Original Issue Date: December 06, 2012
Virus Type: Trojan/Backdoor
Severity: High
It has been observed that new variants of malware
- Relaying spam
- Exfiltrating sensitive information/data
- Installing a trojan backdoor
- Installing a keylogger
- Compromising web servers
- Coordinating distributed computing tasks (e.g. password cracking)
Aliases: W32/Sality, W32.HLLP.Sality, Win32.Sality, WinNT/Sality, Virus:Win32/Sality, Worm:Win32/Sality, TrojanDropper:Win32/Sality, Trojan:WinNT/Sality, Mal/Sality-PE_SALITY, Gen:Win32.Sality, Troj/SalLoad, W32/Kookoo-(Sophos), Virus:Win32/Sality.AT (Microsoft), W32/Sality.B.gen!Eldorado (Command), W32/Sality.AT (Avira), Win32/Sality.AA (CA), Win32.Sector.21 (Dr.Web), Win32/Sality.NBA (ESET), Trojan.Win32.Vilsel.vyy (Kaspersky), W32/Sality.gen.e (McAfee), W32/Sality.BD (Norman), W32/Spamta.QO.worm (Panda), Win32.KUKU.kj (Rising AV), Troj/SalLoad-A (Sophos), PE_SALITY.BA (Trend Micro)
Symptoms of possible infection:
The following system changes may indicate the presence of this malware:
- Sudden termination of certain security-related applications, processes or services
- Inability to run Windows Registry Editor
- User lockouts
- Traffic on port 445 on non-Directory Service servers
- No access to admin shares
- Autorun.inf files in recycled directory
- The presence of the following driver:
- Failure of certain security-related applications to run due to deletion of installed components, such as files with the following extensions:
Some variants of Sality use a dropped DLL, e.g.:
The DLL file contains the bulk of the virus code; the file with the extension ".dl_" is its compressed copy. Some variants of Sality drop a device driver such as the following:
%SystemRoot%\system32\drivers\amsint32.sys - Trojan:WinNT/Sality
It creates and starts a system service to run the dropped driver component, and later communicates with the driver to restore the System Service Dispatch Table (SSDT).
For details regarding propagation methods and payload, refer to the following document:
CERT-In Virus Alert - Virus: Win32/Sality
Downloads arbitrary files
Some Sality variants attempt to download files from remote servers, then decrypt and execute the downloaded files. Servers observed include the following:
(This should not be treated as a comprehensive list; replace "[d0t]" with ".")
- 1[d0t] yimg[d0t]com
Countermeasures:
- Disable the Autorun functionality in Windows: http://support.microsoft.com/kb/967715
- Keep up-to-date patches and fixes on the operating system and application software.
- Keep up-to-date Antivirus and Antispyware signatures at desktop and gateway level.
- Do not follow unsolicited web links or attachments in email messages.
- Exercise caution while visiting links to Web pages.
- Do not visit untrusted websites.
- Use strong passwords and also enable password policies.
- Enable firewall at desktop and gateway level.
- Protect yourself against social engineering attacks.
- Monitor systems making connections to the above-mentioned domains
- Monitor traffic for the above-mentioned domain names
- Monitor or Block traffic on port 445 on non-Directory Service servers
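The monitoring advice above (port 445 to non-Directory Service hosts, the download domain, the dropped driver path) as a small detection script. This is an added example, not part of the CERT-In alert; the "kind key=value" log format, the host addresses and the set of legitimate SMB servers are constructed assumptions, and only the driver path and the domain come from the alert text.

```python
import re

# Indicators named in the advisory: the dropped driver path and the download
# domain (de-obfuscated by replacing "[d0t]" with "." as the alert instructs).
SALITY_DRIVER_SUFFIX = r"\drivers\amsint32.sys"
SALITY_DOMAINS = {"1[d0t]yimg[d0t]com".replace("[d0t]", ".")}
SMB_PORT = "445"
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse one constructed 'kind key=value ...' log line into a dict."""
    kind, _, rest = line.strip().partition(" ")
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["kind"] = kind
    return fields

def matches_domain(name):
    """True for the listed domain or any host beneath it."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in SALITY_DOMAINS)

def detect(lines, ds_servers):
    """Return (host, reason) alerts. ds_servers are hosts that legitimately
    serve SMB; port-445 traffic to anything else is flagged, as the alert advises."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["kind"] == "conn" and ev.get("dport") == SMB_PORT:
            if ev.get("dst") not in ds_servers:
                alerts.append((ev.get("src"), f"SMB/445 to non-DS host {ev.get('dst')}"))
        elif ev["kind"] == "dns" and matches_domain(ev.get("query", "")):
            alerts.append((ev.get("src"), f"DNS query for Sality download domain {ev['query']}"))
        elif ev["kind"] == "file" and ev.get("path", "").lower().endswith(SALITY_DRIVER_SUFFIX):
            alerts.append((ev.get("host"), f"Sality driver present: {ev['path']}"))
    return alerts

# Constructed sample log lines (not from the advisory) exercising each rule.
SAMPLE_LOG = [
    "conn src=10.0.0.5 dst=10.0.0.10 dport=445",  # SMB to the domain controller: normal
    "conn src=10.0.0.5 dst=10.0.0.23 dport=445",  # SMB to a workstation: suspicious
    "conn src=10.0.0.5 dst=10.0.0.23 dport=80",
    "dns src=10.0.0.7 query=1.yimg.com",
    "dns src=10.0.0.7 query=example.com",
    r'file host=10.0.0.9 path="C:\Windows\system32\drivers\amsint32.sys"',
]

if __name__ == "__main__":
    for host, reason in detect(SAMPLE_LOG, ds_servers={"10.0.0.10"}):
        print(host, reason)
```

The domain match also covers hosts beneath the listed domain, which goes slightly beyond the single name in the alert.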