Virus.Win32.Sality_2f48f4b450

by malwarelabrobot on July 6th, 2013 in Malware Descriptions.

Trojan.Win32.Pasta.kri (Kaspersky), Virus.Win32.Sality.at (v) (VIPRE), Trojan.Win32.Pasta!IK (Emsisoft), Virus.Win32.Sality.FD, GenericInjector.YR, VirusSality.YR, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun


The description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 2f48f4b4501eb16fbcc87894909e5d6a
SHA1: 822e1bd6bf25ce2600bfc970848e7c7ffe3afbfd
SHA256: bd98f81d8f1796ef7f1cda87637a253e1241d58dd4fb77246b9783477cceb8a1
SSDeep: 3072:YQL/bCrWIPe5HL7ubYaYwwaIb D9Xd3xoQkpMGO1:YQL/bCrTfb9maIyDTBEO1
Size: 327680 bytes
File type: PE32
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1998-11-25 05:37:04


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Virus. A program that recursively replicates a possibly evolved copy of itself.
WormAutorun. A worm spreads via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Virus creates the following process(es): none were recorded in the sandbox run.

The Virus injects its code into the following process(es):

2f48f4b4501eb16fbcc87894909e5d6a.exe:1288
cssrs.exe:1236
cssrs.exe:1516

File activity

The process 2f48f4b4501eb16fbcc87894909e5d6a.exe:1288 makes changes to the file system.
The Virus creates and/or writes to the following file(s). The size in parentheses is the amount of data the sandbox recorded being written, not the size of the resulting file (the sample itself is 327680 bytes, yet its copies below are listed at 1425 bytes). Reader_sl.exe and jusched.exe are existing application executables that were written to rather than dropped; this is the file-infecting behaviour behind the "Virus" classification:

D:\cmip.pif (103 bytes)
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winxbvfw.exe (741 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00131291_Rar\2f48f4b4501eb16fbcc87894909e5d6a.exe (1425 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (432 bytes)
C:\ahijqh.pif (103 bytes)
D:\autorun.inf (227 bytes)
%Documents and Settings%\%current user%\Application Data\cssrs.exe (1425 bytes)
C:\autorun.inf (243 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\001312B0_Rar\2f48f4b4501eb16fbcc87894909e5d6a.exe (1425 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\cssrs.exe (2850 bytes)

The Virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\winxbvfw.exe (0 bytes)

Registry activity

The process 2f48f4b4501eb16fbcc87894909e5d6a.exe:1288 makes changes to the system registry.
The Virus creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_0" = "3432392762"

[HKCU\Software\Aas\695404737]
"35845605" = "333"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.114116.info"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas\695404737]
"50183847" = "081561B140D8CF55A618C00E6BD65347188FB1D69E8864C36E480707C3BF5011A3D6ACCFC28870809D79D9AB8A7C52D73D4A7F050A0E26C24251469DAC860F2EE747F1D3D9F117A01C2F9E3C6646611EF66D6F6C9A5188CAB31AE01CAD2EEFE022322DA20C065C26D93F3E9BE72CD42A7A246B0289E81F69DD712306BBBBF7E9"

[HKCU\Software\Aas]
"a3_0" = "17001001"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Internet Explorer\AboutURLs]
"blank" = "http://www.114116.info"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.114116.info"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden]
"CheckedValue" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKCU\Software\Aas\695404737]
"7169121" = "57"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKCU\Software\Aas\695404737]
"21507363" = "0"

[HKCU\Software\Aas\695404737]
"28676484" = "35"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C A7 B0 2B AC 76 48 B7 65 78 97 26 4E 9E DC 3E"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKCU\Software\Aas\695404737]
"14338242" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"blank" = "http://www.114116.info"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.114116.info"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden]
"CheckedValue" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.114116.info"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

[HKCU\Software\Microsoft\Internet Explorer\AboutURLs]
"Tabs" = "http://www.114116.info"

[HKCU\Software\Aas]
"a2_0" = "5517"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
"CheckedValue" = "1"

[HKCU\Software\Aas]
"a4_0" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs" = "http://www.114116.info"

To automatically run itself each time Windows is booted, the Virus adds the following reference to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TINTIMG" = "%Documents and Settings%\%current user%\Application Data\cssrs.exe"

Adds a rule to the Windows Firewall that allows the file any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"2f48f4b4501eb16fbcc87894909e5d6a.exe" = "c:\2f48f4b4501eb16fbcc87894909e5d6a.exe:*:Enabled:ipsec"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

The Windows Firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

The process cssrs.exe:1236 makes changes to the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB D9 63 C3 49 85 31 DB DE 94 FC 17 79 A3 3F 46"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

The process cssrs.exe:1516 makes changes to the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 3E 47 44 5E 66 0C FD DD 12 E9 87 2B E5 E8 84"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
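
The registry writes listed above fall into two groups: settings that weaken the host (UAC, Windows Firewall, Security Center monitoring and alerts, Explorer's hidden-file and extension display) plus persistence and firewall allow-list entries, and ordinary side effects of Windows API calls (the Cryptography\RNG "Seed" and the Explorer "Shell Folders" paths) that carry no information about intent. The following Python script is an added example, not part of the Lavasoft report or its analysis system: it parses text in the same [key] / "name" = "data" layout used above and flags only the first group. The embedded SAMPLE_REPORT is a constructed excerpt of the values listed in this section plus two of the benign ones; the list of known-bad values (BAD_VALUES) reflects the defaults of an untouched Windows XP / 7 host and is the author's, not the report's.

```python
"""Audit registry writes from a sandbox report for security-degrading changes.

Input is plain text in the layout used by the report above:
    [HKLM\\Some\\Key]
    "ValueName" = "data"
"""
import re
from typing import Iterator, List, NamedTuple, Tuple


class Finding(NamedTuple):
    key: str
    name: str
    data: str
    meaning: str


# (lower-case fragment of the key path, value name, data that signals tampering, meaning).
# An untouched Windows XP / 7 host holds the opposite of the listed data for each entry.
BAD_VALUES: List[Tuple[str, str, str, str]] = [
    (r"\policies\system", "EnableLUA", "0", "UAC disabled"),
    (r"firewallpolicy\standardprofile", "EnableFirewall", "0", "Windows Firewall disabled"),
    (r"firewallpolicy\standardprofile", "DoNotAllowExceptions", "0", "firewall exceptions permitted"),
    (r"firewallpolicy\standardprofile", "DisableNotifications", "1", "firewall prompts suppressed"),
    (r"\security center", "AntiVirusOverride", "1", "Security Center ignores antivirus state"),
    (r"\security center", "FirewallOverride", "1", "Security Center ignores firewall state"),
    (r"\security center", "AntiVirusDisableNotify", "1", "antivirus alerts suppressed"),
    (r"\security center", "FirewallDisableNotify", "1", "firewall alerts suppressed"),
    (r"\security center", "UpdatesDisableNotify", "1", "Windows Update alerts suppressed"),
    (r"\security center", "UacDisableNotify", "1", "UAC alerts suppressed"),
    (r"explorer\advanced", "Hidden", "2", "hidden files not shown in Explorer"),
    (r"explorer\advanced", "ShowSuperHidden", "0", "protected system files not shown in Explorer"),
    (r"explorer\advanced", "HideFileExt", "1", "extensions hidden, so cssrs.exe displays as 'cssrs'"),
    (r"\folder\hidden\showall", "CheckedValue", "0", "'Show hidden files' option no longer takes effect"),
]

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')


def parse_report(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value name, data) triples; lines outside that layout are skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def audit(text: str) -> List[Finding]:
    """Return every write that weakens the host or establishes persistence."""
    findings: List[Finding] = []
    for key, name, data in parse_report(text):
        k = key.lower()
        for fragment, bad_name, bad_data, meaning in BAD_VALUES:
            if fragment in k and name.lower() == bad_name.lower() and data == bad_data:
                findings.append(Finding(key, name, data, meaning))
        # Any entry under these keys is worth a look regardless of its data.
        if r"\currentversion\run" in k:
            findings.append(Finding(key, name, data, "autostart entry"))
        elif r"\authorizedapplications\list" in k:
            findings.append(Finding(key, name, data, "program added to the firewall allow-list"))
    return findings


# Constructed excerpt in the report's layout: six values from the section above plus two benign ones.
SAMPLE_REPORT = r'''
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C A7 B0 2B AC 76 48 B7 65 78 97 26 4E 9E DC 3E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TINTIMG" = "%Documents and Settings%\%current user%\Application Data\cssrs.exe"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"2f48f4b4501eb16fbcc87894909e5d6a.exe" = "c:\2f48f4b4501eb16fbcc87894909e5d6a.exe:*:Enabled:ipsec"
'''

if __name__ == "__main__":
    for f in audit(SAMPLE_REPORT):
        print(f"{f.meaning:50} {f.key}\\{f.name} = {f.data}")
```

Running the script on the constructed excerpt yields six findings and stays silent on the RNG seed and the Shell Folders path. The same audit() function can be pointed at a full report, or at the output of a "reg export" of the relevant hives after the "=" separators are normalised to this layout, to confirm that the values were reverted after cleanup.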

Network activity (URLs)

No activity has been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm spreads via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. In this run the dropped copies are C:\ahijqh.pif and D:\cmip.pif, each alongside an autorun.inf in the drive root. Note that on Windows 7 and later, and on Windows XP/Vista with Microsoft's February 2011 AutoRun update (KB971029) applied, AutoRun is ignored for USB and other non-optical removable media, so the autorun.inf does not launch anything by itself; the .pif copies remain infectious if a user opens them.
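
The autorun.inf mechanism described above, as an added example that is not part of the Lavasoft report: a small Python triage routine that parses an autorun.inf found in a drive root, lists the files it would cause Explorer or AutoPlay to run, and states why it is flagged, so that step 5 of the manual removal (deleting the worm's copies together with the autorun.inf) can be driven from the file's own contents. The embedded SAMPLE_AUTORUN is constructed for illustration; the report records only the size of the real autorun.inf, not its contents, and the file name cmip.pif is borrowed from the file activity list above. The parser deliberately skips lines that are not name=value directives, since autorun.inf droppers commonly pad the file with junk that would make a strict INI parser fail.

```python
"""Triage an autorun.inf: which files would it launch, and why is it suspicious?"""
import ntpath
import re
from typing import Dict, List

# Directives that AutoPlay / Explorer treat as "run this" (case-insensitive in Windows).
LAUNCH_DIRECTIVES = ("open", "shellexecute")
# shell\<verb>\command hijacks the context-menu verbs (Open, Explore, ...) of the drive.
VERB_COMMAND_RE = re.compile(r"^shell\\[^\\=]+\\command$", re.IGNORECASE)
EXEC_EXTS = {".exe", ".pif", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
DIRECTIVE_RE = re.compile(r"^\s*([^;=\[][^=]*?)\s*=\s*(.*?)\s*$")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the directives of the [autorun] section, lower-cased names, junk lines ignored."""
    directives: Dict[str, str] = {}
    in_autorun = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_autorun = stripped[1:-1].lower() == "autorun"
            continue
        if not in_autorun or stripped.startswith(";"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            directives[m.group(1).lower()] = m.group(2)
    return directives


def program_of(command: str) -> str:
    """First token of a command line, honouring a quoted program path."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def launched_files(directives: Dict[str, str]) -> List[str]:
    """Programs the .inf would execute, as written (relative to the drive root)."""
    return [
        program_of(value)
        for name, value in directives.items()
        if (name in LAUNCH_DIRECTIVES or VERB_COMMAND_RE.match(name)) and program_of(value)
    ]


def triage(text: str) -> Dict[str, object]:
    """Verdict plus the concrete files to delete from the drive root."""
    directives = parse_autorun(text)
    targets = launched_files(directives)
    suspicious = sorted({t for t in targets if ntpath.splitext(t)[1].lower() in EXEC_EXTS})
    reasons: List[str] = []
    if suspicious:
        reasons.append("launches executable(s) from the drive: " + ", ".join(suspicious))
    if "shell" in directives:
        reasons.append(f"overrides the default verb so double-clicking the drive runs '{directives['shell']}'")
    if any(VERB_COMMAND_RE.match(name) for name in directives):
        reasons.append("hijacks context-menu verbs (shell\\<verb>\\command)")
    return {"malicious": bool(reasons), "files_to_remove": suspicious, "reasons": reasons}


# Constructed sample, NOT the contents of the D:\autorun.inf recorded above.
SAMPLE_AUTORUN = (
    "[autorun]\n"
    ";\x7f\x1e junk padding \x03\n"
    "\x01\x02 more junk without a directive\n"
    "open=cmip.pif\n"
    "shell\\open\\command=cmip.pif\n"
    "shell\\explore\\command=\"cmip.pif\" /s\n"
    "shellexecute=cmip.pif\n"
    "shell=open\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
)

if __name__ == "__main__":
    verdict = triage(SAMPLE_AUTORUN)
    print("malicious:", verdict["malicious"])
    for reason in verdict["reasons"]:
        print(" -", reason)
    print("delete from drive root:", verdict["files_to_remove"])
```

A legitimate autorun.inf that only sets "label" and "icon" (as installer CDs do) is not flagged: none of its directives cause execution. The triage only reads the .inf; on a live drive, also check for hidden attributes on the listed files, since the Explorer settings changed in the registry section above would otherwise keep them out of sight.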


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate the original Virus's process (How to End a Process With the Task Manager).
  2. Delete the original Virus file.
  3. Delete or disinfect the following files created/modified by the Virus. Reader_sl.exe and jusched.exe are legitimate application files that the Virus has written to, and %WinDir%\system.ini is a Windows configuration file: disinfect these or restore them from a clean copy rather than deleting them.

    D:\cmip.pif (103 bytes)
    %WinDir%\system.ini (72 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\winxbvfw.exe (741 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00131291_Rar\2f48f4b4501eb16fbcc87894909e5d6a.exe (1425 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (432 bytes)
    C:\ahijqh.pif (103 bytes)
    D:\autorun.inf (227 bytes)
    %Documents and Settings%\%current user%\Application Data\cssrs.exe (1425 bytes)
    C:\autorun.inf (243 bytes)
    %Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\001312B0_Rar\2f48f4b4501eb16fbcc87894909e5d6a.exe (1425 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\cssrs.exe (2850 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TINTIMG" = "%Documents and Settings%\%current user%\Application Data\cssrs.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.