July 28, 2007

SALITY - Virus

One day I was asked to disinfect a virus-infected computer. I checked certain places on that infected system and guessed that it might be the Brontok worm, because it didn't have "Folder Options" under the Tools menu, the registry editor was disabled, and a few more signs. But I was shocked when I found only the Sality virus there. I tried my level best and saved its data. But I advised them to format and reinstall Windows XP due to the slow processing speed and a few more problems that I faced. As far as I know, the Sality virus acts as a keylogger, so I thought it might be a modified Sality virus there.

Sality: It infects Windows operating systems. When executed, it performs the following actions. It may drop a .dll file in C:\Windows\System32 or C:\Windows\Temp; the following are some examples of the filenames:

    • SYSLIB32.DLL
    • OLEDSP32.DLL
    • SYSDLL.DLL
    • OLEMDB32.DLL
  1. Creates the mutex named "KUKU300a" so that only one instance of the threat runs on the compromised computer.
  2. May infect executable files registered under the following registry keys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Any files infected with this virus will be detected as W32.HLLP.Sality!inf.
  3. Checks the current time and may activate its payload if minutes are equal to hours and if the date is May 1st or the 10th to 12th of any month.
  4. May then activate the payload, and display a message box with the following characteristics:

    Title: Win32.HLLP.Kuku v[VERSION_NUMBER]
    Body:
    <<<<>>>>
    'Copy[REMOVED]tor'
  5. May add its configuration data to the file C:\Windows\System.ini by appending some of the following lines to this file:

    [TFTempCache]
    id=[RANDOM_NUMBER]
    RtlMoveMeory=[RANDOM_NUMBER]
    PING=[NUMBER]
    TIME=[TIME]
  6. May test connectivity by attempting to contact the following host:

    www.microsoft.com
  7. Uses keylogging capabilities to gather the following information from the compromised computer:
    • IP address, host name, and user names
    • Sensitive computer information, such as size of memory, local disks, the Windows version, and product key
    • RAS dialup accounts
    • Net Share passwords
    • Startup programs
    • WebMoney files
  8. Temporarily stores any information it gathers in the following encrypted file:

    %System%\TFTempCache
  9. May send this information to several email addresses located in Russia using the following SMTP server over TCP port 25:

    msx.mail.ru

    This email has the following characteristics:
    From: CyberMazafaka@mailru.com
    To: sector2007@list.ru, bespontovik@list.ru
    Subject: Administrator
    Attachment:
    • readme.tjc
    • TFTempCache.tjc
  10. Contains references to the following IRC server:

    rinet.msk.wenet.ru

    Note: At the time of writing, code to utilize this server is not implemented.
  11. Allows a remote attacker to perform various unauthorized actions on the compromised computer.
  12. May infect executable files by prepending its code to the host file. However, not all the variants of this virus are able to spread in this way. Any infected files will be detected as W32.HLLP.Sality!inf.
  13. May delete files with the following extensions while searching for files to infect:
    • .vdb
    • .avc
    • .key
  14. May also delete files whose names begin with the following strings:
    • KAV
    • NOD
    • ANTI
    • SCAN
    • ZONE
    • ANDA
    • TROJ
    • TREN
    • ALER
    • CLEAN
    • OUTP
    • GUAR
    • AVP
    • TOTAL
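The host-side indicators above (the dropped DLL names, the [TFTempCache] section in System.ini, the %System%\TFTempCache store and the date/time trigger) can be checked offline from a file listing and a copy of System.ini. The script below is an added example, not code from the original post or from any vendor write-up: the indicator values are the ones stated above, while the function names, the parsing logic, the reading of the trigger rule as "minutes equal hours AND the date matches", and the sample inputs are this example's own assumptions, and the sample data is constructed.

```python
"""Offline triage for the Sality host indicators listed above.

Added example, not code from the original post. The indicator values
(file names, drop directories, the [TFTempCache] section, the trigger
dates) are the ones stated above; the parsing logic, function names and
the sample data below are this example's own, and the sample data is
constructed. Inputs are plain Python values so that it runs anywhere;
on a real Windows XP host you would pass in the text of
C:\\Windows\\System.ini and a listing of %System% and C:\\Windows\\Temp.
"""
from datetime import datetime
import ntpath

DROPPED_DLL_NAMES = {"syslib32.dll", "oledsp32.dll", "sysdll.dll", "olemdb32.dll"}
DROP_DIRECTORIES = {r"c:\windows\system32", r"c:\windows\temp"}
SYSTEM_DIR = r"c:\windows\system32"      # %System% on a default XP install (assumption)
CACHE_FILE_NAME = "tftempcache"          # %System%\TFTempCache, the encrypted store
INI_SECTION = "tftempcache"              # [TFTempCache] block in System.ini


def parse_tftempcache_section(ini_text):
    """Return the key=value pairs under [TFTempCache], or None if the section is absent.

    A small hand-written reader is used instead of configparser because
    System.ini on old builds has lines (bare words, duplicate keys) that
    configparser rejects, and a triage tool must not crash on them.
    """
    found, in_section, values = False, False, {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == INI_SECTION
            found = found or in_section
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values if found else None


def suspicious_files(paths):
    """Return paths that match a dropped DLL name in a drop directory, or the cache file in %System%."""
    hits = []
    for path in paths:
        directory, name = (s.lower() for s in ntpath.split(path))
        if directory in DROP_DIRECTORIES and name in DROPPED_DLL_NAMES:
            hits.append(path)
        elif directory == SYSTEM_DIR and name == CACHE_FILE_NAME:
            hits.append(path)
    return hits


def in_trigger_window(month, day, hour, minute):
    """Evaluate the stated trigger: minutes equal hours, on 1 May or the 10th-12th of any month.

    The write-up joins the two conditions with 'and'; this reads it that way.
    """
    date_matches = (month == 5 and day == 1) or 10 <= day <= 12
    return minute == hour and date_matches


def triage(ini_text, paths, when):
    """Combine the checks into a list of human-readable findings."""
    findings = []
    section = parse_tftempcache_section(ini_text)
    if section is not None:
        findings.append("System.ini has a [TFTempCache] section with keys: " + ", ".join(sorted(section)))
    for path in suspicious_files(paths):
        findings.append("suspicious file: " + path)
    if in_trigger_window(when.month, when.day, when.hour, when.minute):
        findings.append("clock is inside the message-box trigger window")
    return findings


# Constructed sample inputs (not captured from a real infection).
SAMPLE_INI = """[boot]
shell=explorer.exe
[drivers]
wave=mmdrv.dll
[TFTempCache]
id=1783420
RtlMoveMeory=8264
PING=4
TIME=20070501
"""
SAMPLE_LISTING = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\OLEDSP32.DLL",
    r"C:\Windows\Temp\SYSDLL.DLL",
    r"C:\Windows\System32\TFTempCache",
    r"C:\Documents and Settings\alice\My Documents\syslib32.dll",  # right name, wrong place
]


def run_sample():
    """Run the triage over the constructed inputs at a time inside the trigger window."""
    return triage(SAMPLE_INI, SAMPLE_LISTING, datetime(2007, 5, 1, 9, 9))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

A file named syslib32.dll outside the two drop directories is deliberately not flagged, since the write-up ties the names to those locations; the [TFTempCache] section is reported even when it carries no keys, because the section header alone is not something a clean System.ini contains.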

Countermeasures:

  • Patch your operating system with the latest updates on a regular basis.
  • Turn off and remove unneeded services on your server/systems.
  • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • Use an up-to-date antivirus product with current signatures.
  • Always keep in touch with your employees and make them aware of newly arrived viruses/worms or malicious activities on a regular basis.
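Two of the points above translate directly into mail-gateway rules: the attachment-extension policy in the countermeasures, and, for the exfiltration email described in item 9, an outbound match on its stated characteristics (sender, list.ru recipients, subject "Administrator", .tjc attachments). The script below is an added example and is not code from the original post or from any mail product; the header and attachment values are the ones stated above, while the function names, the trailing-dot normalization, the "two or more characteristics" threshold, and the sample messages are this example's own assumptions, and the samples are constructed.

```python
"""Mail-gateway checks for the two rules above (added example, not from the post).

Check 1 applies the inbound attachment policy (.vbs/.bat/.exe/.pif/.scr).
Check 2 flags outbound mail that matches the exfiltration message in item 9.
Header values come from the write-up; the threshold and samples are assumptions.
"""
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {"vbs", "bat", "exe", "pif", "scr"}
EXFIL_SENDER = "cybermazafaka@mailru.com"
EXFIL_RECIPIENT_DOMAIN = "list.ru"
EXFIL_SUBJECT = "administrator"
EXFIL_ATTACHMENT_EXT = "tjc"


def normalize_filename(name):
    # Windows silently drops trailing dots and spaces when saving, so an
    # attachment named "readme.exe. " lands on disk as readme.exe; compare
    # after applying the same normalization so that trick does not bypass the list.
    return name.strip().rstrip(". ").lower()


def extension_of(name):
    """Final extension after normalization ('' when there is none)."""
    norm = normalize_filename(name)
    return norm.rsplit(".", 1)[1] if "." in norm else ""


def attachment_names(msg):
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def blocked_attachments(msg):
    """Inbound policy: attachment names whose final extension is on the block list."""
    return [n for n in attachment_names(msg) if extension_of(n) in BLOCKED_EXTENSIONS]


def looks_like_sality_exfil(msg):
    """Outbound rule: true when two or more of the stated characteristics match.

    The threshold is this example's choice: a single matching field (a subject
    of "Administrator" on its own, say) is too common to act on by itself.
    """
    sender = str(msg.get("From") or "").strip().lower()
    recipients = [a.strip().lower() for a in str(msg.get("To") or "").split(",")]
    subject = str(msg.get("Subject") or "").strip().lower()
    score = 0
    score += sender == EXFIL_SENDER
    score += any(r.endswith("@" + EXFIL_RECIPIENT_DOMAIN) for r in recipients)
    score += subject == EXFIL_SUBJECT
    score += any(extension_of(n) == EXFIL_ATTACHMENT_EXT for n in attachment_names(msg))
    return score >= 2


def build_sample(sender, to, subject, filenames):
    """Build a constructed multipart message with opaque byte attachments."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content("constructed sample body")
    for name in filenames:
        msg.add_attachment(b"\x00constructed", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    inbound = build_sample("someone@example.com", "user@example.com", "invoice",
                           ["invoice.txt.exe", "notes.txt"])
    outbound = build_sample("CyberMazafaka@mailru.com", "sector2007@list.ru, bespontovik@list.ru",
                            "Administrator", ["readme.tjc", "TFTempCache.tjc"])
    print("inbound blocked:", blocked_attachments(inbound))
    print("outbound exfil match:", looks_like_sality_exfil(outbound))
```

Note that the extension block list alone would never stop the outbound exfiltration mail, since its attachments end in .tjc; that is why the second rule keys on the message characteristics rather than on the attachment policy.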
