Cyber Hacking

PE_SALITY.M can be downloaded from remote sites by other malware. It can also be downloaded unknowingly by a user when visiting malicious Web sites. It then executes the files. As a result, malicious routines of the files are executed on the affected system.

Profile

Malware type: File infector
Encrypted: No
Platforms: Windows 2000, Windows XP, Windows Server 2003

Installation

PE_SALITY.M is installed when a user visits a malicious website or it is dropped by other malware or it may be downloaded.

How it works

PE_SALITY.M adds the following lines to the SYSTEM.INI file:

[MCIDRV_VER]
DEVICEMB={Random numbers}

It creates the following registry keys and entries:

HKEY_CURRENT_USER\Software\{User Name}914

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = “0″

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\system
EnableLUA = “0″

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IpFilterDriver

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WMI_MFC_TPSHOKER_80

It also deletes the computer’s ability to boot into safe mode.

The virus infects files with .exe extensions and .scr extensions.

Download Method

The infector connects to the following URL’s and executes the following files causing infection:

* http://{BLOCKED}nfo.co.kr/tanga.gif
* http://{BLOCKED}u/img/logo4.gif
* http://{BLOCKED}_AVERI_SOSITE.infaa
* http://{BLOCKED}i3.info/tanga.gif

Effect on processes

The infector terminates all of the following processes if they are found to be running:

* aswUpdSv
* avast! Antivirus
* avast! Mail Scanner
* avast! Web Scanner
* AVP
* BackWeb Plug-in - 4476822
* bdss
* BGLiveSvc
* BlackICE
* CAISafe
* ccEvtMgr
* ccProxy
* ccSetMgr
* F-Prot Antivirus Update Monitor
* F-Secure Gatekeeper Handler Starter
* fsbwsys
* FSDFWD
* fshttps
* InoRPC
* InoRT
* InoTask
* ISSVC
* LavasoftFirewall
* LIVESRV
* McAfeeFramework
* McShield
* McTaskManager
* navapsvc
* NOD32krn
* NPFMntor
* NSCService
* Outpost Firewall main module
* OutpostFirewall
* PAVFIRES
* PAVFNSVR
* PavProt
* PavPrSrv
* PAVSRV
* PcCtlCom
* PersonalFirewal
* PREVSRV
* ProtoPort Firewall service
* PSIMSVC
* RapApp
* SmcService
* SNDSrvc
* SPBBCSvc
* Symantec Core LC
* Tmntsrv
* TmPfw
* tmproxy
* UmxAgent
* UmxCfg
* UmxLU
* UmxPol
* vsmon
* VSSERV
* WebrootDesktopFirewallDataService
* WebrootFirewall
* XCOMM

Other information

Registry subkeys may also be affected on the target system(s). If any of the following subkeys are found in your registry when you are infected, they will be deleted:

* _AVPM
* A2GUARD
* AAVSHIELD
* ADVCHK
* AHNSD
* AIRDEFENSE
* ALERTSVC
* ALMON
* ALOGSERV
* ALSVC
* AMON
* ANTI-TROJAN
* ANTIVIR
* ANTS
* APVXDWIN
* ARMOR2NET
* ASHAVAST
* ASHDISP
* ASHENHCD
* ASHMAISV
* ASHPOPWZ
* ASHSERV
* ASHSIMPL
* ASHSKPCK
* ASHWEBSV
* ASWUPDSV
* ATCON
* ATUPDATER
* ATWATCH
* AUPDATE
* AUTODOWN
* AUTOTRACE
* AUTOUPDATE
* AVAST
* AVCIMAN
* AVCONSOL
* AVENGINE
* AVGAMSVR
* AVGCC
* AVGCC32
* AVGCTRL
* AVGEMC
* AVGFWSRV
* AVGNT
* AVGNTDD
* AVGNTMGR
* AVGSERV
* AVGUARD
* AVGUPSVC
* AVINITNT
* AVKSERV
* AVKSERVICE
* AVKWCTL
* AVP32
* AVPCC
* AVPM
* AVPUPD
* AVSCHED32
* AVSYNMGR
* AVWUPD32
* AVWUPSRV
* AVXMONITOR9X
* AVXMONITORNT
* AVXQUAR
* BACKWEB-4476822
* BDMCON
* BDNEWS
* BDOESRV
* BDSS
* BDSUBMIT
* BDSWITCH
* BLACKD
* BLACKICE
* CAFIX
* CCAPP
* CCEVTMGR
* CCPROXY
* CCSETMGR
* CFIAUDIT
* CLAMTRAY
* CLAMWIN
* CLAW95
* CLAW95CF
* CLEANER
* CLEANER3
* CLISVC
* CMGRDIAN
* CUREIT
* DEFWATCH
* DOORS
* DRVIRUS
* DRWADINS
* DRWEB32W
* DRWEBSCD
* DRWEBUPW
* ESCANH95
* ESCANHNT
* EWIDOCTRL
* EZANTIVIRUSREGISTRATIONCHECK
* F-AGNT95
* F-PROT95
* F-SCHED
* F-STOPW
* FAMEH32
* FAST
* FCH32
* FILEMON
* FIRESVC
* FIRETRAY
* FIREWALL
* FPAVUPDM
* FRESHCLAM
* FSAV32
* FSAVGUI
* FSBWSYS
* FSDFWD
* FSGK32
* FSGK32ST
* FSGUIEXE
* FSM32
* FSMA32
* FSMB32
* FSPEX
* FSSM32
* GCASDTSERV
* GCASSERV
* GIANTANTISPYWAREMAIN
* GIANTANTISPYWAREUPDATER
* GUARDGUI
* GUARDNT
* HREGMON
* HRRES
* HSOCKPE
* HUPDATE
* IAMAPP
* IAMSERV
* ICLOAD95
* ICLOADNT
* ICMON
* ICSSUPPNT
* ICSUPP95
* ICSUPPNT
* IFACE
* INETUPD
* INOCIT
* INORPC
* INORT
* INOTASK
* INOUPTNG
* IOMON98
* ISAFE
* ISATRAY
* ISRV95
* ISSVC
* KAVMM
* KAVPF
* KAVPFW
* KAVSTART
* KAVSVC
* KAVSVCUI
* KMAILMON
* KPFWSVC
* KWATCH
* LOCKDOWN2000
* LOGWATNT
* LUALL
* LUCOMSERVER
* LUUPDATE
* MCAGENT
* MCMNHDLR
* MCREGWIZ
* MCUPDATE
* MCVSSHLD
* MINILOG
* MYAGTSVC
* MYAGTTRY
* NAVAPSVC
* NAVAPW32
* NAVLU32
* NAVW32
* NEOWATCHLOG
* NEOWATCHTRAY
* NISSERV
* NISUM
* NMAIN
* NOD32
* NORMIST
* NOTSTART
* NPAVTRAY
* NPFMNTOR
* NPFMSG
* NPROTECT
* NSCHED32
* NSMDTR
* NSSSERV
* NSSTRAY
* NTRTSCAN
* NTXCONFIG
* NUPGRADE
* NVC95
* NVCOD
* NVCTE
* NVCUT
* NWSERVICE
* OFCPFWSVC
* OUTPOST
* PAVFIRES
* PAVFNSVR
* PAVKRE
* PAVPROT
* PAVPROXY
* PAVPRSRV
* PAVSRV51
* PAVSS
* PCCGUIDE
* PCCIOMON
* PCCNTMON
* PCCPFW
* PCCTLCOM
* PCTAV
* PERSFW
* PERTSK
* PERVAC
* PNMSRV
* POP3TRAP
* POPROXY
* PREVSRV
* PSIMSVC
* QHM32
* QHONLINE
* QHONSVC
* QHPF
* QHWSCSVC
* RAVMON
* RAVTIMER
* REALMON
* REALMON95
* RFWMAIN
* RTVSCAN
* RTVSCN95
* RULAUNCH
* SAVADMINSERVICE
* SAVMAIN
* SAVPROGRESS
* SAVSCAN
* SCAN32
* SCANNINGPROCESS
* SDHELP
* SHSTAT
* SITECLI
* SPBBCSVC
* SPHINX
* SPIDERML
* SPIDERNT
* SPIDERUI
* SPYBOTSD
* SPYXX
* SS3EDIT
* STOPSIGNAV
* SWAGENT
* SWDOCTOR
* SWNETSUP
* SYMLCSVC
* SYMPROXYSVC
* SYMSPORT
* SYMWSC
* SYNMGR
* TAUMON
* TBMON
* TDS-3
* TEATIMER
* TFAK
* THAV
* THSM
* TMAS
* TMLISTEN
* TMNTSRV
* TMPFW
* TMPROXY
* TNBUTIL
* TRJSCAN
* UP2DATE
* VBA32ECM
* VBA32IFS
* VBA32LDR
* VBA32PP3
* VBSNTW
* VCHK
* VCRMON
* VETTRAY
* VIRUSKEEPER
* VPTRAY
* VRFWSVC
* VRMONNT
* VRMONSVC
* VRRW32
* VSECOMR
* VSHWIN32
* VSMON
* VSSERV
* VSSTAT
* WATCHDOG
* WEBPROXY
* WEBSCANX
* WEBTRAP
* WGFE95
* WINAW32
* WINROUTE
* WINSS
* WINSSNOTIFY
* WRADMIN
* WRCTRL
* XCOMMSVR
* ZATUTOR
* ZAUINST
* ZLCLIENT
* ZONEALARM

Threat Level:

This entry was posted on Monday, May 5th, 2008 at 7:43 pm and is filed under Malware. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.