.gif
- http://{BLOCKED}uncil.ya.{BLOCKED}c.de/images/logos.gif
- http://{BLOCKED}asa.com/images/logos.gif
- http://{BLOCKED}.{BLOCKED}.19.14/logo.gif
- http://www.{BLOCKED}y.com.mx/images/xs.jpg
- http://{BLOCKED}o.ir/pictures/xs.jpg
- http://{BLOCKED}yekta.com/logos.gif
- http://{BLOCKED}porizona.com.br/s.jpg
- http://www.{BLOCKED}stcreation.com/images/xs.jpg
- http://www.{BLOCKED}reklam.com/logof.gif
- http://{BLOCKED}btakeran.com/images/xs.jpg
- http://{BLOCKED}vhumbetraders.co.za/pics/logos.gif
- http://www.{BLOCKED}nparto.com/images/xs.jpg
- http://{BLOCKED}asanchez.com/s.jpg
- http://{BLOCKED}resi.net/logof.gif
- http://{BLOCKED}ndation.org/images/xs.jpg
- http://{BLOCKED}rma.net/imagens/logof.gif
NOTES:
Its infected files are detected as PE_SALITY.RL.
It deletes the content of the SafeBoot Registry.
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Remove the malware/grayware file dropped/downloaded by PE_SALITY.RL-O. (Note: Please skip this step if the threat(s) listed below have already been removed.)
- PE_SALITY.RL
Step 3
Identify and delete files detected as PE_SALITY.RL-O using the Recovery Console
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32
- Type = "1"
- Type = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32
- Start = "3"
- Start = "3"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32
- ErrorControl = "1"
- ErrorControl = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32
- DisplayName = "amsint32"
- DisplayName = "amsint32"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32
- ImagePath = "\??\%Windows%\drivers\{random file name}.sys"
- ImagePath = "\??\%Windows%\drivers\{random file name}.sys"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32\Enum
- 0 = "Root\LEGACY_AMSINT32\0000"
- 0 = "Root\LEGACY_AMSINT32\0000"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32\Enum
- Count = "1"
- Count = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32\Enum
- NextInstance = "1"
- NextInstance = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- AntiVirusDisableNotify = "1"
- AntiVirusDisableNotify = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- FirewallDisableNotify = "1"
- FirewallDisableNotify = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- FirewallOverride = "1"
- FirewallOverride = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- UpdatesDisableNotify = "1"
- UpdatesDisableNotify = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- UacDisableNotify = "1"
- UacDisableNotify = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- UacDisableNotify = "1"
- UacDisableNotify = "1"
- In HKEY_CURRENT_USER\Software\Afukx
- w{number}_{number} = "{hex value}"
- w{number}_{number} = "{hex value}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
- EnableLUA = "0"
- EnableLUA = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- AntiVirusOverride = "1"
- AntiVirusOverride = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- {malware path}\{malware file name} = "{malware path}\{malware file name}:*:Enabled:ipsec"
- {malware path}\{malware file name} = "{malware path}\{malware file name}:*:Enabled:ipsec"
Step 5
Restore this modified registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- From: EnableFirewall = "0"
To: EnableFirewall = "1"
- From: EnableFirewall = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- From: DisableNotifications = "1"
To: DisableNotifications = "0"
- From: DisableNotifications = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: AntiVirusDisableNotify = "1"
To: AntiVirusDisableNotify = "0"
- From: AntiVirusDisableNotify = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: FirewallDisableNotify = "1"
To: FirewallDisableNotify = "0"
- From: FirewallDisableNotify = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: UpdatesDisableNotify = "1"
To: UpdatesDisableNotify = "0"
- From: UpdatesDisableNotify = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: AntiVirusOverride = "1"
To: AntiVirusOverride = "0"
- From: AntiVirusOverride = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: FirewallOverride = "1"
To: FirewallOverride = "0"
- From: FirewallOverride = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- From: Hidden = "2"
To: Hidden = "1"
- From: Hidden = "2"
Step 6
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- amsint32
- amsint32
- In HKEY_CURRENT_USER\Software
- Afukx
- Afukx
Step 7
Search and delete AUTORUN.INF files created by PE_SALITY.RL-O that contain these strings
[AutoRun]
;{garbage characters}
shell\explore\command = {random}.{exe/pif}
;{garbage characters}
open = {random file name}.exe
;{garbage characters}
shell\open\command = {random}.{exe/pif}
shell\open\default = 1
;{garbage characters}
shell\autoplay\command = {random}.{exe/pif}
;{garbage characters}
Step 8
Scan your computer with your Trend Micro product to delete files detected as PE_SALITY.RL-O. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 9
Restore this deleted registry key/value from backup
*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
- SafeBoot
- SafeBoot
Did this description help? Tell us how we did.