Sus/Sality-A

Category: Suspicious files and behaviors. Protection available since: 03 Oct 2008 12:20:30 (GMT)
Type: Suspicious file. Last updated: 01 Jun 2012 20:06:21 (GMT)


Summary

Files detected as Sus/Sality-A exhibit suspicious behavior.

Detailed analysis

Example behaviors of Sus/Sality-A follow:

Example 1

File Information

Size: 13M
SHA-1: 184b62208aa0160bbab7f80c3cff5852b42f5dc9
MD5: f7357cc5961f125c39b02427ff81f7ef
CRC-32: e0582e56
File type: application/x-ms-dos-executable
First seen: 2010-07-24

Other vendor detection

Avira: W32/Sality.AC
Kaspersky: Virus.Win32.Sality.af

Runtime Analysis

Dropped Files
  • C:\Documents and Settings\support\Local Settings\Temp\winoqrl.exe
Modified Files
  • C:\bin\autorunsc.exe
  • C:\bin\harness.exe
  • C:\bin\snapshot.exe
  • %WINDOWS%\system.ini
  • C:\bin\_PX.exe
  • C:\bin\cApiSpy.exe
  • C:\bin\configuresav\configuresav.exe
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    GlobalUserOffline
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\abp470n5\Security
    Security
    01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    c:\sample.exe
    c:\sample.exe:*:Enabled:ipsec
  • HKLM\SYSTEM\CurrentControlSet\Services\abp470n5\Enum
    INITSTARTFAILED
    0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Services\abp470n5
    ErrorControl
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    EnableLUA
    0x00000000
  • HKLM\SOFTWARE\Microsoft\Security Center\Svc
    AntiVirusOverride
    0x00000001
  • HKCU\Software\Aryltuv\-2105228631
    -1566392142
    0500687474703A2F2F6D696B656576656E74732E676F2E726F2F696D616765732F6C6F676F735F732E67696600687474703A2F2F6161726F6E646173747275702E636F6D2F696D616765732F6C6F676F735F732E67696600687474703A2F2F61616E6E6137342E65752E696E74657269612E706C2F6C6F676F735F732E67696600687474703A2F2F7777772E656E657267657469786A6577656C72792E636F6D2F6C6F676F735F732E67696600687474703A2F2F797563656C6361766461722E636F6D2F6C6F676F735F732E676966
  • HKLM\SOFTWARE\Microsoft\Security Center
    UacDisableNotify
    0x00000001
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden
    0x00000002
  • HKLM\SOFTWARE\Microsoft\Security Center
    AntiVirusOverride
    0x00000001
HTTP Requests
  • http://91.207.7.194/spm/s_tasks.php
  • http://aanna74.eu.interia.pl/logos_s.gif
  • http://aarondastrup.com/images/logos_s.gif
  • http://mikeevents.go.ro/images/logos_s.gif
  • http://www.energetixjewelry.com/logos_s.gif
  • http://yucelcavdar.com/logos_s.gif
IP Connections
  • 58.40.150.204:5517
  • 91.207.7.194:80
DNS Requests
  • aanna74.eu.interia.pl
  • aarondastrup.com
  • mikeevents.go.ro
  • www.energetixjewelry.com
  • yucelcavdar.com

Example 2

File Information

Size: 91K
SHA-1: 01572a83dc0eb03be41d56144933c61b482aa297
MD5: f366ce1fb0be65a6ce78deeae7d3ff13
CRC-32: f9418806
File type: application/x-ms-dos-executable
First seen: 2010-07-01

Other vendor detection

Kaspersky: Virus.Win32.Sality.aa

Example 3

File Information

Size: 324K
SHA-1: 49843a332dcf9179266c551c24e1fcdc8d4addd5
MD5: 8012f17258f44c756ceaeb2e5eb2b3ff
CRC-32: e60c32ad
File type: application/x-ms-dos-executable
First seen: 2010-07-01

Other vendor detection

Kaspersky: Virus.Win32.Sality.aa
