[pchelpers] News:7/21: Sality.ah Parasitic Virus Infects PE Executable Files

• From: John Durham <john.modec@xxxxxxxxxx>
• To: PC-Helpers <pchelpers@xxxxxxxxxxxxx>
• Date: Tue, 22 Jul 2008 07:50:57 +1200

July 21, 2008

W32/Sality.ah is a parasitic virus that infects Win32 PE executable
files.

Upon execution, it starts a service to listen on UDP Port 4564 and
create a copy of itself in the following path(s):

%Windir%\System32\Drivers\{random}.sys

It follows to create the following registry key(s):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3360pr 
HKEY_CURRENT_USER\Software\{%UserName%}914

It may also modify system configuration via the following registry
key(s):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\
Parameters\FirewallPolicy\StandardProfile\Authorized Applications\List 
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

(Where %UserName% is the Windows logged in user ID)

In an attempt to make recovery difficult for the victim, registry keys
in the following sub-tree are deleted and needs to be restored to the
original configuration if needed by the user:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\* 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*

It may parasitically infect *.exe and *scr files on the local, network
and removable drives except for files containing the following string(s)
in the filename:

  * WINDOWS 
  * SYSTEM 
  * SYSTEM32

Sourced from:
http://www.esecurityplanet.com/alerts/article.php/3760101
More details at:
http://vil.nai.com/vil/content/v_147094.htm
-- 
John Durham
Site http://modecideas.com
Server hosted on Ubuntu 4.10
Good advice is like good paint. It only works when applied.



-- 
-------list-services-below-----------
Regards, John Durham (list moderator) <http://modecideas.com/contact.html?sig>
Freelists login at http://www.freelists.org/cgi-bin/lsg2.cgi
List archives at http://www.freelists.org/archives/pchelpers
PC-HELPERS list subscribe/unsub at http://modecideas.com/discuss.htm?sig
Latest news live feeds at http://modecideas.com/indexhomenews.htm?sig
Good advice is like good paint- it only works if applied.

• » Related posts
• » Previous by Date
• » Next by Date
• » This Month's Archive
• » Main Archive Page

• » View list details
• » Manage your subscription