PE_SALITY.M

May 5th, 2008

PE_SALITY.M can be downloaded from remote sites by other malware, or downloaded unknowingly by a user visiting a malicious Web site. It then executes the downloaded files, so their malicious routines run on the affected system.

Profile

Malware type: File infector
Encrypted: No
Platforms: Windows 2000, Windows XP, Windows Server 2003

Installation

PE_SALITY.M is installed when a user visits a malicious website, when it is dropped by other malware, or when it is downloaded by other means.

How it works

PE_SALITY.M adds the following lines to the SYSTEM.INI file:

[MCIDRV_VER]
DEVICEMB={Random numbers}

It creates the following registry keys and entries:

HKEY_CURRENT_USER\Software\{User Name}914

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
EnableLUA = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpFilterDriver

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMI_MFC_TPSHOKER_80

It also removes the computer's ability to boot into Safe Mode.

The virus infects files with .exe and .scr extensions.

Download Method

The infector connects to the following URLs and executes the files obtained from them, causing infection:

* http://{BLOCKED}nfo.co.kr/tanga.gif
* http://{BLOCKED}u/img/logo4.gif
* http://{BLOCKED}_AVERI_SOSITE.infaa
* http://{BLOCKED}i3.info/tanga.gif

Effect on processes

The infector terminates all of the following processes if they are found to be running:

* aswUpdSv
* avast! Antivirus
* avast! Mail Scanner
* avast! Web Scanner
* AVP
* BackWeb Plug-in - 4476822
* bdss
* BGLiveSvc
* BlackICE
* CAISafe
* ccEvtMgr
* ccProxy
* ccSetMgr
* F-Prot Antivirus Update Monitor
* F-Secure Gatekeeper Handler Starter
* fsbwsys
* FSDFWD
* fshttps
* InoRPC
* InoRT
* InoTask
* ISSVC
* LavasoftFirewall
* LIVESRV
* McAfeeFramework
* McShield
* McTaskManager
* navapsvc
* NOD32krn
* NPFMntor
* NSCService
* Outpost Firewall main module
* OutpostFirewall
* PAVFIRES
* PAVFNSVR
* PavProt
* PavPrSrv
* PAVSRV
* PcCtlCom
* PersonalFirewal
* PREVSRV
* ProtoPort Firewall service
* PSIMSVC
* RapApp
* SmcService
* SNDSrvc
* SPBBCSvc
* Symantec Core LC
* Tmntsrv
* TmPfw
* tmproxy
* UmxAgent
* UmxCfg
* UmxLU
* UmxPol
* vsmon
* VSSERV
* WebrootDesktopFirewallDataService
* WebrootFirewall
* XCOMM
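
The kill list above is useful beyond clean-up: a scheduled process snapshot that suddenly loses its security products is a practical detection signal for this family. The script below is an added example written for this page, not code from the original write-up or from any vendor. It compares two snapshots in the CSV layout of `tasklist /FO CSV /SVC` (columns "Image Name","PID","Services") and reports kill-list entries that were running in the earlier snapshot but are gone from the later one. The two snapshots are constructed, and the kill list is a subset of the names listed above.

```python
"""Detect termination of security software named on the PE_SALITY.M kill list.

Added example, not from the original write-up: compares two process snapshots
in the CSV layout of `tasklist /FO CSV /SVC` ("Image Name","PID","Services").
The snapshots are constructed; the kill list is a subset of the names above.
"""
import csv
import io

# Page entries without ".exe" may be service names rather than image names,
# so both the image-name column and the services column are matched.
KILL_LIST = [
    "aswUpdSv", "avast! Antivirus", "avast! Mail Scanner", "avast! Web Scanner",
    "AVP", "bdss", "BlackICE", "ccEvtMgr", "ccProxy", "ccSetMgr", "McShield",
    "navapsvc", "NOD32krn", "OutpostFirewall", "SmcService", "Tmntsrv", "vsmon",
]
CANONICAL = {name.lower(): name for name in KILL_LIST}

# Constructed snapshot of a host with three security products running.
BEFORE = '''"Image Name","PID","Services"
"System","4","N/A"
"explorer.exe","1492","N/A"
"ccEvtMgr.exe","1608","ccEvtMgr"
"ashServ.exe","1720","avast! Antivirus"
"vsmon.exe","1804","vsmon"
'''
# Constructed snapshot of the same host later: the security processes are gone.
AFTER = '''"Image Name","PID","Services"
"System","4","N/A"
"explorer.exe","1492","N/A"
"svchost.exe","2316","N/A"
'''

def snapshot_tokens(csv_text):
    """Lower-cased image names (extension stripped) plus service names."""
    tokens = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        image = row["Image Name"].lower()
        tokens.add(image[:-4] if image.endswith(".exe") else image)
        services = row.get("Services") or "N/A"
        if services != "N/A":
            tokens.update(s.strip().lower() for s in services.split(","))
    return tokens

def security_products_running(csv_text):
    """Kill-list entries present in a snapshot, spelled as on the page."""
    return sorted(CANONICAL[t] for t in snapshot_tokens(csv_text) & set(CANONICAL))

def terminated_security_products(before_csv, after_csv):
    """Kill-list entries that were running before but are absent after."""
    gone = snapshot_tokens(before_csv) - snapshot_tokens(after_csv)
    return sorted(CANONICAL[t] for t in gone & set(CANONICAL))

if __name__ == "__main__":
    print("running before:", security_products_running(BEFORE))
    print("terminated:    ", terminated_security_products(BEFORE, AFTER))
```

A product that simply was not installed never shows up as terminated, because the comparison only reports names that were present in the earlier snapshot; a crash or a manual stop of an antivirus service will trigger it too, so treat a hit as a reason to pull the full process list and the SYSTEM.INI and registry artifacts described above.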

Other information

Registry subkeys may also be affected on the target system. If any of the following subkeys are present in the registry of an infected system, they are deleted:

* _AVPM
* A2GUARD
* AAVSHIELD
* ADVCHK
* AHNSD
* AIRDEFENSE
* ALERTSVC
* ALMON
* ALOGSERV
* ALSVC
* AMON
* ANTI-TROJAN
* ANTIVIR
* ANTS
* APVXDWIN
* ARMOR2NET
* ASHAVAST
* ASHDISP
* ASHENHCD
* ASHMAISV
* ASHPOPWZ
* ASHSERV
* ASHSIMPL
* ASHSKPCK
* ASHWEBSV
* ASWUPDSV
* ATCON
* ATUPDATER
* ATWATCH
* AUPDATE
* AUTODOWN
* AUTOTRACE
* AUTOUPDATE
* AVAST
* AVCIMAN
* AVCONSOL
* AVENGINE
* AVGAMSVR
* AVGCC
* AVGCC32
* AVGCTRL
* AVGEMC
* AVGFWSRV
* AVGNT
* AVGNTDD
* AVGNTMGR
* AVGSERV
* AVGUARD
* AVGUPSVC
* AVINITNT
* AVKSERV
* AVKSERVICE
* AVKWCTL
* AVP32
* AVPCC
* AVPM
* AVPUPD
* AVSCHED32
* AVSYNMGR
* AVWUPD32
* AVWUPSRV
* AVXMONITOR9X
* AVXMONITORNT
* AVXQUAR
* BACKWEB-4476822
* BDMCON
* BDNEWS
* BDOESRV
* BDSS
* BDSUBMIT
* BDSWITCH
* BLACKD
* BLACKICE
* CAFIX
* CCAPP
* CCEVTMGR
* CCPROXY
* CCSETMGR
* CFIAUDIT
* CLAMTRAY
* CLAMWIN
* CLAW95
* CLAW95CF
* CLEANER
* CLEANER3
* CLISVC
* CMGRDIAN
* CUREIT
* DEFWATCH
* DOORS
* DRVIRUS
* DRWADINS
* DRWEB32W
* DRWEBSCD
* DRWEBUPW
* ESCANH95
* ESCANHNT
* EWIDOCTRL
* EZANTIVIRUSREGISTRATIONCHECK
* F-AGNT95
* F-PROT95
* F-SCHED
* F-STOPW
* FAMEH32
* FAST
* FCH32
* FILEMON
* FIRESVC
* FIRETRAY
* FIREWALL
* FPAVUPDM
* FRESHCLAM
* FSAV32
* FSAVGUI
* FSBWSYS
* FSDFWD
* FSGK32
* FSGK32ST
* FSGUIEXE
* FSM32
* FSMA32
* FSMB32
* FSPEX
* FSSM32
* GCASDTSERV
* GCASSERV
* GIANTANTISPYWAREMAIN
* GIANTANTISPYWAREUPDATER
* GUARDGUI
* GUARDNT
* HREGMON
* HRRES
* HSOCKPE
* HUPDATE
* IAMAPP
* IAMSERV
* ICLOAD95
* ICLOADNT
* ICMON
* ICSSUPPNT
* ICSUPP95
* ICSUPPNT
* IFACE
* INETUPD
* INOCIT
* INORPC
* INORT
* INOTASK
* INOUPTNG
* IOMON98
* ISAFE
* ISATRAY
* ISRV95
* ISSVC
* KAVMM
* KAVPF
* KAVPFW
* KAVSTART
* KAVSVC
* KAVSVCUI
* KMAILMON
* KPFWSVC
* KWATCH
* LOCKDOWN2000
* LOGWATNT
* LUALL
* LUCOMSERVER
* LUUPDATE
* MCAGENT
* MCMNHDLR
* MCREGWIZ
* MCUPDATE
* MCVSSHLD
* MINILOG
* MYAGTSVC
* MYAGTTRY
* NAVAPSVC
* NAVAPW32
* NAVLU32
* NAVW32
* NEOWATCHLOG
* NEOWATCHTRAY
* NISSERV
* NISUM
* NMAIN
* NOD32
* NORMIST
* NOTSTART
* NPAVTRAY
* NPFMNTOR
* NPFMSG
* NPROTECT
* NSCHED32
* NSMDTR
* NSSSERV
* NSSTRAY
* NTRTSCAN
* NTXCONFIG
* NUPGRADE
* NVC95
* NVCOD
* NVCTE
* NVCUT
* NWSERVICE
* OFCPFWSVC
* OUTPOST
* PAVFIRES
* PAVFNSVR
* PAVKRE
* PAVPROT
* PAVPROXY
* PAVPRSRV
* PAVSRV51
* PAVSS
* PCCGUIDE
* PCCIOMON
* PCCNTMON
* PCCPFW
* PCCTLCOM
* PCTAV
* PERSFW
* PERTSK
* PERVAC
* PNMSRV
* POP3TRAP
* POPROXY
* PREVSRV
* PSIMSVC
* QHM32
* QHONLINE
* QHONSVC
* QHPF
* QHWSCSVC
* RAVMON
* RAVTIMER
* REALMON
* REALMON95
* RFWMAIN
* RTVSCAN
* RTVSCN95
* RULAUNCH
* SAVADMINSERVICE
* SAVMAIN
* SAVPROGRESS
* SAVSCAN
* SCAN32
* SCANNINGPROCESS
* SDHELP
* SHSTAT
* SITECLI
* SPBBCSVC
* SPHINX
* SPIDERML
* SPIDERNT
* SPIDERUI
* SPYBOTSD
* SPYXX
* SS3EDIT
* STOPSIGNAV
* SWAGENT
* SWDOCTOR
* SWNETSUP
* SYMLCSVC
* SYMPROXYSVC
* SYMSPORT
* SYMWSC
* SYNMGR
* TAUMON
* TBMON
* TDS-3
* TEATIMER
* TFAK
* THAV
* THSM
* TMAS
* TMLISTEN
* TMNTSRV
* TMPFW
* TMPROXY
* TNBUTIL
* TRJSCAN
* UP2DATE
* VBA32ECM
* VBA32IFS
* VBA32LDR
* VBA32PP3
* VBSNTW
* VCHK
* VCRMON
* VETTRAY
* VIRUSKEEPER
* VPTRAY
* VRFWSVC
* VRMONNT
* VRMONSVC
* VRRW32
* VSECOMR
* VSHWIN32
* VSMON
* VSSERV
* VSSTAT
* WATCHDOG
* WEBPROXY
* WEBSCANX
* WEBTRAP
* WGFE95
* WINAW32
* WINROUTE
* WINSS
* WINSSNOTIFY
* WRADMIN
* WRCTRL
* XCOMMSVR
* ZATUTOR
* ZAUINST
* ZLCLIENT
* ZONEALARM

Threat Level: ★★★½☆

WORM_AUTORUN.BSG

May 4th, 2008

WORM_AUTORUN.BSG is a new worm spreading online from computer to computer. We rate it critical because of the high number of reported infections and its increased damage and distribution potential.

Profile

Malware type: Worm
Encrypted: No
Platforms: Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, and Windows Server 2003

Installation

The worm infects the following locations:

* %System Root%\MSDOS.BAT
* %Windows%\Tasks\0x01xx8p.exe

and creates the following registry key and value:

* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zzz
* ImagePath = "\??\%systemroot%\zzz.sys"

How it works

The worm connects to the site http://(removed).cn and downloads files, which are then executed locally, infecting the PC.
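
The SYSTEM.INI lines, registry keys and missing Safe Mode keys listed for PE_SALITY.M above, together with the zzz service key listed for WORM_AUTORUN.BSG, can all be checked offline from a copy of SYSTEM.INI and a .reg export of the relevant hives. The script below is an added example for this page, not code from the original write-up or from any vendor. It assumes the .reg file was written by reg export or regedit, that the export covers HKLM\SYSTEM\CurrentControlSet\Control (otherwise the Safe Mode check is skipped), and that %SystemRoot% resolves to C:\WINDOWS. Both sample inputs are constructed.

```python
"""Offline triage of SYSTEM.INI and a .reg export for the indicators on this page.

Added example, not from the original write-up. Inputs below are constructed;
%SystemRoot% is assumed to resolve to C:\\WINDOWS.
"""
import re

SAMPLE_SYSTEM_INI = """; constructed SYSTEM.INI excerpt from an infected host
[drivers]
wave=mmdrv.dll
timer=timer.drv
[MCIDRV_VER]
DEVICEMB=83726191
"""

# Constructed export; the SafeBoot subkeys are deliberately absent from it.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpFilterDriver]
"ImagePath"="system32\\DRIVERS\\ipfltdrv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMI_MFC_TPSHOKER_80]
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zzz]
"ImagePath"="\\??\\%systemroot%\\zzz.sys"
"""

# Registry paths compare case-insensitively, so keys are stored lower-cased.
HKCU_INET = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\internet settings"
HKLM_POLICY = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\policies\\system"
CONTROL = "hkey_local_machine\\system\\currentcontrolset\\control"
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"

def parse_ini(text):
    """SYSTEM.INI -> {section: {name: value}}, sections and names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, _, value = line.partition("=")
            sections[current][name.strip().lower()] = value.strip()
    return sections

def _decode_value(raw):
    """dword:/string .reg encodings -> str; other encodings are left as written."""
    if raw.startswith("dword:"):
        return str(int(raw[6:], 16))
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo the \\ and \" escaping
    return raw

def parse_reg_export(text):
    """A .reg export -> {key_path: {value_name: value}} (keys and names lower-cased)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        match = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if match and current is not None:
            keys[current][match.group(1).lower()] = _decode_value(match.group(2))
    return keys

def normalize_image_path(value, systemroot="C:\\WINDOWS"):
    """Strip the NT object-namespace prefix \\??\\ and expand %SystemRoot%."""
    path = value[4:] if value.startswith("\\??\\") else value
    return re.sub(r"%systemroot%", lambda _m: systemroot, path, flags=re.IGNORECASE)

def check_sality(ini_text, keys):
    """PE_SALITY.M indicators present -> {indicator: weight}."""
    found = {}
    if "devicemb" in parse_ini(ini_text).get("mcidrv_ver", {}):
        found["system_ini_mcidrv_ver_devicemb"] = "strong"
    if keys.get(HKLM_POLICY, {}).get("enablelua") == "0":
        found["enablelua_0"] = "medium"        # also set by hand by some admins
    if keys.get(HKCU_INET, {}).get("globaluseroffline") == "0":
        found["globaluseroffline_0"] = "weak"  # normal value on clean systems
    if SERVICES + "wmi_mfc_tpshoker_80" in keys:
        found["service_wmi_mfc_tpshoker_80"] = "strong"
    if SERVICES + "ipfilterdriver" in keys:
        found["service_ipfilterdriver"] = "weak"  # stock Windows IP filter driver
    # Only judge Safe Mode if the export actually covered the Control key.
    if any(k.startswith(CONTROL) for k in keys) and not any(
            k.startswith(CONTROL + "\\safeboot") for k in keys):
        found["safeboot_keys_missing"] = "medium"
    return found

def check_autorun_bsg(keys, systemroot="C:\\WINDOWS"):
    """Resolved driver path of the WORM_AUTORUN.BSG 'zzz' service, or None."""
    service = keys.get(SERVICES + "zzz")
    if service is None:
        return None
    return normalize_image_path(service.get("imagepath", ""), systemroot)

if __name__ == "__main__":
    exported = parse_reg_export(SAMPLE_REG_EXPORT)
    for name, weight in check_sality(SAMPLE_SYSTEM_INI, exported).items():
        print(f"PE_SALITY.M  {weight:6} {name}")
    print("WORM_AUTORUN.BSG zzz driver:", check_autorun_bsg(exported))
```

Read a real export with the encoding it was written in (regedit's default .reg export is UTF-16) before passing it to parse_reg_export. The weights are a triage aid: IpFilterDriver is a stock Windows service and GlobalUserOffline = 0 is a normal setting, so only the SYSTEM.INI entry, the WMI_MFC_TPSHOKER_80 service and the zzz service are specific enough to act on alone.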

Threat Level: ★★★★☆