
Sality, a parasitic virus gets an upgrade – TotalDefense Blog


A new variant of Sality, a memory-resident parasitic virus, has surfaced; it uses an upgraded version of the polymorphic engine "Simple Poly Engine v1.2a (c) sector". Visit http://blogs.totaldefense.com/securityblog.aspx for cloud-based endpoint security solutions for home and business.


Copyright © 2013 TotalDefense, Inc. | All rights reserved www.totaldefense.com Page 1

Sality gets upgrade

Sality is a family of polymorphic, memory-resident Win32 parasitic viruses with a driver component. First discovered many years ago, the virus is still found in the wild. Although antiviruses detect the known variants and prevent infection, the real problem is newly emerging, upgraded variants.

Parasitic viruses are especially harmful because, unlike Trojans, they infect many of the user's files, so all of these files must be cured. A cure is not always possible, because such viruses sometimes infect files incorrectly and corrupt them, which is also the case with Sality. Then the only option is to reinstall the infected programs, which leaves the computer inoperable for a long time.

Additionally, Sality is a memory-resident virus. This means that viral code runs not only in the infected file but also in threads injected into many processes. It is not enough to kill the infected process; the injected threads must be stopped as well. This should be done fast and repeatedly, because the virus re-infects memory, and a process that was just cured can become re-infected again. The memory cure can be performed with a memory-cleaning utility. Another option is to boot from clean media or from the network so that the virus never runs in memory, and then to cure the files; obviously this requires taking the infected computer out of operation.

Recently a new variant was found. This variant is detected by the older detection for Win32/Sality.AA, whose generic routine was upgraded for the new variant.


This variant uses an upgraded version of the polymorphic engine called "Simple Poly Engine v1.2a (c) sector"; previous variants used version v1.1a. To understand the difference, consider the structure of the virus.

Depending on the variant, the virus either creates an additional section at the end of the file or expands the last section, and puts its encrypted body at the end of the file. This variant always expands the existing last section. Then the code at the entry point is overwritten with a polymorphic loader that transfers control to the virus. The loader is intended to be heavily obfuscated to avoid detection. What is new in this variant is that near Call or Jump instructions (opcodes E8 or E9) can be used to jump to the virus body, in addition to the methods used in previous variants; older variants used less common and more virus-specific instruction sequences. Additionally, the virus uses meaningless import function calls, always with argument 0, for example:

    mov eax,0
    push eax
    call CloseHandle

In the recent variant the assignment of 0 to the register used is done in more obfuscated ways.
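A defender-side triage check for the file layout described above, as an added example (it is not TotalDefense's code): it parses the PE headers by hand, locates the section that contains the entry point, and flags the two layout traits the write-up names, an entry point that sits in the last section and a near call/jump (E8/E9) at the entry point whose target lands in the last section. The build_minimal_pe helper and the three fixtures are constructed for testing; they are not real samples, and a fired heuristic is a reason to look closer, not a verdict.

```python
import struct

# Added example (not TotalDefense code). Hand-rolled PE32 parsing so that it
# runs offline without third-party modules; the fixtures are constructed.
DOS_SIGNATURE = b"MZ"
NT_SIGNATURE = b"PE\0\0"
SECTION_HEADER_SIZE = 40
FILE_ALIGN = 0x200
FLAG_EP_LAST_SECTION = "entry point in last section"
FLAG_E8E9_TO_LAST_SECTION = "E8/E9 at entry point targets last section"


def build_minimal_pe(sections, entry_rva):
    """Construct a tiny PE32 file from [(name, virtual_address, raw_bytes)].

    Test fixture only: just enough of the headers for parse_pe() to walk.
    """
    nsec = len(sections)
    headers_len = 64 + 4 + 20 + 224 + SECTION_HEADER_SIZE * nsec
    size_of_headers = -(-headers_len // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(64)
    dos[0:2] = DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, nsec, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)               # SectionAlignment
    struct.pack_into("<I", opt, 36, FILE_ALIGN)           # FileAlignment
    struct.pack_into("<I", opt, 60, size_of_headers)      # SizeOfHeaders
    sec_hdrs, body, raw_ptr = b"", b"", size_of_headers
    for name, va, raw in sections:
        raw_size = -(-len(raw) // FILE_ALIGN) * FILE_ALIGN
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                len(raw), va, raw_size, raw_ptr, 0, 0, 0, 0,
                                0x60000020)               # CODE | EXECUTE | READ
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    header = bytes(dos) + NT_SIGNATURE + coff + bytes(opt) + sec_hdrs
    return header.ljust(size_of_headers, b"\0") + body


def parse_pe(data):
    """Return (entry_rva, [section dicts]) from a PE32/PE32+ image."""
    if data[:2] != DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * SECTION_HEADER_SIZE
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "span": max(vsize, rsize), "raw_ptr": rptr})
    return entry_rva, sections


def section_for_rva(rva, sections):
    for s in sections:
        if s["va"] <= rva < s["va"] + s["span"]:
            return s
    return None


def sality_style_flags(data):
    """Heuristic findings for an appended-body / entry-point-redirect layout.

    An empty list means neither heuristic fired, not that the file is clean.
    """
    entry_rva, sections = parse_pe(data)
    if not sections:
        return ["no sections"]
    last = sections[-1]
    ep_sec = section_for_rva(entry_rva, sections)
    if ep_sec is None:
        return ["entry point outside every section"]
    findings = []
    if ep_sec is last and len(sections) > 1:
        findings.append(f"{FLAG_EP_LAST_SECTION} {last['name']!r}")
    ep_off = ep_sec["raw_ptr"] + (entry_rva - ep_sec["va"])
    if data[ep_off:ep_off + 1] in (b"\xE8", b"\xE9") and len(data) >= ep_off + 5:
        rel32 = struct.unpack_from("<i", data, ep_off + 1)[0]
        target = (entry_rva + 5 + rel32) & 0xFFFFFFFF   # rel32 is relative to the next instruction
        if section_for_rva(target, sections) is last:
            findings.append(f"{FLAG_E8E9_TO_LAST_SECTION} (target RVA {target:#x})")
    return findings


# Constructed fixtures: a benign-looking layout and two shaped like the write-up.
CLEAN_PE = build_minimal_pe(
    [(".text", 0x1000, b"\x55\x8b\xec\xc3"), (".data", 0x2000, b"\0" * 16)], 0x1000)
SUSPECT_PE = build_minimal_pe(
    [(".text", 0x1000, b"\xE9" + struct.pack("<i", 0x2010 - (0x1000 + 5))),
     (".data", 0x2000, b"\0" * 0x20)], 0x1000)
EP_IN_LAST_PE = build_minimal_pe(
    [(".text", 0x1000, b"\x55\x8b\xec\xc3"), (".data", 0x2000, b"\0" * 16)], 0x2000)
```

Run sality_style_flags() over the bytes of a file under investigation; for files where the loader starts with something other than a plain E8/E9 (the older, virus-specific sequences the write-up mentions), only the last-section heuristic applies, so this check complements rather than replaces signature detection.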

The subsequent work of the worm is not essentially different from other variants; only the names used and some details differ.

The worm infects memory and then begins to infect files slowly, no more than 20 files at once. It replicates over the network by dropping infected files to the root of all drives, including hard drive C:: a specially crafted file that displays the contents of the drive's root folder, itself infected with the virus. An Autorun.inf referring to this file is also created so that the system runs it every time.

The virus creates mutexes named 'purity_control_4428' and 'kukutrusted!' to check whether it is already running.


URLs used by the virus (some digits removed):

http://89.???.???.???/testo5
http://kukutrustnet???.info/home.gif
http://www.klkjwre?????eluoi.info

The virus creates a driver named amsint32.sys that monitors the network and prevents antivirus updates.

The virus looks for a number of antivirus and monitoring programs, including Total Defense AV, and tries to kill them.
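A host-side triage routine that ties together the indicators from the last two pages (the Autorun.inf dropped at drive roots, the two mutex names, and the amsint32.sys driver), as an added example that is not TotalDefense's code. The mutex and driver names are the ones quoted above; the Autorun.inf parser covers the keys Windows honours for launching a program; the host snapshot and the dropped file name EXAMPLE_dropped.exe are constructed placeholders, and a real collector (a forensic image or a live-response script) would supply the snapshot instead.

```python
import ntpath

# Added example (not TotalDefense code). Mutex and driver names are quoted from
# the write-up; the host snapshot below is constructed.
SALITY_MUTEXES = {"purity_control_4428", "kukutrusted!"}
SALITY_DRIVER = "amsint32.sys"
AUTOSTART_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text):
    """Return (key, target) pairs from the [autorun] section that launch something.

    Covers open=, shellexecute= and shell\\<verb>\\command=, which are the keys
    that cause a program to run; icon=, label= and similar are ignored.
    """
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        k = key.lower()
        if k in AUTOSTART_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
            targets.append((key, _first_token(value)))
    return targets


def _first_token(command):
    """Executable part of a command line: a quoted path or the first word."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def triage(snapshot):
    """Match a host snapshot against the indicators named in the write-up.

    snapshot = {"mutexes": [...], "drivers": [paths],
                "drive_roots": {"C:": {name: content_or_None}}}
    where content is the file text for Autorun.inf and None for other entries.
    """
    findings = []
    for mutex in snapshot.get("mutexes", []):
        if mutex.split("\\")[-1] in SALITY_MUTEXES:      # drop Global\ or Local\ prefix
            findings.append(f"mutex {mutex!r} present")
    for drv in snapshot.get("drivers", []):
        if ntpath.basename(drv).lower() == SALITY_DRIVER:
            findings.append(f"driver {drv} loaded")
    for drive, files in snapshot.get("drive_roots", {}).items():
        names = {n.lower(): n for n in files}
        inf = files.get(names.get("autorun.inf"))
        if not inf:
            continue
        for key, target in parse_autorun_inf(inf):
            if ntpath.basename(target).lower() in names:  # launch target lives in the root
                findings.append(f"{drive} Autorun.inf {key}= launches root file {target}")
    return findings


# Constructed sample: the dropped file name is a placeholder, not a real Sality name.
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    ";constructed for this example\r\n"
    "open=EXAMPLE_dropped.exe\r\n"
    "icon=EXAMPLE_dropped.exe\r\n"
    "shell\\open\\command=\"EXAMPLE_dropped.exe\" /s\r\n"
)
SAMPLE_SNAPSHOT = {
    "mutexes": ["Global\\kukutrusted!", "DBWinMutex"],
    "drivers": [r"C:\Windows\System32\drivers\amsint32.sys",
                r"C:\Windows\System32\drivers\ntfs.sys"],
    "drive_roots": {
        "C:": {"Autorun.inf": SAMPLE_AUTORUN, "EXAMPLE_dropped.exe": None, "Windows": None},
        "D:": {"docs": None},
    },
}
```

The snapshot shape is deliberately tool-neutral so the same triage() can be fed from a memory image, a mounted disk, or live-response output; a match on the mutex alone is a strong sign that the memory cure described on page 1 is still needed, while an Autorun.inf launching a root-level executable is the network-spread artifact to clean on every drive.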

About TotalDefense:

Total Defense (@Total_Defense) is a global leader in malware detection and anti-crimeware solutions. We offer a broad portfolio of leading security products for the consumer market used by over four million consumers worldwide. Our solutions also include the industry's first complete cloud security platform, providing fully integrated endpoint, web and email security through a single Web-based management console with a single set of enforceable security policies.

Total Defense is a former business of CA Technologies, one of the largest software companies in the world, and has operations in New York, California, Europe, Israel and Asia.

Visit http://www.totaldefense.com/ for web, cloud & mobile security solutions for home users and businesses.