When the virus is executed, it copies itself as the following file:
%System%\drivers\[RANDOM NAME].sys
The virus creates the following mutex so only one instance of the virus is running:
Op1mutx9
It then creates the following registry subkeys:
* HKEY_CURRENT_USER\Software\[USER NAME]914
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER
It then creates the following registry entry so that it bypasses the Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[INFECTED FILE]" = "[INFECTED FILE]:*:Enabled:ipsec"
It modifies the following registry entries:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Setting\"GlobalUserOffline" = "0"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
The virus also deletes entries under the following registry subkeys:
* HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
It then registers itself as a new service with the following characteristics:
Service Name: WMI_MFC_TPSHOKER_80
Display Name: WMI_MFC_TPSHOKER_80
Startup Type: Automatic
It then deletes the following file:
%System%\drivers\[RANDOM NAME].sys
It infects all executable files listed under the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
It infects all .exe executable files listed under the following registry subkeys:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It also infects all .exe and .scr files on the C drive and on any writable network share, except files in any folder whose path contains the following strings:
* SYSTEM
* AHEAD
It adds the following entry to %Windir%\system.ini:
[MCIDRV_VER]
It then copies itself to attached removable drives using the following filenames:
%DriveLetter%:\[RANDOM NAME].exe
%DriveLetter%:\[RANDOM NAME].cmd
%DriveLetter%:\[RANDOM NAME].pif
The following file is created on attached removable drives so that the threat runs whenever the drive is connected to a computer:
%DriveLetter%:\autorun.inf
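The indicators above can be checked on a host with a short read-only triage script. The following is an added example written for this page, not part of the original writeup and not Symantec's removal tool; it assumes an elevated Windows PowerShell prompt, checks the CurrentControlSet alias alongside the ControlSet001 paths given above, looks in both the local and the Global\ mutex namespace, and uses the real key name "Internet Settings" where the writeup prints "Internet Setting". A Services\WMI_MFC_TPSHOKER_80 key is assumed from the service registration described above.

```powershell
# Added triage script: reports which of the W32.Sality.AE indicators listed in the
# writeup are present on this host. It only reads; nothing is deleted or changed.
function Test-SalityIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # Mutex Op1mutx9: OpenExisting throws when no process holds the mutex.
    # Both namespaces are tried (assumption; the writeup gives only the bare name).
    foreach ($name in @('Op1mutx9', 'Global\Op1mutx9')) {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($name)
            $m.Close()
            $findings.Add("Mutex $name is present")
        } catch { }   # not present, or not accessible: nothing to report
    }

    # Service registered by the threat.
    $svc = Get-Service -Name 'WMI_MFC_TPSHOKER_80' -ErrorAction SilentlyContinue
    if ($svc) { $findings.Add("Service WMI_MFC_TPSHOKER_80 present (status $($svc.Status))") }

    # Registry keys created by the threat. LEGACY_IPFILTERDRIVER also exists on
    # clean systems that have loaded the built-in IP filter driver, so it is
    # reported with a lower weight.
    $keys = @(
        'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80',
        'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80',
        'HKLM:\SYSTEM\CurrentControlSet\Services\WMI_MFC_TPSHOKER_80'   # assumed from the service registration
    )
    foreach ($k in $keys) { if (Test-Path $k) { $findings.Add("Registry key present: $k") } }
    if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER') {
        $findings.Add('LEGACY_IPFILTERDRIVER present (weak indicator, also seen on clean hosts)')
    }

    # Modified values: UAC switched off and the offline flag cleared.
    $lua = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                            -Name EnableLUA -ErrorAction SilentlyContinue
    if ($lua -and $lua.EnableLUA -eq 0) { $findings.Add('UAC disabled: EnableLUA = 0') }
    $guo = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
                            -Name GlobalUserOffline -ErrorAction SilentlyContinue
    if ($guo -and $guo.GlobalUserOffline -eq 0) { $findings.Add('GlobalUserOffline = 0 is set') }

    # Firewall exceptions whose data uses the "<path>:*:Enabled:ipsec" shape from the writeup.
    foreach ($cs in @('ControlSet001', 'CurrentControlSet')) {
        $fwList = "HKLM:\SYSTEM\$cs\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
        if (-not (Test-Path $fwList)) { continue }
        foreach ($p in (Get-ItemProperty -Path $fwList).PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match ':\*:Enabled:ipsec$') {
                $findings.Add("Firewall exception in Sality style: $($p.Name) = $($p.Value)")
            }
        }
    }

    # SafeBoot entries deleted: a healthy Minimal key has many subkeys.
    $safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
    if (-not (Test-Path $safeBoot) -or (Get-ChildItem $safeBoot).Count -eq 0) {
        $findings.Add('SafeBoot\Minimal is missing or has been emptied')
    }

    # [MCIDRV_VER] section added to system.ini.
    $sysIni = Join-Path $env:windir 'system.ini'
    if ((Test-Path $sysIni) -and (Select-String -Path $sysIni -Pattern '^\[MCIDRV_VER\]' -Quiet)) {
        $findings.Add("$sysIni contains a [MCIDRV_VER] section")
    }

    # autorun.inf on removable drives (DriveType 2 = removable).
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $autorun = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path $autorun) { $findings.Add("autorun.inf present on removable drive $($_.DeviceID)") }
    }

    return $findings
}

$result = Test-SalityIndicators
if ($result.Count -eq 0) { 'No W32.Sality.AE indicators found.' }
else { $result | ForEach-Object { "[!] $_" } }
```

The script reports indicators rather than acting on them: the SafeBoot and LEGACY_IPFILTERDRIVER checks can fire on unrelated systems, so a hit should be confirmed against the stronger indicators (the mutex, the service name, the [MCIDRV_VER] section) before any cleanup is started.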
The Symantec W32.Sality.AE Removal Tool removes Win32.Sality completely from the computer and repairs all the affected registry keys.
You can download the W32.Sality.AE Removal Tool from here.