Threat Encyclopedia

Short description
Win32/Sality.T is a polymorphic file infector.
Installation
When executed, the virus drops the following files in the %system% folder:
  • oledsp32.dl_ (18902 B)
  • oledsp32.dll (26624 B)
Executable files infection
The virus searches for executables with one of the following extensions:
  • .exe
  • .scr
Infection is attempted only if the executable is not located in a folder whose name contains one of the following strings:
  • AHEAD
Files are infected by adding a new section that contains the virus.

The inserted code is 20 KB in size. The host file is modified so that the virus code is executed before the original code runs.

The virus infects files referenced by the following Registry entries:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
This causes the virus to be executed on every system start.
Information stealing
Win32/Sality.T is a virus that steals sensitive information.

The following information is collected:
  • user name
  • computer name
  • malware version
The data is saved in the following file:
  • %system%\TFTempCache
The virus sends the information via e-mail. The virus uses the following SMTP server:
  • msx.mail.ru
The sender address is one of the following:
  • CyberMazafaka@mailru.com
The recipient address is one of the following:
  • sector2007@list.ru
  • bespontovij@list.ru
The name of the attached file is one of the following:
  • readme.tjc
  • TFTempCache.tjc
Other information
If the current system date and time matches certain conditions, the virus displays the following message:
  • WIN32.HLLP.KUKU v3.0b
  • <<<<< Hey, Lamer! Say "Bye-bye" to your data! >>>>>
    Copyright (c) by Sector
The following files are deleted:
  • *.vdb
  • *.avc
  • *drw*.key
The virus modifies the following file:
  • %windir%\system.ini
The virus writes the following entries to the file:
  • [TFTempCache]
  • RtlMoveMemory=%number%
  • MPR=%number%
%number% stands for a variable one-digit number.
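As an added example (not part of this write-up), the following Python checker looks for the host-side traces listed above: the [TFTempCache] section that the virus writes to system.ini, and the dropped and staging files in %system%. The file sizes and names come from this description; the sample inputs are constructed rather than taken from a live host.

```python
import re
# Indicators taken from the Win32/Sality.T description above.
DROPPED_FILES = {"oledsp32.dl_": 18902, "oledsp32.dll": 26624}  # name -> size in bytes
STAGING_FILE = "TFTempCache"                                      # stolen-data file in %system%
INI_SECTION = "TFTempCache"                                       # section added to system.ini
INI_KEYS = ("RtlMoveMemory", "MPR")                               # each set to a one-digit number

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_KEY_RE = re.compile(r"^\s*(?P<key>[^=;\s]+)\s*=\s*(?P<val>.*?)\s*$")

def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}, tolerant of odd lines."""
    sections, current = {}, None
    for line in text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections.setdefault(current, {})
            continue
        m = _KEY_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key")] = m.group("val")
    return sections

def check_system_ini(text):
    """Findings for the [TFTempCache] section the virus writes (section name matched case-insensitively)."""
    sections = {name.lower(): body for name, body in parse_ini(text).items()}
    sect = sections.get(INI_SECTION.lower())
    if sect is None:
        return []
    findings = [f"system.ini contains [{INI_SECTION}] section"]
    for key in INI_KEYS:
        if key in sect:
            shape = "single digit" if re.fullmatch(r"\d", sect[key]) else "unexpected value"
            findings.append(f"{key}={sect[key]} ({shape})")
    return findings

def check_system_dir(listing):
    """listing: {filename: size} for %system%; flags the dropped and staging files."""
    lower = {n.lower(): s for n, s in listing.items()}
    findings = [f"{STAGING_FILE} staging file present"] if STAGING_FILE.lower() in lower else []
    for name, expected in DROPPED_FILES.items():
        if name in lower:
            note = "size matches" if lower[name] == expected else f"size {lower[name]} differs from {expected}"
            findings.append(f"{name} present ({note})")
    return findings

# Constructed sample input (not captured from a real host).
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe\n[TFTempCache]\nRtlMoveMemory=3\nMPR=7\n"
SAMPLE_LISTING = {"oledsp32.dll": 26624, "TFTempCache": 512, "kernel32.dll": 989696}
```

On a real host the two inputs would be the contents of %windir%\system.ini and a name-to-size listing of %system%; a differing size for oledsp32.dll is reported rather than ignored because other variants may drop different builds.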