PE_VIRUX.GEN2-1
Virus:Win32/Virut.BN (Microsoft), W32.Sality!dr (Symantec), W32/Virut.n.gen (NAI), W32/Scribble-B (Sophos), Win32.Virtob.Gen.12 (FSecure), Virus.Win32.Virut.ce.5 (v) (Sunbelt), W32/Virut.AL!Generic (Authentium), Win32.Virtob.Gen.12 (Bitdefender), W32/LPECrypt.A!tr (Fortinet), W32/Virut.AL!Generic (Fprot), Trojan.Sality (Ikarus), Win32/Virut.NBP virus (NOD32), Trojan Sality.dam (Norman), W32/Sality.AK.drp (Panda), Virus.Virut.14 (VBA32)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: File infector
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be manually installed by a user.
TECHNICAL DETAILS
Arrival Details
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It may be manually installed by a user.
Installation
This file infector drops the following component file(s):
- {%System Root%}\Documents and Settings\All Users\svchost.exe
- {%System%}\{random characters}.dll
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It injects threads into the following normal process(es):
- winlogon.exe
Autostart Technique
This file infector adds the following registry entry to enable its automatic execution at every system startup. The value name imitates the legitimate Sun Java update scheduler autostart entry, but its data points at the dropped copy of svchost.exe under Documents and Settings rather than the genuine %System%\svchost.exe:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
SunJavaUpdateSched = {%System Root%}\Documents and Settings\All Users\svchost.exe
Other System Modifications
This file infector adds the following registry entries as part of its installation routine:
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Explorer
UpdateHost = {random value}
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings\Connections
DefaultConnectionSettings = {random value}
It creates the following registry entry(ies) to bypass Windows Firewall. The entry whitelists winlogon.exe, the process it injects threads into (see above), so network traffic originating from the injected code is allowed through the Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
\??\%System%\winlogon.exe = \??\C:\%System%\winlogon.exe:*:enabled:@shell32.dll,-1
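As an added triage example (not code from this entry), the following Python script parses a Windows .reg export taken from a suspect host and flags the registry-level indicators listed in the Installation, Autostart Technique and Other System Modifications sections above: a Run value launching svchost.exe from outside %System%, the UpdateHost marker under HKEY_USERS\.DEFAULT, and a Windows Firewall AuthorizedApplications entry for winlogon.exe. The sample export, the function names and the indicator labels are this example's own constructions. One caveat built into the checks: DefaultConnectionSettings under Internet Settings\Connections also exists on clean systems (WinINet writes it), so it is not used as an indicator on its own.

```python
"""Registry indicator triage for the PE_VIRUX.GEN2-1 entries listed above.

Added example, not code from the original entry. Input is a decoded
Windows .reg export (for instance one produced by `reg export` on the
suspect host and opened with encoding="utf-16").
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "indicator key name data")

# Directories where a legitimate svchost.exe lives (lower-case path fragments).
SYSTEM_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\")

# Constructed sample export: the infected Run value beside a benign one,
# the HKEY_USERS\.DEFAULT values and the firewall exception for winlogon.exe.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\\Documents and Settings\\All Users\\svchost.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
"UpdateHost"=hex:3a,9f,12,c4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings"=hex:46,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"
'''


def _unescape(s):
    """Undo .reg quoting: a backslash escapes the following character."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse .reg text into {key_path (lower-case): {value_name: data}}.

    REG_SZ data is unescaped; hex:/dword: data is kept as written.
    Continuation lines of long hex values are not handled (not needed here).
    """
    value_re = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = value_re.match(line)
        if current is None or not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def _get(values, name):
    """Case-insensitive value lookup (registry value names are case-insensitive)."""
    for n, d in values.items():
        if n.lower() == name.lower():
            return d
    return None


def find_indicators(keys):
    """Return a list of Finding for every indicator present in the parsed export."""
    findings = []
    for key, values in keys.items():
        # Autostart: svchost.exe launched from anywhere but %System%.
        if key.endswith("\\currentversion\\run"):
            for name, data in values.items():
                path = data.strip('"').lower()
                if path.endswith("\\svchost.exe") and not any(d in path for d in SYSTEM_DIRS):
                    findings.append(Finding("svchost_outside_system", key, name, data))
        # Marker value written under the .DEFAULT hive. DefaultConnectionSettings
        # is deliberately not used: WinINet creates it on clean systems too.
        elif key.startswith("hkey_users\\.default\\") and key.endswith("\\currentversion\\explorer"):
            data = _get(values, "UpdateHost")
            if data is not None:
                findings.append(Finding("updatehost_in_default_hive", key, "UpdateHost", data))
        # Firewall exception for winlogon.exe, which never needs one.
        elif key.endswith("\\authorizedapplications\\list"):
            for name, data in values.items():
                if "winlogon.exe" in name.lower() or "winlogon.exe" in data.lower():
                    findings.append(Finding("winlogon_firewall_exception", key, name, data))
    return findings


if __name__ == "__main__":
    for f in find_indicators(parse_reg(SAMPLE_REG)):
        print(f"[{f.indicator}] {f.key}\n    {f.name} = {f.data}")
```

On a real host, export the three keys with `reg export` and feed the decoded text to `parse_reg`; the script flags only the entries described in this entry, so anything it reports should be confirmed against the dropped-file locations listed under Installation before remediation.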
Download Routine
This file infector connects to the following URL(s) to download its component file(s):
- http://{BLOCKED}7.net