Threat Encyclopedia

Win32/Sality.NAU

Aliases: Virus.Win32.Sality.aa (Kaspersky), W32.Sality.AE (Symantec), Virus:Win32/Sality.AM (Microsoft)
Type of infiltration: Virus
Size: Variable
Affected platforms: Microsoft Windows
Signature database version: 3499 (20081007)

Short description

Win32/Sality.NAU is a polymorphic file infector.

Installation

When executed, the virus drops the following file into the folder %system%\drivers:
  • %variable%.sys (5669 B)
%variable% stands for a random string.

It installs the following system driver (path, name):
  • %system%\drivers\%variable%.sys, abp470n5
The following Registry entry is set:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%filename%" = "%filename%:*:Enabled:ipsec"
This entry creates an exception for %filename% in the Windows Firewall.

The following Registry entries are set:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden" = 2
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr" = 1
    "DisableRegistryTools" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "AntiVirusOverride" = 1
    "AntiVirusDisableNotify" = 1
    "FirewallDisableNotify" = 1
    "FirewallOverride" = 1
    "UpdatesDisableNotify" = 1
    "UacDisableNotify" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = 1
    "AntiVirusDisableNotify" = 1
    "FirewallDisableNotify" = 1
    "FirewallOverride" = 1
    "UpdatesDisableNotify" = 1
    "UacDisableNotify" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "GlobalUserOffline" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "EnableLUA" = 0
  • [HKEY_CURRENT_USER\Software\%username%914]
The following Registry entries are removed:
  • [HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
The virus creates and runs a new thread with its own program code in all running processes.
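The Registry changes listed above are all checkable from a registry export, which is how an analyst would confirm them on a suspect host or a forensic image without trusting the (possibly hooked) live system. The following is an added example, not ESET's code: it parses the `.reg` export format for `[key]` headers and `dword`/string values, then reports the Security Center overrides, the Task Manager and Registry Editor policies, `EnableLUA` = 0, `Hidden` = 2, any `:*:Enabled:ipsec`-tagged firewall exception, and a missing HKLM `SafeBoot` key. The export text is constructed for the demonstration; `C:\sample\dropper.exe` is a placeholder path.

```python
"""Check a Windows registry export (.reg text) for the Registry tampering
described for Win32/Sality.NAU. Added example, not ESET's code; the export
below is constructed for the demonstration."""
import re

SECURITY_CENTER_VALUES = ["AntiVirusOverride", "AntiVirusDisableNotify", "FirewallDisableNotify",
                          "FirewallOverride", "UpdatesDisableNotify", "UacDisableNotify"]

# (key path, value name, data the page reports after infection)
VALUE_INDICATORS = [(key, name, 1)
                    for key in (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center",
                                r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc")
                    for name in SECURITY_CENTER_VALUES] + [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", 0),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", 2),
]
# Present on every healthy system; the virus deletes it. Only meaningful when the
# export actually covers HKLM\SYSTEM\CurrentControlSet\Control. (The HKCU SafeBoot
# key the page lists does not normally exist, so its absence proves nothing.)
SAFEBOOT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
FIREWALL_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                 r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")


def parse_reg(text):
    """Parse the subset of .reg syntax needed here: [key] headers, "name"=dword:hex
    and "name"="string" values. Keys and value names are lower-cased so lookups are
    case-insensitive, as the registry itself is."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if not m:
                continue
            name, data = m.group(1).replace("\\\\", "\\"), m.group(2)
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")   # .reg escapes backslashes
            reg[current][name.lower()] = data
    return reg


def find_indicators(reg):
    """Return human-readable hits for every indicator present in the parsed export."""
    hits = []
    for key, name, expected in VALUE_INDICATORS:
        if reg.get(key.lower(), {}).get(name.lower()) == expected:
            hits.append(f"{key}\\{name} = {expected}")
    if SAFEBOOT_KEY.lower() not in reg:
        hits.append(f"missing key: {SAFEBOOT_KEY}")
    for data in reg.get(FIREWALL_LIST.lower(), {}).values():
        if isinstance(data, str) and data.lower().endswith(":*:enabled:ipsec"):
            hits.append(f"firewall exception: {data}")
    return hits


# Constructed export: a partially tampered machine, SafeBoot key absent.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\sample\\dropper.exe"="C:\\sample\\dropper.exe:*:Enabled:ipsec"
'''


def scan_sample():
    return find_indicators(parse_reg(SAMPLE_REG))


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit)
```

On a live Windows host the same `find_indicators` function can be fed a dictionary built with `winreg` instead of a parsed export; the indicator table does not change.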

Executable file infection

Win32/Sality.NAU is a polymorphic file infector.

The virus searches local and network drives for files with one of the following extensions:
  • .exe
  • .scr
Files are infected by adding a new section that contains the virus.

The host file is modified in a way that causes the virus to be executed prior to running the original code.

The virus infects files referenced by the following Registry entries:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
If a folder name matches one of the following strings, files inside it are not infected:
  • SYSTEM
  • WINDOWS
  • SYSTEM32
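An appended section that receives control before the original code leaves a structural trace in the PE header: the entry point moves into the last section, and that section is typically both writable and executable. The following is an added example, not ESET's code, showing a triage heuristic on exactly those properties. It parses the COFF header, optional header and section table with `struct`, and builds two minimal PE32 images in memory (a clean layout and one with an appended section holding the entry point); the images, section names and RVAs are constructed for the demonstration and are not real binaries. Hits from this kind of check are leads for a full scan, not verdicts, since packers and some linkers produce similar layouts.

```python
"""Heuristic check for the appended-section infection described above: flag
PE files whose entry point lies in the last section or whose last section is
both writable and executable. Added example, not ESET's code; the two images
are built in memory for the demonstration and are not real binaries."""
import struct
from collections import namedtuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
Section = namedtuple("Section", "name virtual_size virtual_address raw_size raw_offset characteristics")


def parse_pe(data):
    """Return (AddressOfEntryPoint, [Section, ...]) from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    entry = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]  # AddressOfEntryPoint
    table = pe_off + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, rsize, roff, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, vaddr, rsize, roff, chars))
    return entry, sections


def infector_heuristics(data):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    entry, sections = parse_pe(data)
    if not sections:
        return ["no sections"]
    last, findings = sections[-1], []
    holder = next((s for s in sections
                   if s.virtual_address <= entry < s.virtual_address + max(s.virtual_size, s.raw_size)),
                  None)
    if holder is None:
        findings.append("entry point outside every section")
    elif holder is last and len(sections) > 1:
        findings.append(f"entry point in last section {last.name!r}")
    if last.characteristics & IMAGE_SCN_MEM_EXECUTE and last.characteristics & IMAGE_SCN_MEM_WRITE:
        findings.append(f"last section {last.name!r} is writable and executable")
    if last.raw_offset + last.raw_size > len(data):
        findings.append("last section extends past end of file")
    return findings


def build_pe(section_specs, entry_point):
    """Assemble a minimal PE32 image from (name, rva, size, characteristics) specs (test data only)."""
    opt_size = 96                                        # PE32 optional header without data directories
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)
    table, body, raw_off = b"", b"", 0x200
    for name, rva, size, chars in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), size, rva, size, raw_off, 0, 0, 0, 0, chars)
        body += b"\0" * size
        raw_off += size
    header = (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(0x200, b"\0")
    return header + body


CODE = 0x60000020   # code | execute | read
DATA = 0xC0000040   # initialized data | read | write


def clean_sample():
    return build_pe([(b".text", 0x1000, 0x200, CODE), (b".data", 0x2000, 0x200, DATA)], 0x1010)


def infected_sample():
    """Same layout plus an appended writable+executable section that now holds the entry point."""
    return build_pe([(b".text", 0x1000, 0x200, CODE), (b".data", 0x2000, 0x200, DATA),
                     (b".vir", 0x3000, 0x400, CODE | IMAGE_SCN_MEM_WRITE)], 0x3020)


if __name__ == "__main__":
    print("clean   :", infector_heuristics(clean_sample()))
    print("infected:", infector_heuristics(infected_sample()))
```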

Spreading on removable media

The virus copies itself into the root folders of removable drives using the following filename:
  • %variable%
A string with variable content is used instead of %variable%.

The filename has one of the following extensions:
  • .exe
  • .pif
  • .cmd
The following file is dropped in the same folder:
  • autorun.inf
Thus, the virus ensures it is started each time infected media is inserted into the computer.
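When a removable volume is triaged, the pairing that matters is an `autorun.inf` in the root whose launch keys point at an executable that is also sitting in the root. The following is an added example, not ESET's code: it extracts every launch target from an `[autorun]` section (`open=`, `shellexecute=` and `shell\<verb>\command=` keys) and reports those that exist in the root with one of the extensions listed above. It parses line by line so that non-`key=value` padding between entries is skipped instead of aborting the parse. The directory listing, the `autorun.inf` text and the file name `kfdsa.pif` are constructed for the demonstration.

```python
"""Triage of a removable volume's root for the autorun.inf + executable
pairing described above. Added example, not ESET's code; the listing and the
autorun.inf text are constructed for the demonstration."""

LAUNCH_KEYS = ("open", "shellexecute")
SUSPECT_EXT = (".exe", ".pif", ".cmd")      # extensions listed on the page


def autorun_targets(text):
    """Return every program an [autorun] section would launch (open=, shellexecute=,
    shell\\<verb>\\command=). Lines that are not key=value pairs are skipped, so
    padding between entries does not abort the parse as a strict INI parser would."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            parts = value.strip().split()
            if parts:
                targets.append(parts[0].strip('"'))   # first token is the program, the rest are arguments
    return targets


def triage_volume_root(listing, autorun_text):
    """listing: names found in the volume root. Reports launch targets that exist
    there with a suspect extension; each target is reported once."""
    names = {n.lower(): n for n in listing}
    findings, seen = [], set()
    for target in autorun_targets(autorun_text):
        base = target.replace("/", "\\").split("\\")[-1].lower()
        if base in names and base.endswith(SUSPECT_EXT) and base not in seen:
            seen.add(base)
            findings.append(f"autorun.inf launches {names[base]}")
    return findings


# Constructed root listing and autorun.inf; "kfdsa.pif" stands in for the random file name.
SAMPLE_ROOT = ["autorun.inf", "kfdsa.pif", "report.docx"]
SAMPLE_AUTORUN = (
    "[autorun]\n"
    "garbage padding line\n"
    "open=kfdsa.pif\n"
    "shell\\open\\Command=kfdsa.pif\n"
    "shell\\explore\\command=kfdsa.pif\n"
    "shellexecute=kfdsa.pif\n"
)

if __name__ == "__main__":
    for finding in triage_volume_root(SAMPLE_ROOT, SAMPLE_AUTORUN):
        print(finding)
```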

Other information

The virus executes the following command:
  • netsh firewall set opmode disable
The following files are deleted:
  • *.VBD
  • *.AVC
The virus terminates processes with any of the following strings in the name:
  • _AVPM.
  • A2GUARD.
  • AAVSHIELD.
  • ADVCHK.
  • AHNSD.
  • AIRDEFENSE
  • ALERTSVC
  • ALOGSERV
  • ALSVC.
  • AMON.
  • ANTI-TROJAN.
  • ANTIVIR
  • APVXDWIN.
  • ARMOR2NET.
  • ASHAVAST.
  • ASHDISP.
  • ASHENHCD.
  • ASHMAISV.
  • ASHPOPWZ.
  • ASHSERV.
  • ASHSIMPL.
  • ASHSKPCK.
  • ASHWEBSV.
  • ASWUPDSV.
  • ATCON.
  • ATUPDATER.
  • ATWATCH.
  • AVAST
  • AVCENTER.
  • AVCIMAN.
  • AVCONSOL.
  • AVENGINE.
  • AVESVC.
  • AVGAMSVR.
  • AVGCC.
  • AVGCC32.
  • AVGCTRL.
  • AVGEMC.
  • AVGFWSRV.
  • AVGNT
  • AVGNT.
  • AVGNTDD
  • AVGNTMGR
  • AVGSERV.
  • AVGUARD.
  • AVGUPSVC.
  • AVINITNT.
  • AVKSERV.
  • AVKSERVICE.
  • AVKWCTL.
  • AVP.
  • AVP32.
  • AVPCC.
  • AVPM.
  • AVSERVER.
  • AVSCHED32.
  • AVSYNMGR.
  • AVWUPD32.
  • AVWUPSRV.
  • AVXMONITOR9X.
  • AVXMONITORNT.
  • AVXQUAR.
  • AVZ.
  • BDMCON.
  • BDNEWS.
  • BDSUBMIT.
  • BDSWITCH.
  • BLACKD.
  • BLACKICE.
  • CAFIX.
  • CCAPP.
  • CCEVTMGR.
  • CCPROXY.
  • CCSETMGR.
  • CFIAUDIT.
  • CLAMTRAY.
  • CLAMWIN.
  • CLAW95.
  • CUREIT
  • DEFWATCH.
  • DRVIRUS.
  • DRWADINS.
  • DRWEB32W.
  • DRWEBSCD.
  • DRWEBUPW.
  • DWEBIO
  • DWEBLLIO
  • EKRN.
  • ESCANH95.
  • ESCANHNT.
  • EWIDOCTRL.
  • EZANTIVIRUSREGISTRATIONCHECK.
  • F-AGNT95.
  • FAMEH32.
  • FILEMON
  • FIRESVC.
  • FIRETRAY.
  • FIREWALL.
  • FPAVUPDM.
  • F-PROT95.
  • FRESHCLAM.
  • FSAV32.
  • FSAVGUI.
  • FSBWSYS.
  • FSDFWD.
  • FSGK32.
  • FSGK32ST.
  • FSGUIEXE.
  • F-SCHED.
  • FSMA32.
  • FSMB32.
  • FSPEX.
  • FSSM32.
  • F-STOPW.
  • GCASDTSERV.
  • GCASSERV.
  • GIANTANTISPYWAREMAIN.
  • GIANTANTISPYWAREUPDATER.
  • GUARDGUI.
  • GUARDNT.
  • HREGMON.
  • HRRES.
  • HSOCKPE.
  • HUPDATE.
  • IAMAPP.
  • IAMSERV.
  • ICLOAD95.
  • ICLOADNT.
  • ICMON.
  • ICSSUPPNT.
  • ICSUPP95.
  • ICSUPPNT.
  • IFACE.
  • INETUPD.
  • INOCIT.
  • INORPC.
  • INORT.
  • INOTASK.
  • INOUPTNG.
  • IOMON98.
  • ISAFE.
  • ISATRAY.
  • ISRV95.
  • ISSVC.
  • KAV.
  • KAVMM.
  • KAVPF.
  • KAVPFW.
  • KAVSTART.
  • KAVSVC.
  • KAVSVCUI.
  • KMAILMON.
  • KPFWSVC.
  • MCAGENT.
  • MCMNHDLR.
  • MCREGWIZ.
  • MCUPDATE.
  • MCVSSHLD.
  • MINILOG.
  • MYAGTSVC.
  • MYAGTTRY.
  • NAVAPSVC.
  • NAVAPW32.
  • NAVLU32.
  • NAVW32.
  • NEOWATCHLOG.
  • NEOWATCHTRAY.
  • NISSERV
  • NISUM.
  • NMAIN.
  • NOD32
  • NORMIST.
  • NOTSTART.
  • NPAVTRAY.
  • NPFMNTOR.
  • NPFMSG.
  • NPROTECT.
  • NSCHED32.
  • NSMDTR.
  • NSSSERV.
  • NSSTRAY.
  • NTOS.
  • NTRTSCAN.
  • NTXCONFIG.
  • NUPGRADE.
  • NVCOD.
  • NVCTE.
  • NVCUT.
  • NWSERVICE.
  • OFCPFWSVC.
  • OP_MON.
  • OUTPOST
  • PAVFIRES.
  • PAVFNSVR.
  • PAVKRE.
  • PAVPROT.
  • PAVPROXY.
  • PAVPRSRV.
  • PAVSRV51.
  • PAVSS.
  • PCCGUIDE.
  • PCCIOMON.
  • PCCNTMON.
  • PCCPFW.
  • PCCTLCOM.
  • PCTAV.
  • PERSFW.
  • PERTSK.
  • PERVAC.
  • PNMSRV.
  • POP3TRAP.
  • POPROXY.
  • PREVSRV.
  • PSIMSVC.
  • QHM32.
  • QHONLINE.
  • QHONSVC.
  • QHPF.
  • QHWSCSVC.
  • RAVMON.
  • RAVTIMER.
  • RFWMAIN.
  • RTVSCAN.
  • RTVSCN95.
  • RULAUNCH.
  • SAVADMINSERVICE.
  • SAVMAIN.
  • SAVPROGRESS.
  • SAVSCAN.
  • SCANNINGPROCESS.
  • SDHELP.
  • SHSTAT.
  • SITECLI.
  • SPBBCSVC.
  • SPHINX.
  • SPIDERCPL.
  • SPIDERML.
  • SPIDERNT.
  • SPIDERUI.
  • SPYBOTSD.
  • SPYXX.
  • SS3EDIT.
  • STOPSIGNAV.
  • SWAGENT.
  • SWDOCTOR.
  • SWNETSUP.
  • SYMLCSVC.
  • SYMPROXYSVC.
  • SYMSPORT.
  • SYMWSC.
  • SYNMGR.
  • TAUMON.
  • TBMON.
  • TFAK.
  • THAV.
  • THSM.
  • TMAS.
  • TMLISTEN.
  • TMNTSRV.
  • TMPFW.
  • TMPROXY.
  • TNBUTIL.
  • TRJSCAN.
  • UP2DATE.
  • VBA32ECM.
  • VBA32IFS.
  • VBA32LDR.
  • VBA32PP3.
  • VBSNTW.
  • VCRMON.
  • VETTRAY.
  • VCHK.
  • VIRUSKEEPER.
  • VPTRAY.
  • VRFWSVC.
  • VRMONNT.
  • VRMONSVC.
  • VRRW32.
  • VSECOMR.
  • VSHWIN32.
  • VSMON.
  • VSSERV.
  • VSSTAT.
  • WATCHDOG.
  • WEBPROXY.
  • WEBSCANX.
  • WEBTRAP.
  • WGFE95.
  • WINAW32.
  • WINROUTE.
  • WINSS.
  • WINSSNOTIFY.
  • WRCTRL.
  • XCOMMSVR.
  • ZAUINST
  • ZLCLIENT
  • ZONEALARM
The following services are disabled:
  • acssrv
  • Agnitum Client Security Service
  • ALG
  • Amon monitor
  • aswFsBlk
  • aswMon2
  • aswRdr
  • aswSP
  • aswTdi
  • aswUpdSv
  • AV Engine
  • avast! Antivirus
  • avast! Asynchronous Virus Monitor
  • avast! iAVS4 Control Service
  • avast! Mail Scanner
  • avast! Self Protection
  • avast! Web Scanner
  • AVG E-mail Scanner
  • Avira AntiVir Premium Guard
  • Avira AntiVir Premium MailGuard
  • Avira AntiVir Premium WebGuard
  • AVP
  • avp1
  • BackWeb Plug-in - 4476822
  • bdss
  • BGLiveSvc
  • BlackICE
  • CAISafe
  • ccEvtMgr
  • ccProxy
  • ccSetMgr
  • Eset HTTP Server
  • Eset Personal Firewall
  • Eset Service
  • F-Prot Antivirus Update Monitor
  • fsbwsys
  • FSDFWD
  • F-Secure Gatekeeper Handler Starter
  • FSMA
  • Google Online Services
  • InoRPC
  • InoRT
  • InoTask
  • ISSVC
  • KLIF
  • KPF4
  • LavasoftFirewall
  • LIVESRV
  • McAfeeFramework
  • McShield
  • McTaskManager
  • navapsvc
  • NOD32krn
  • NPFMntor
  • NSCService
  • Outpost Firewall main module
  • OutpostFirewall
  • PAVFIRES
  • PAVFNSVR
  • PavProt
  • PavPrSrv
  • PAVSRV
  • PcCtlCom
  • PersonalFirewal
  • PREVSRV
  • ProtoPort Firewall service
  • PSIMSVC
  • RapApp
  • SavRoam
  • SmcService
  • SNDSrvc
  • SPBBCSvc
  • SpIDer FS Monitor for Windows NT
  • SpIDer Guard File System Monitor
  • SPIDERNT
  • Symantec AntiVirus
  • Symantec AntiVirus Definition Watcher
  • Symantec Core LC
  • Symantec Password Validation
  • tcpsr
  • Tmntsrv
  • TmPfw
  • tmproxy
  • UmxAgent
  • UmxCfg
  • UmxLU
  • UmxPol
  • vsmon
  • VSSERV
  • WebrootDesktopFirewallDataService
  • WebrootFirewall
  • XCOMM
The virus blocks access to any domains that contain any of the following strings in their name:
  • agnmitum.
  • bitdefender.
  • cureit
  • drweb.
  • eset.com
  • etrust.com
  • ewido.
  • f-secure.
  • kaspersky
  • mcafee.
  • onlinescan.
  • pandasoftware.
  • sality-remov
  • sophos.
  • spywareguide.
  • spywareinfo.
  • symantec.
  • trendmicro.
  • upload_virus
  • virusinfo.
  • virusscan.
  • virustotal.
  • windowsecurity.
The virus modifies the following file:
  • SYSTEM.INI
The virus writes the following entries to the file:
  • [MCIDRV_VER]
    DEVICEMB=%number%
The %number% stands for a random number.
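Two of the items in this section leave host-side evidence that is cheap to check during incident response: the `[MCIDRV_VER]` / `DEVICEMB` entry written to SYSTEM.INI, and the `netsh firewall set opmode disable` command line, which shows up in process-creation logging wherever that is enabled. The following is an added example, not ESET's code, that implements both checks. The SYSTEM.INI contents and the log lines are constructed for the demonstration, and the `key=value` log layout is an assumption rather than any particular product's format; the regular expression also accepts the equivalent `mode=disable` spelling that `netsh` allows.

```python
"""Host-side checks for the SYSTEM.INI marker and the firewall-disabling netsh
command described above. Added example, not ESET's code; SYSTEM.INI contents
and log lines are constructed, and the log layout is assumed."""
import re


def has_mcidrv_marker(system_ini_text):
    """True when SYSTEM.INI contains a [MCIDRV_VER] section with a DEVICEMB value."""
    section = None
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().upper()
        elif section == "MCIDRV_VER" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().upper() == "DEVICEMB" and value.strip():
                return True
    return False


# Matches the page's "netsh firewall set opmode disable"; the optional "mode="
# covers the long form of the same command that netsh also accepts.
NETSH_FIREWALL_OFF = re.compile(
    r"\bnetsh(?:\.exe)?\s+firewall\s+set\s+opmode\s+(?:mode\s*=\s*)?disable\b", re.IGNORECASE)


def firewall_disable_events(log_lines):
    """Return the process-creation log lines whose command line turns the firewall off with netsh."""
    return [line for line in log_lines if NETSH_FIREWALL_OFF.search(line)]


def triage(system_ini_text, log_lines):
    return {"mcidrv_marker": has_mcidrv_marker(system_ini_text),
            "firewall_disabled": firewall_disable_events(log_lines)}


# Constructed inputs: one SYSTEM.INI carrying the marker, one without, and an
# assumed key=value process-creation log with a single matching command line.
SAMPLE_SYSTEM_INI = "[drivers]\nwave=mmdrv.dll\n\n[MCIDRV_VER]\nDEVICEMB=8314\n"
CLEAN_SYSTEM_INI = "[drivers]\nwave=mmdrv.dll\n"
SAMPLE_LOG = [
    'time=2008-10-07T12:00:01 pid=1204 image=C:\\WINDOWS\\system32\\netsh.exe cmdline="netsh firewall set opmode disable"',
    'time=2008-10-07T12:00:02 pid=1210 image=C:\\WINDOWS\\explorer.exe cmdline="explorer.exe"',
    'time=2008-10-07T12:00:03 pid=1222 image=C:\\WINDOWS\\system32\\netsh.exe cmdline="netsh firewall show state"',
]

if __name__ == "__main__":
    print(triage(SAMPLE_SYSTEM_INI, SAMPLE_LOG))
```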

The virus receives data and commands from a remote computer or the Internet.

The virus contains a list of 4 URLs and communicates with them over HTTP.

It can execute the following operations:
  • download files from a remote computer and/or Internet
  • run executable files