Virus.Win32.SALITY.RT

• 
  Threat Type: Virus
• 
  Destructiveness: No
• 
  Encrypted: No
• 
  In the wild: Yes

OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware, Propagates via removable drives, Propagates via shared drives

This Virus arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It creates certain registry entries to disable applications related to security.

It drops copies of itself in all removable and physical drives found in the system. It drops copies of itself into network drives. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It modifies certain registry entries to hide Hidden files.

TECHNICAL DETAILS

Payload: Drops files, Modifies system registry, Modifies files, Terminates processes, Disables AV, Connects to URLs/IPs, Hides files and processes

Arrival Details

This Virus arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

Other System Modifications

• %User Temp%\

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following line(s)/entry(ies) in the SYSTEM.INI file:

It adds the following registry entries:

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUsersOffline = 0

(Note: The default value data of the said registry entry is 1.)

(Note: The default value data of the said registry entry is 1.)

(Note: The default value data of the said registry entry is 1.)

(Note: The default value data of the said registry entry is 0.)

(Note: The default value data of the said registry entry is 1.)

It creates the following registry entries to disable applications related to security:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusOverride = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallOverride = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UpdatesDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UacDisableNotify = 1

It deletes the following registry keys:

File Infection

• .EXE/.exe
• .SCR/.scr

• AVPM
• A2GUARD
• A2CMD
• A2SERVICE
• A2FREE
• AVAST
• ADVCHK
• AGB
• AKRNL
• AHPROCMONSERVER
• AIRDEFENSE
• ALERTSVC
• AVIRA
• AMON
• TROJAN
• AVZ
• ANTIVIR
• APVXDWIN
• ARMOR2NET
• ASHAVAST
• ASHDISP
• ASHENHCD
• ASHMAISV
• ASHPOPWZ
• ASHSERV
• ASHSIMPL
• ASHSKPCK
• ASHWEBSV
• ASWUPDSV
• ASWSCAN
• AVCIMAN
• AVCONSOL
• AVENGINE
• AVESVC
• AVEVAL
• AVEVL32
• AVGAM
• AVGCC
• AVGCHSVX
• AVGCSRVX
• AVGNSX
• AVGCC32
• AVGCTRL
• AVGEMC
• AVGFWSRV
• AVGNT
• AVCENTER
• AVGNTMGR
• AVGSERV
• AVGTRAY
• AVGUARD
• AVGUPSVC
• AVGWDSVC
• AVINITNT
• AVKSERV
• AVKSERVICE
• AVKWCTL
• AVP
• AVP32
• AVPCC
• AVAST
• AVSERVER
• AVSCHED32
• AVSYNMGR
• AVWUPD32
• AVWUPSRV
• AVXMONITOR
• AVXQUAR
• BDSWITCH
• BLACKD
• BLACKICE
• CAFIX
• BITDEFENDER
• CCEVTMGR
• CFP
• CFPCONFIG
• CCSETMGR
• CFIAUDIT
• CLAMTRAY
• CLAMWIN
• CUREIT
• DEFWATCH
• DRVIRUS
• DRWADINS
• DRWEB
• DEFENDERDAEMON
• DWEBLLIO
• DWEBIO
• ESCANH95
• ESCANHNT
• EWIDOCTRL
• EZANTIVIRUSREGISTRATIONCHECK
• F-AGNT95
• FAMEH32
• FILEMON
• FIREWALL
• FORTICLIENT
• FORTITRAY
• FORTISCAN
• FPAVSERVER
• FPROTTRAY
• FPWIN
• FRESHCLAM
• EKRN
• FSAV32
• FSAVGUI
• FSBWSYS
• F-SCHED
• FSDFWD
• FSGK32
• FSGK32ST
• FSGUIEXE
• FSMA32
• FSMB32
• FSPEX
• FSSM32
• F-STOPW
• GCASDTSERV
• GCASSERV
• GIANTANTISPYWARE
• GUARDGUI
• GUARDNT
• GUARDXSERVICE
• GUARDXKICKOFF
• HREGMON
• HRRES
• HSOCKPE
• HUPDATE
• IAMAPP
• IAMSERV
• ICLOAD95
• ICLOADNT
• ICMON
• ICSSUPPNT
• ICSUPP95
• ICSUPPNT
• IPTRAY
• INETUPD
• INOCIT
• INORPC
• INORT
• INOTASK
• INOUPTNG
• IOMON98
• ISAFE
• ISATRAY
• KAV
• KAVMM
• KAVPF
• KAVPFW
• KAVSTART
• KAVSVC
• KAVSVCUI
• KMAILMON
• MAMUTU
• MCAGENT
• MCMNHDLR
• MCREGWIZ
• MCUPDATE
• MCVSSHLD
• MINILOG
• MYAGTSVC
• MYAGTTRY
• NAVAPSVC
• NAVAPW32
• NAVLU32
• NAVW32
• NEOWATCHLOG
• NEOWATCHTRAY
• NISSERV
• NISUM
• NMAIN
• NOD32
• NORMIST
• NOTSTART
• NPAVTRAY
• NPFMNTOR
• NPFMSG
• NPROTECT
• NSCHED32
• NSMDTR
• NSSSERV
• NSSTRAY
• NTRTSCAN
• NTOS
• NTXCONFIG
• NUPGRADE
• NVCOD
• NVCTE
• NVCUT
• NWSERVICE
• OFCPFWSVC
• OUTPOST
• ONLINENT
• OPSSVC
• OP_MON
• PAVFIRES
• PAVFNSVR
• PAVKRE
• PAVPROT
• PAVPROXY
• PAVPRSRV
• PAVSRV51
• PAVSS
• PCCGUIDE
• PCCIOMON
• PCCNTMON
• PCCPFW
• PCCTLCOM
• PCTAV
• PERSFW
• PERTSK
• PERVAC
• PESTPATROL
• PNMSRV
• PREVSRV
• PREVX
• PSIMSVC
• QUHLPSVC
• QHONLINE
• QHONSVC
• QHWSCSVC
• QHSET
• RFWMAIN
• RTVSCAN
• RTVSCN95
• SALITY
• SAPISSVC
• SCANWSCS
• SAVADMINSERVICE
• SAVMAIN
• SAVPROGRESS
• SAVSCAN
• SCANNINGPROCESS
• SDRA64
• SDHELP
• SHSTAT
• SITECLI
• SPBBCSVC
• SPHINX
• SPIDERCPL
• SPIDERML
• SPIDERNT
• SPIDERUI
• SPYBOTSD
• SPYXX
• SS3EDIT
• STOPSIGNAV
• SWAGENT
• SWDOCTOR
• SWNETSUP
• SYMLCSVC
• SYMPROXYSVC
• SYMSPORT
• SYMWSC
• SYNMGR
• TAUMON
• TBMON
• TMLISTEN
• TMNTSRV
• TMPROXY
• TNBUTIL
• TRJSCAN
• VBA32ECM
• VBA32IFS
• VBA32LDR
• VBA32PP3
• VBSNTW
• VCRMON
• VPTRAY
• VRFWSVC
• VRMONNT
• VRMONSVC
• VRRW32
• VSECOMR
• VSHWIN32
• VSMON
• VSSERV
• VSSTAT
• WATCHDOG
• WEBSCANX
• WINSSNOTIFY
• WRCTRL
• XCOMMSVR
• ZLCLIENT
• ZONEALARM

• Protected System Files
• Files in CD-ROM drives

Propagation

This Virus drops copies of itself in all removable and physical drives found in the system.

It drops copies of itself into network drives.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

*Note: The order of the strings varies and the combination of uppercase and lowercase letters also varies*

Process Termination

• AVP
• Agnitum Client Security Service
• ALG
• Amon monitor
• aswUpdSv
• aswMon2
• aswRdr
• aswSP
• aswTdi
• aswFsBlk
• acssrv
• AV Engine
• avast! iAVS4 Control Service
• avast! Antivirus
• avast! Mail Scanner
• avast! Web Scanner
• avast! Asynchronous Virus Monitor
• avast! Self Protection
• AVG E-mail Scanner
• Avira AntiVir Premium Guard
• Avira AntiVir Premium WebGuard
• Avira AntiVir Premium MailGuard
• BGLiveSvc
• BlackICE
• CAISafe
• ccEvtMgr
• ccProxy
• ccSetMgr
• COMODO Firewall Pro Sandbox Driver
• cmdGuard
• cmdAgent
• Eset Service
• Eset HTTP Server
• Eset Personal Firewall
• F-Prot Antivirus Update Monitor
• fsbwsys
• FSDFWD
• F-Secure Gatekeeper Handler Starter
• FSMA
• Google Online Services
• InoRPC
• InoRT
• InoTask
• ISSVC
• KPF4
• KLIF
• LavasoftFirewall
• LIVESRV
• McAfeeFramework
• McShield
• McTaskManager
• MpsSvc
• navapsvc
• NOD32krn
• NPFMntor
• NSCService
• Outpost Firewall main module
• OutpostFirewall
• PAVFIRES
• PAVFNSVR
• PavProt
• PavPrSrv
• PAVSRV
• PcCtlCom
• PersonalFirewal
• PREVSRV
• ProtoPort Firewall service
• PSIMSVC
• RapApp
• SharedAccess
• SmcService
• SNDSrvc
• SPBBCSvc
• SpIDer FS Monitor for Windows NT
• SpIDer Guard File System Monitor
• SPIDERNT
• Symantec Core LC
• Symantec Password Validation
• Symantec AntiVirus Definition Watcher
• SavRoam
• Symantec AntiVirus
• Tmntsrv
• TmPfw
• UmxAgent
• UmxCfg
• UmxLU
• UmxPol
• vsmon
• VSSERV
• WebrootDesktopFirewallDataService
• WebrootFirewall
• wscsvc
• XCOMM

• AVPM
• A2GUARD
• A2CMD
• A2SERVICE
• A2FREE
• AVAST
• ADVCHK
• AGB
• AKRNL
• AHPROCMONSERVER
• AIRDEFENSE
• ALERTSVC
• AVIRA
• AMON
• TROJAN
• AVZ
• ANTIVIR
• APVXDWIN
• ARMOR2NET
• ASHAVAST
• ASHDISP
• ASHENHCD
• ASHMAISV
• ASHPOPWZ
• ASHSERV
• ASHSIMPL
• ASHSKPCK
• ASHWEBSV
• ASWUPDSV
• ASWSCAN
• AVCIMAN
• AVCONSOL
• AVENGINE
• AVESVC
• AVEVAL
• AVEVL32
• AVGAM
• AVGCC
• AVGCHSVX
• AVGCSRVX
• AVGNSX
• AVGCC32
• AVGCTRL
• AVGEMC
• AVGFWSRV
• AVGNT
• AVCENTER
• AVGNTMGR
• AVGSERV
• AVGTRAY
• AVGUARD
• AVGUPSVC
• AVGWDSVC
• AVINITNT
• AVKSERV
• AVKSERVICE
• AVKWCTL
• AVP
• AVP32
• AVPCC
• AVAST
• AVSERVER
• AVSCHED32
• AVSYNMGR
• AVWUPD32
• AVWUPSRV
• AVXMONITOR
• AVXQUAR
• BDSWITCH
• BLACKD
• BLACKICE
• CAFIX
• BITDEFENDER
• CCEVTMGR
• CFP
• CFPCONFIG
• CCSETMGR
• CFIAUDIT
• CLAMTRAY
• CLAMWIN
• CUREIT
• DEFWATCH
• DRVIRUS
• DRWADINS
• DRWEB
• DEFENDERDAEMON
• DWEBLLIO
• DWEBIO
• ESCANH95
• ESCANHNT
• EWIDOCTRL
• EZANTIVIRUSREGISTRATIONCHECK
• F-AGNT95
• FAMEH32
• FILEMON
• FIREWALL
• FORTICLIENT
• FORTITRAY
• FORTISCAN
• FPAVSERVER
• FPROTTRAY
• FPWIN
• FRESHCLAM
• EKRN
• FSAV32
• FSAVGUI
• FSBWSYS
• F-SCHED
• FSDFWD
• FSGK32
• FSGK32ST
• FSGUIEXE
• FSMA32
• FSMB32
• FSPEX
• FSSM32
• F-STOPW
• GCASDTSERV
• GCASSERV
• GIANTANTISPYWARE
• GUARDGUI
• GUARDNT
• GUARDXSERVICE
• GUARDXKICKOFF
• HREGMON
• HRRES
• HSOCKPE
• HUPDATE
• IAMAPP
• IAMSERV
• ICLOAD95
• ICLOADNT
• ICMON
• ICSSUPPNT
• ICSUPP95
• ICSUPPNT
• IPTRAY
• INETUPD
• INOCIT
• INORPC
• INORT
• INOTASK
• INOUPTNG
• IOMON98
• ISAFE
• ISATRAY
• KAV
• KAVMM
• KAVPF
• KAVPFW
• KAVSTART
• KAVSVC
• KAVSVCUI
• KMAILMON
• MAMUTU
• MCAGENT
• MCMNHDLR
• MCREGWIZ
• MCUPDATE
• MCVSSHLD
• MINILOG
• MYAGTSVC
• MYAGTTRY
• NAVAPSVC
• NAVAPW32
• NAVLU32
• NAVW32
• NEOWATCHLOG
• NEOWATCHTRAY
• NISSERV
• NISUM
• NMAIN
• NOD32
• NORMIST
• NOTSTART
• NPAVTRAY
• NPFMNTOR
• NPFMSG
• NPROTECT
• NSCHED32
• NSMDTR
• NSSSERV
• NSSTRAY
• NTRTSCAN
• NTOS
• NTXCONFIG
• NUPGRADE
• NVCOD
• NVCTE
• NVCUT
• NWSERVICE
• OFCPFWSVC
• OUTPOST
• ONLINENT
• OPSSVC
• OP_MON
• PAVFIRES
• PAVFNSVR
• PAVKRE
• PAVPROT
• PAVPROXY
• PAVPRSRV
• PAVSRV51
• PAVSS
• PCCGUIDE
• PCCIOMON
• PCCNTMON
• PCCPFW
• PCCTLCOM
• PCTAV
• PERSFW
• PERTSK
• PERVAC
• PESTPATROL
• PNMSRV
• PREVSRV
• PREVX
• PSIMSVC
• QUHLPSVC
• QHONLINE
• QHONSVC
• QHWSCSVC
• QHSET
• RFWMAIN
• RTVSCAN
• RTVSCN95
• SALITY
• SAPISSVC
• SCANWSCS
• SAVADMINSERVICE
• SAVMAIN
• SAVPROGRESS
• SAVSCAN
• SCANNINGPROCESS
• SDRA64
• SDHELP
• SHSTAT
• SITECLI
• SPBBCSVC
• SPHINX
• SPIDERCPL
• SPIDERML
• SPIDERNT
• SPIDERUI
• SPYBOTSD
• SPYXX
• SS3EDIT
• STOPSIGNAV
• SWAGENT
• SWDOCTOR
• SWNETSUP
• SYMLCSVC
• SYMPROXYSVC
• SYMSPORT
• SYMWSC
• SYNMGR
• TAUMON
• TBMON
• TMLISTEN
• TMNTSRV
• TMPROXY
• TNBUTIL
• TRJSCAN
• VBA32ECM
• VBA32IFS
• VBA32LDR
• VBA32PP3
• VBSNTW
• VCRMON
• VPTRAY
• VRFWSVC
• VRMONNT
• VRMONSVC
• VRRW32
• VSECOMR
• VSHWIN32
• VSMON
• VSSERV
• VSSTAT
• WATCHDOG
• WEBSCANX
• WINSSNOTIFY
• WRCTRL
• XCOMMSVR
• ZLCLIENT
• ZONEALARM

Dropping Routine

• %User Temp%\.exe ← Deleted afterwards
• %User Temp%\.exe ← Deleted afterwards
• %User Temp%\.exe ← Deleted afterwards

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Download Routine

• http://...154/testo5/
• http://ustnet777.info/home.gif/
• http://ustnet888.info/home.gif/
• http://ustnet987.info/home.gif/

Other Details

This Virus modifies the following registry entries to hide Hidden files:

It adds and runs the following services:

• It deletes all files with .exe file extensions in %User Temp% folder

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)