Global sites
SolutionsProductsPurchaseDownloadPartnersSupportCompanyThreat Center
Threat CenterEset Online scannerESET SysInspectorThreatSense® ThreatSense.Net® Security TipsThreat LevelThreat Dictionary
Threat Encyclopaedia
Update infoVirus Radar on your Website
Antivirus Software NOD32 > Threat Center > Threat Encyclopaedia > S

Threat Encyclopaedia

Print this pageSend

Win32/Sality.NAR

Aliases:Virus.Win32.Sality.aa (Kaspersky), Virus:Win32/Sality.AM (Microsoft), W32/Sality.ah (McAfee) 
Type of infiltration:Virus 
Size:variable 
Affected platforms:Microsoft Windows 
Signature database version:3267 (20080714) 

Short description
Win32/Sality.NAR is a polymorphic file infector.
Installation
When executed the virus drops in folder %system%\drivers\ the following file:
  • %variable%.sys (5509 B)
%variable% stands for a random text.

The following files are dropped into the %temp% folder:
  • %variableA%.exe (7680 B)
  • %variableB%.exe (8192 B)
%variableA%, %variableB% stand for a random text. The files are then executed.


The virus registers itself as a system service using the following name:
  • IPFILTERDRIVER
The following Registry entries are created:
  • [HKEY_CURRENT_USER\Software\%username%914]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\
    AuthorizedApplications\List]
    "%filename%" = "%filename%:*:Enabled:ipsec"
The performed command creates an exception in the Windows Firewall program.

The following Registry entries are set:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Internet Settings]
    "GlobalUserOffline" = 0
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\policies\system]
    "EnableLUA" = 0
The following Registry entries are deleted:
  • [HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\
    Stats]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Ext\Stats]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Ext\Stats]
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Explorer\Browser Helper Objects]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Explorer\Browser Helper Objects]
  • [HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot]
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\
    SafeBoot]
Executable files infection
Win32/Sality.NAR is a polymorphic file infector. The virus searches local and network drives for files with one of the following extensions:
  • .exe
Files are infected by adding a new section that contains the virus . The host file is modified in a way that causes the virus to be executed prior to running the original code.

The virus infects files referenced by the following Registry entries:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run]
This causes the virus to be executed on every system start.
Spreading on removable media
The virus copies itself into the root folders of removable drives using a random filename. The filename has one of the following extensions:
  • .exe
  • .pif
  • .cmd
The following file is dropped in the same folder:
  • autorun.inf
Thus, the virus ensures it is started each time infected media is inserted into the computer.
Other information
The following files are deleted:
  • *.vdb
  • *.avc
  • *drw*.key
The following services are disabled:
  • Agnitum Client Security Service
  • ALG
  • aswUpdSv
  • avast! Antivirus
  • avast! Mail Scanner
more...
The virus terminates processes with any of the following strings in the name:
  • _AVPM.
  • A2GUARD.
  • AAVSHIELD.
  • AVAST
  • ADVCHK.
more...
The virus contains a list of URLs. It tries to download several files from the addresses.

These are stored in the following locations:
  • %temp%\win%variable%.exe
  • %temp%\%variable%.exe
%variable% stands for a random text. The files are then executed.

The virus creates and runs a new thread with its own program code within the following processes:
  • %system%\notepad.exe
  • %system%\winmine.exe

The virus modifies the following file:
  • SYSTEM.INI
The virus writes the following entries to the file:
  • [MCIDRV_VER]
  • DEVICEMB=%number%
The %number% stands for a random number.