When I noticed that most of the visitors to my blog are searching for the remedies for infection by Sality Virus. I have already put a brief post on Sality virus at creatingcomputervirus.blogspot.com/2010/03/sality-virus-symptoms-and-removal.html. Now I think more information must be provided innorder to satisfy the visitors. Sality is also known as W32/Kookoo-A [Sophos]. Sality was discovered in 2003 June 4. It affects the Operating Systems - Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000.
It will infect executable files on local, removable and remote shared drives. The virus also creates a peer-to-peer (P2P) botnet and receives URLs of additional files to download. It then attempts to disable security software. When it infected my system, it disabled my antivirus software (BitDefender Free Edition), and antimalware software (MalwareBytes Free Edition). It also prevent the use of the anti rootkit software Rootkit Revealer.
Some forms of Sality virus is reported to steal the key strokes from the infected machines for malicious purposes.W32.Sality will infect executable files on local, removable and remote shared drives. It replaces the original host code at the entry point of the executable to redirect execution to the polymorphic viral code, which has been encrypted and inserted in the last section of the host file. In addition to infecting local and remotely shared executable files, W32.Sality will purposely search for specific registry subkeys to infect the executable files that run when Windows starts. Thus infected computer is like a country under the rule of the terrorists. All the security will be paralysed leading to complete crack down of the system. Sality will also prevent the installation of the antivirus in to the infected computer.
In 2003 when it was first discovered, W32.Sality was a less complicated file infector, prepending its viral code to a host file and having back door capability and keylogging functionality. As years passed, it became more sophisticated by including additional features that aid worm-like propagation, ensure its survival, and perform maliciously damaging activities. Among these activities is the decentralized peer-to-peer network (P2P) that W32.Sality-infected computers create and populate.
As an entry-point obscuring (EPO) polymorphic file infector, the virus gains control of the host body by overwriting the file with complex and encrypted code instructions. The goal of the complex code is to make analysis more difficult for researchers to see the real purpose and functionality implemented in the code.It spreads by infecting executable files on local, removable and remote shared drives. Infected files will have their original, initial instructions overwritten by complex code instructions with the encrypted viral code body located in the last section of the file.
Downloading and executing other malware or security risks is one of the primary goals of this virus. A compromised host carries with it a list of HTTP URLs that point to resources to be downloaded, decrypted, and executed. These URLs can also point to more URLs. The encryption used is RC4 with static keys embedded in the compromised host.
Technical Details:
In addition to infecting local and remotely shared executable files, W32.Sality will purposely search for the following registry subkeys to infect the executables associated with that subkey, including those executables that run when Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Files Created:
%System%\drivers\[RANDOM FILE NAME]
Registry Subkeys Created:
HKEY_CURRENT_USER\Software\[USER NAME]914
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER
Registry entries deleted
HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Registry entries modified (final values given)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[INFECTED FILE]" = "[INFECTED FILE]:*:Enabled:ipsec"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Setting\"GlobalUserOffline" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
Process Injected:
W32.Sality will not inject into processes that belong to the system, the local service or the network service. However, it does inject complex code instructions into other processes, allowing the code to load external DLLs that are downloaded from remote servers into target processes. This virus uses a named mutex based on the injected process ID (PID) for each injection so that it avoid repeatedly injecting code into the same processes.
Recommendations:
Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
Removal:
Since it is hard to install antivirus software in an infected system, it is better to remove it by scanning the infected computer from another computer with an antivirus software capable of detecting and removing Sality virus. Otherwise you may try manual removal which is not recommended.
very good...it is too helpful for me to know what a virus does
ReplyDeletenice blog thanks for sharing keep it:-
ReplyDeleteGet complete support for your computers, laptops, printers,network security, software errors etc by certified tech-experts of We24Support immediately at toll free no 1 888 399 9656; active throughout 24/7/365 via remote assistance.