Win32.Sality removal tool

Win32.Sality also known as TROJ_AGENT.XOO [Trend], W32/Sality.ae [McAfee], Sality.AG [Panda Software], Win32/Sality.Z [Computer Associates], Win32/Sality.AA [Computer Associates], W32/Sality.AA [F-Secure].

When the virus is executed, it copies itself as the following file:
%System%\drivers\[RANDOM NAME].sys

The virus creates the following mutex so only one instance of the virus is running:
Op1mutx9

It then creates the following registry subkeys:

* HKEY_CURRENT_USER\Software\[USER NAME]914
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER


It then creates the following registry entry so that it bypasses the Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[INFECTED FILE]" = "[INFECTED FILE]:*:Enabled:ipsec"

It modifies the following registry entries:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Setting\"GlobalUserOffline" = "0"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"


The virus also deletes entries under the following registry subkeys:

* HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects


It then registers itself as a new service with the following characteristics:
Service Name: WMI_MFC_TPSHOKER_80
Display Name: WMI_MFC_TPSHOKER_80
Startup Type: Automatic

It then deletes the following file:
%System%\drivers\[RANDOM NAME].sys

It infects all executable files listed under the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

It infects all .exe executable files listed under the following registry subkeys:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


It also infects all .exe and .scr files on the C drive and on any writable network resource, except the files on any folder with the following strings:

* SYSTEM
* AHEAD

It adds the following entry to %Windir%\system.ini:
[MCIDRV_VER]

It then copies itself to attached removable drives using the following filenames:
%DriveLetter%:\[RANDOM NAME].exe
%DriveLetter%:\[RANDOM NAME].cmd
%DriveLetter%:\[RANDOM NAME].pif

The following file is created on attached removable drives so that the threat runs whenever the drive is connected to a computer:
%DriveLetter%:\autorun.inf

By using Symantec W32.Sality.AE Removal Tool, Win32.Sality completely removed from your computer & fix all registry key.


You can download W32.Sality.AE Removal Tool from here.
by aM on January 29, 2010

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)
My Life Diary Since 2008
aMScRipTs
All other trademarks/contents/video/images/logo/lyrics are the property of their respective owners