

VIRUS ALERTS

Virus PE_Sality/Beagle

Original issue date: December 14, 2006

It has been observed that variants of the PE_Sality virus, from the Sality family, are circulating widely. The Sality virus uses an infected copy of a Beagle variant to speed up its propagation by sending itself as an e-mail attachment. It has key-logging and backdoor capabilities.

Aliases: Win32.Sality.A [Computer Associates], Virus.Win32.Sality.{a-j} [Kaspersky Lab], W32.Sality.{a, b, d-l} [McAfee], W32/Sality-{A, B, E-H} [Sophos], PE_SALITY.{A, H-K} [Trend Micro]

PE_Sality is a polymorphic virus which infects Win32 PE executable files. It prepends a decryption routine and appends an encrypted copy of itself to the host file, which increases the size of the infected file.

The worm sends spoofed e-mails to addresses harvested from infected computers, with subject lines such as "RE: hello" and .pif attachments with random names such as user{random}.pif.

Upon execution of an infected executable file, the virus:

  • Drops one of the following DLL components in the system folder:

    • Syslib32.dll
    • Oledsp32.dll
    • Sysdll.dll
    • Olemdb32.dll

  • Creates the following mutexes so that only one instance of it runs on the compromised system.

    • KUKU300a
    • KUKU301a
    • _kuku_joker_v3.09_

  • Searches local drives for files with .exe and .scr extensions to infect.

  • Infects files with .EXE extensions that are referenced as data in the following registry keys:

    [HKCU\Software\Microsoft\Windows\CurrentVersion\run]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\run]

  • Appends the following configuration data to the SYSTEM.INI file:
    [MCIDRV_VER]
    DEVICE=[RANDOM_NUMBER]

  • Tries to delete files and processes related to some antivirus products.

  • Deletes files that it finds with any of the following extensions:

    • .avc
    • .key
    • .vdb

  • Deletes files with filenames that start with any of the following strings:

    • ALER
    • ANDA
    • ANTI
    • AVP
    • BIDEF
    • CLEAN
    • GUAR
    • KAV

  • Tries to connect to www.microsoft.com to check Internet connectivity.

  • Attempts to connect to several hard-coded domains.
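As an added defender-side example (not part of the CERT-In alert), the Python helpers below check two of the host indicators listed above: the [MCIDRV_VER] / DEVICE=<number> section appended to SYSTEM.INI and the dropped DLL names in the system folder. The SYSTEM.INI text and directory listing are constructed sample inputs; the checks are meant for triage of an offline copy of a suspect host, not as a substitute for an updated anti-virus engine.

```python
import re

# Indicators taken from the alert text above.
DROPPED_DLLS = {"syslib32.dll", "oledsp32.dll", "sysdll.dll", "olemdb32.dll"}
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEYVAL_RE = re.compile(r"^\s*([^=;]+?)\s*=\s*(.*?)\s*$")

def parse_ini(text):
    """Minimal INI parser -> {section: {key: value}}, names lower-cased."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # skip blank lines and ';' comments
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).lower()] = m.group(2)
    return sections

def sality_marker(system_ini_text):
    """Return the DEVICE value if the [MCIDRV_VER] section the alert
    describes is present with a numeric DEVICE entry, otherwise None."""
    section = parse_ini(system_ini_text).get("mcidrv_ver") or {}
    device = section.get("device", "")
    return device if device.isdigit() else None

def suspicious_dlls(system_dir_listing):
    """Names in a system-folder listing that match the dropped components."""
    return sorted(n for n in system_dir_listing if n.lower() in DROPPED_DLLS)

# Constructed sample input (not a real capture). Treat a hit as a strong
# hint that warrants a full scan, not as proof of infection on its own.
SAMPLE_INI = """; for 16-bit app support
[drivers]
wave=mmdrv.dll
[MCIDRV_VER]
DEVICE=29137183
"""
SAMPLE_LISTING = ["kernel32.dll", "Oledsp32.dll", "user32.dll"]

if __name__ == "__main__":
    print("marker:", sality_marker(SAMPLE_INI))              # 29137183
    print("dropped DLLs:", suspicious_dlls(SAMPLE_LISTING))  # ['Oledsp32.dll']
```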

Users are advised to implement the following countermeasures:

  • Keep anti-virus signatures updated.
  • Apply appropriate security updates at the OS level and application level.
  • Exercise caution while visiting untrusted websites and opening email attachments.

References:

http://www.symantec.com/security_response/writeup.jsp?docid=2006-011714-3948-99&tabid=1

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=52797

http://www.f-secure.com/v-descs/sality_q.shtml

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003