A new version of Sality at large

The latest malware threats from across the security forums


Spudz
Posts: 1856
Joined: Mon Jul 20, 2009 4:35 am
Area Of Expertise: General guidance and advice
experience: Not only can I turn PC on, I know most of its functions too
PC time: Alot more than I should
Location: Kent, UK

A new version of Sality at large

Postby Spudz » Wed Mar 31, 2010 12:46 pm

A new version of Sality at large
March 31, 2010 | 11:29 GMT
Vyacheslav Zakorzhevsky

Last Friday, Kaspersky Lab’s experts detected a new variant of Sality.aa, which is at present the most popular polymorphic virus. Sality.aa last mutated about a year ago, and the change was not too dramatic. However, within the last two years this virus has remained one of the TOP-5 malicious programs most often detected on users’ computers. Sality’s previous variants were not as popular. After Sality.aa, a new version called Sality.ae came out, which used the EPO infection technique. However, it failed to gain any ground with cybercriminals as it used a simple decrypting algorithm and an inefficient infection technique. All subsequent versions of the malicious program failed to win popularity as well due to their very simple decrypting algorithms.

The newly discovered variant was dubbed Sality.ag. Why so much interest in this one? It contains a fundamentally new decryption algorithm and a host of ‘advanced features’. As we see it, the new variant has every chance of replacing the older Sality.aa version and is likely to become very popular.

Due to its functional capabilities, this virus should be classified as a backdoor. Once within a system, the first thing that Sality.ag does is to install its DLL and a driver to filter the Internet traffic. The DLL is used to repel any types of security software and firewalls.

Below is a screenshot of the unpacked DLL. It contains lines which demonstrate the virus’ capability to resist security software: “avast! Self Protection”, “NOD32krn”, “Avira AntiVir Premium”, “DRWEBSCD” etc. Sality uses one of the simplest ways to shut off an antivirus: it attempts to close all windows and terminate all processes with names associated with security products.


Continues at Viruslist
Spam - Uninteresting garbage quickly deleted.
Spammer - A parasitic worm intent on creating internet misery.
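Added example, not part of Spudz's post or the Viruslist article: a detection sketch in Python for the AV-killing behaviour the article describes (terminating processes whose names belong to security products). It assumes Sysmon Event ID 10 (ProcessAccess) telemetry, reduced here to constructed key=value lines, and flags any process that requests PROCESS_TERMINATE on two or more watchlisted security processes; only NOD32krn and DRWEBSCD come from the article, the avast and Avira executable names are assumptions.

```python
import re
from collections import defaultdict

# Watchlist: process names the article quotes from the unpacked Sality.ag DLL,
# plus two assumed executable names for the avast/Avira products it also lists.
SECURITY_PROCESSES = {
    "nod32krn.exe",   # "NOD32krn" in the DLL's strings
    "drwebscd.exe",   # "DRWEBSCD" in the DLL's strings
    "avastsvc.exe",   # assumed avast! service executable (not on the page)
    "avguard.exe",    # assumed Avira AntiVir guard executable (not on the page)
}

# 0x0001 = PROCESS_TERMINATE in the Windows access mask Sysmon reports as GrantedAccess.
PROCESS_TERMINATE = 0x0001

# Constructed, simplified Sysmon Event ID 10 (ProcessAccess) records, one per line.
SAMPLE_LOG = """\
EventID=10 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\winlogon.exe TargetImage=C:\\Program Files\\ESET\\nod32krn.exe GrantedAccess=0x1
EventID=10 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\winlogon.exe TargetImage=C:\\Program Files\\DrWeb\\drwebscd.exe GrantedAccess=0x1
EventID=10 SourceImage=C:\\Windows\\System32\\taskmgr.exe TargetImage=C:\\Program Files\\ESET\\nod32krn.exe GrantedAccess=0x1fffff
EventID=10 SourceImage=C:\\Program Files\\ESET\\egui.exe TargetImage=C:\\Program Files\\ESET\\nod32krn.exe GrantedAccess=0x1000
EventID=1 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\winlogon.exe CommandLine=winlogon.exe
"""


def parse_event(line):
    """Split one record into a dict; values (paths) may contain spaces, so a
    value runs until the next ' Key=' token or the end of the line."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+)=(.*?)(?= \w+=|$)", line)}


def find_av_killers(log_text, min_targets=2):
    """Return {source_image: [target basenames]} for every source process that
    obtained a handle with PROCESS_TERMINATE on at least `min_targets` distinct
    watchlisted security processes. A single hit (e.g. an admin using Task
    Manager) stays below the threshold; a handle without the terminate bit
    (e.g. a product's own GUI querying its service) is ignored."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue
        access = int(ev["GrantedAccess"], 16)
        target = ev["TargetImage"].rsplit("\\", 1)[-1].lower()
        if access & PROCESS_TERMINATE and target in SECURITY_PROCESSES:
            hits[ev["SourceImage"]].add(target)
    return {src: sorted(t) for src, t in hits.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for src, targets in find_av_killers(SAMPLE_LOG).items():
        print(f"ALERT: {src} requested PROCESS_TERMINATE on {', '.join(targets)}")
```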
