Select local site

| Japanese | Simplified Chinese | Traditional Chinese (Hong Kong) | Traditional Chinese (Taiwan)

F-Secure Virus Information Pages: Sality.Q
[Summary] | [Disinfection] | [Detailed Description] | [Detection]

Name : Sality.Q
Alias:Virus.Win32.Sality.q, W32.Sality.Q-2, W32/Sality.T, PE_SALITY.AS, W32/Sality-AA, Worm/PoeBot.81408.A, W32/Sality.x.dll, Win32/Sality.NAJ, W32.HLLP.Sality
Size:20480 Bytes
Type:Virus
Category:Virus
Date of Discovery:August 14, 2006
Radar

Summary
Sality.Q is an appending polymorphic file infector that uses an entry point obscuring technique. Unlike other file infectors that modify the entry point of the host file to point to the virus code, Sality.Q replaces 122 bytes from the beginning code of the host file with its decryption routine and hides it in its code. It stores the original code 1,422 bytes away from the start of the last section.
Back to the Top

Disinfection

Automatic Disinfection

Usually viruses infecting boot and executable files are automatically disinfected by F-Secure Anti-Virus (FSAV). In some cases, when automatic disinfection is not possible due to file corruption or overwriting virus, a user can select disinfection action by him/herself to make FSAV rename or delete an infected file. In some special cases it is recommended to use specific disinfection tools provided by F-Secure. They can be downloaded from our web or ftp sites:

http://www.f-secure.com/download-purchase/tools.shtml

ftp://ftp.f-secure.com/anti-virus/tools/

F-Secure Anti-Virus can be purchased from our webshop or from our authorised distributors. A trial version F-Secure Anti-Virus, limited to 30 days, can be downloaded from our website:

http://www.f-secure.com/download-purchase/

All the latest versions of FSAV can download anti-virus database updates automatically. However, these updates can be also downloaded and installed manually from our web or ftp sites:

http://www.f-secure.com/download-purchase/updates.shtml

Manual Disinfection

It is not recommended to manually disinfect files and boot sectors from viruses as it can cause damage to a system and make it unbootable.

System Restore issue and file viruses

If Windows ME or XP is used, it is recommended to disable System Restore feature of these operating systems to prevent a computer from re-infection by an already removed malware. The fact is that System Restore feature of these operating systems might save an infected file into the special folder and copy it back to a hard drive it every time it's been renamed or deleted by F-Secure Anti-Virus or by a user. Instructions on how to disable System Restore feature are here:

Windows ME:

http://www.europe.f-secure.com/v-descs/sfc_dis.shtml

Windows XP:

http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

It is recommended to re-enable System Restore after disinfection in order to restore stable system configuration in the future, if any crash or incompatibility issue occurs.
Back to the Top

Detailed Description
When the infected executable file has been run, it will drop the following .dll components:

  • %windir%\system32\vcmgcd32.dll
  • %windir%\system32\vcmgcd32.dl_


It will then load the vcmgcd32.dll file, which contains the malicious routine. After successfully installing its components, it will then execute the original host file's code to prevent the user from suspecting infection.


It creates the following mutexes to make sure that only one instance of its .dll component is running in memory:

  • KUKU300a
  • KUKU301a
  • _kuku_joker_v3.09_


It can infect any of the following extensions by searching for files starting from "C:\":

  • .exe
  • .scr


It also infects files with .EXE extensions that are referenced as data in the following registry keys:

  • [HKCU\Software\Microsoft\Windows\CurrentVersion\run]
  • [HLKM\Software\Microsoft\Windows\CurrentVersion\run]


Sality.Q appends itself by creating a new section with a section name of "{random characters}data" and has a size of 20480 Bytes.


It also tries to delete files and processes related to some antivirus products.


It deletes files that it finds with any of the following extensions:

  • .avc
  • .key
  • .vdb


Moreover it also deletes files with filenames that starts with any of the following strings:

  • ALER
  • ANDA
  • ANTI
  • AVP
  • BIDEF
  • CLEAN
  • GUAR
  • KAV
  • NOD
  • OUTP
  • SCAN
  • TREN
  • TROJ
  • ZONE


It may also kill processes that starts with the following strings:

  • ANTI
  • ATGUARD
  • AUTOTRACE
  • AVGSERV
  • AVLTMAIN
  • AVP
  • AVPROTECT
  • AVSYNMGR
  • AVXQUAR
  • BIDEF
  • BIDSERVER
  • BIPCP
  • BLACKICE
  • CLEANER
  • DRWATSON
  • DRWEB
  • DRWTSN32
  • ESCANH
  • ICSSUPPNT
  • ICSUPP
  • KAV
  • LOCKDOWN
  • MCAGENT
  • MCUPDATE
  • MGUI
  • NAV
  • NMAIN
  • NOD32
  • NPFMESSENGER
  • NPROTECT
  • NUPGRADE
  • OUTPOST
  • PERISCOPE
  • PINGSCAN
  • PORTDETECTIVE
  • PROTECTX
  • RTVSCAN
  • SAVSCAN
  • TRJSCAN
  • VSMAIN
  • ZONEALARM


It checks for an Internet connection by querying:

  • www.microsoft.com


It then attempts to connect to the following URLs:

  • www.f5ds1jkkk4d.info
  • www.g1ikdcvns3sdsal.info
  • www.h7smcnrwlsdn34fgv.info
  • www.hkukud123ncs.info
  • www.inform1ongung.info
  • www.kukutrustnet.org
  • www.kukutrustnet7.com
  • www.kukutrustnet7.info
  • www.lukki6nd2kdnc.info


It also modifies %windir%\SYSTEM.INI by adding a section called MCIDRV_VER with key DEVICE and putting a random value inside it.

Example:

  • [MCIDRV_VER]
    DEVICE=566828orapm40409

The .DLL component can steal cached passwords and also has key logging capabilities. It is injected in all running processes.
Back to the Top

Detection

F-Secure Anti-Virus detects this malware with the following updates:

[FSAV_Database_Version]

Version = 2006-08-14_04.
Back to the Top



F-Secure Corporation

Last Modified: August 25, 2006