Sality gets upgrade

Sality is a family of polymorphic memory resident Win32 parasitic viruses with driver component. First discovered many years ago, the virus is still found in the wild, although antiviruses detect known variants and prevent infection, the real problem is new emerging upgraded variants.

The parasitic viruses are especially harmful because unlike Trojans, they infect many user’s files, so all these files must be cured. The cure is not always possible because the viruses sometimes infect incorrectly causing file corruption, which is the case also with Sality. Then the only option is to reinstall infected programs. This affects the computer that becomes inoperable for long time.

Additionally, Sality is a memory resident virus. This means that viral code runs not only in infected file ,but also in threads injected into many processes. It is not enough to kill infected the process, but need also to stop injected threads.This should be done fast and repeatedly because the virus re-infects the memory and
a process that was just cured could become re-infected again. The memory cure can be performed using memory cleaning utility. Another option is to boot from clean media or from network to avoid virus from running in memory, and then to cure files, obviously this requires stopping infected computer operation.

Recently new variant was found. This variant is detected by the older detection of Win32/Sality.AA using generic routine that was upgraded for the new variant.

This variant uses  upgraded version of polymorphic engine called “Simple Poly Engine v1.2a (c) sector” ; previous variants used version v1.1a.To understand the difference, consider the structure of the virus. The virus ,depending on variant, either creates additional section at end of file ,or expands the last section, and puts its encrypted body to end of file. This variant always expands existing last section. Then a code at entry point is overwritten with polymorphic loader that transfers the control to the virus. The loader is intended to be very obfuscated to avoid detection. What’s new in this variant is that a Call or Jump near (E8 or E9) commands can be used to jump to virus body, in addition to methods used in previous variants. In older variants less common and more virus specific command sequences were used. Additionally,the virus uses meaningless import function calls always with argument 0, for example:

mov eax,0

push eax

call CloseHandle

In the recent variant assignment 0 to register used is done with more obfuscated ways.

The subsequent work of the worm is not essentially different from other variants, only names used and some details differ.

The worm infects memory and then begins to infect files slowly, not more than 20 files at once.

Replicates in the network by dropping infected files to the root of all drives, including hard drive C:, a specially crafted file displaying content of the drive root folder, and infected with the virus. Also Autorun.inf referring this file is created to make the system run it every time.

The virus creates mutex named ‘purity_control_4428’ and ‘kukutrusted!’ to verify whether it is running.

URLs used by the virus (some digits removed):

http://89.???.???.???/testo5

http://kukutrustnet???.info/home.gif

http://www.klkjwre?????eluoi.info

Creates driver named amsint32.sys that monitors network and  prevents antivirus updates.

The virus looks for number of antivirus and monitoring programs, including Total Defense AV and tries to kill them.