W32.Sality.AE

posted under by Unknown

Begin of the article W32.Sality.AE removal process


1. DownloadGoogle recommend safer browser Web browser, For more safe, Stay Secure on the Web and stay far away virus, Download URL http://www.oral8.net/firefox/firefox.htm
2. Temporarily Disable System Restore (Windows Me/XP).
3. Update the virus definitions. Reboot computer in Safe Mode
4. Run a full system scan and clean/delete all W32.Sality.AE infected files and Delete/Modify any values added to the registry.
Navigate to the sub key and delete the values as following:

When the virus is executed, it copies itself as the following file:
%System%\drivers\[RANDOM FILE NAME].sys

The virus creates the following mutex so only one instance of the virus is running:
Op1mutx9

It then creates the following registry sub keys:

  • HKEY_CURRENT_USER\Software\[USER NAME]914
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER


It then creates the following registry entry so that it bypasses the Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[INFECTED FILE]" = "[INFECTED FILE]:*:Enabled:ipsec"

It modifies the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Setting\"GlobalUserOffline" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"


The virus also deletes entries in the following registry sub keys:

  • HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects


It then registers itself as a new service with the following characteristics:
Service Name: WMI_MFC_TPSHOKER_80
Display Name: WMI_MFC_TPSHOKER_80
Startup Type: Automatic

It then deletes itself.

It stops the following services:

  • ALG
  • aswUpdSv
  • avast! Antivirus
  • avast! Mail Scanner
  • avast! Web Scanner
  • BackWeb Plug-in - 4476822
  • bdss
  • BGLiveSvc
  • BlackICE
  • CAISafe
  • ccEvtMgr
  • ccProxy
  • ccSetMgr
  • F-Prot Antivirus Update Monitor
  • fsbwsys
  • FSDFWD
  • F-Secure Gatekeeper Handler Starter
  • fshttps
  • FSMA
  • InoRPC
  • InoRT
  • InoTask
  • ISSVC
  • KPF4
  • LavasoftFirewall
  • LIVESRV
  • McAfeeFramework
  • McShield
  • McTaskManager
  • navapsvc
  • NOD32krn
  • NPFMntor
  • NSCService
  • Outpost Firewall main module
  • OutpostFirewall
  • PAVFIRES
  • PAVFNSVR
  • PavProt
  • PavPrSrv
  • PAVSRV
  • PcCtlCom
  • PersonalFirewal
  • PREVSRV
  • ProtoPort Firewall service
  • PSIMSVC
  • RapApp
  • SmcService
  • SNDSrvc
  • SPBBCSvc
  • Symantec Core LC
  • Tmntsrv
  • TmPfw
  • tmproxy
  • UmxAgent
  • UmxCfg
  • UmxLU
  • UmxPol
  • vsmon
  • VSSERV
  • WebrootDesktopFirewallDataService
  • WebrootFirewall
  • XCOMM
  • AVP


It infects all executable files listed in the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

It infects all .exe executable files listed in the following registry subkeys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


It also infects all .exe and .scr files on the C drive and on any writable network resource, except the files on any folder with the following strings:

  • SYSTEM
  • AHEAD


The infected file size will increase 57,344 bytes.

It deletes any file whose name contains any of the following strings:

  • .VDB
  • .AVC
  • .KEY
  • drw
  • _AVPM
  • A2GUARD
  • AAVSHIELD
  • AVAST
  • ADVCHK
  • AHNSD
  • AIRDEFENSE
  • ALERTSVC
  • ALMON
  • ALOGSERV
  • ALSVC
  • AMON
  • ANTI-TROJAN
  • AVZ
  • ANTIVIR
  • ANTS
  • APVXDWIN
  • ARMOR2NET
  • ASHAVAST
  • ASHDISP
  • ASHENHCD
  • ASHMAISV
  • ASHPOPWZ
  • ASHSERV
  • ASHSIMPL
  • ASHSKPCK
  • ASHWEBSV
  • ASWUPDSV
  • ATCON
  • ATUPDATER
  • ATWATCH
  • AUPDATE
  • AUTODOWN
  • AUTOTRACE
  • AUTOUPDATE
  • AVCIMAN
  • AVCONSOL
  • AVENGINE
  • AVGAMSVR
  • AVGCC
  • AVGCC32
  • AVGCTRL
  • AVGEMC
  • AVGFWSRV
  • AVGNT
  • AVGNTDD
  • AVGNTMGR
  • AVGSERV
  • AVGUARD
  • AVGUPSVC
  • AVINITNT
  • AVKSERV
  • AVKSERVICE
  • AVKWCTL
  • AVP
  • AVP32
  • AVPCC
  • AVPM
  • AVPUPD
  • AVSCHED32
  • AVSYNMGR
  • AVWUPD32
  • AVWUPSRV
  • AVXMONITOR9X
  • AVXMONITORNT
  • AVXQUAR
  • BACKWEB-4476822
  • BDMCON
  • BDNEWS
  • BDOESRV
  • BDSS
  • BDSUBMIT
  • BDSWITCH
  • BLACKD
  • BLACKICE
  • CAFIX
  • CCAPP
  • CCEVTMGR
  • CCPROXY
  • CCSETMGR
  • CFIAUDIT
  • CLAMTRAY
  • CLAMWIN
  • CLAW95
  • CLAW95CF
  • CLEANER
  • CLEANER3
  • CLISVC
  • CMGRDIAN
  • CUREIT
  • DEFWATCH
  • DOORS
  • DRVIRUS
  • DRWADINS
  • DRWEB32W
  • DRWEBSCD
  • DRWEBUPW
  • ESCANH95
  • ESCANHNT
  • EWIDOCTRL
  • EZANTIVIRUSREGISTRATIONCHECK
  • F-AGNT95
  • FAMEH32
  • FAST
  • FCH32
  • FILEMON
  • FIRESVC
  • FIRETRAY
  • FIREWALL
  • FPAVUPDM
  • F-PROT95
  • FRESHCLAM
  • FRW
  • FSAV32
  • FSAVGUI
  • FSBWSYS
  • F-SCHED
  • FSDFWD
  • FSGK32
  • FSGK32ST
  • FSGUIEXE
  • FSM32
  • FSMA32
  • FSMB32
  • FSPEX.
  • FSSM32
  • F-STOPW
  • GCASDTSERV
  • GCASSERV
  • GIANTANTISPYWAREMAIN
  • GIANTANTISPYWAREUPDATER
  • GUARDGUI
  • GUARDNT
  • HREGMON
  • HRRES
  • HSOCKPE
  • HUPDATE
  • IAMAPP
  • IAMSERV
  • ICLOAD95
  • ICLOADNT
  • ICMON
  • ICSSUPPNT
  • ICSUPP95
  • ICSUPPNT
  • IFACE
  • INETUPD
  • INOCIT
  • INORPC
  • INORT
  • INOTASK
  • INOUPTNG
  • IOMON98
  • ISAFE
  • ISATRAY
  • ISRV95
  • ISSVC
  • KAV
  • KAVMM
  • KAVPF
  • KAVPFW
  • KAVSTART
  • KAVSVC
  • KAVSVCUI
  • KMAILMON
  • KPFWSVC
  • KWATCH
  • LOCKDOWN2000
  • LOGWATNT
  • LUALL
  • LUCOMSERVER
  • LUUPDATE
  • MCAGENT
  • MCMNHDLR
  • MCREGWIZ
  • MCUPDATE
  • MCVSSHLD
  • MINILOG
  • MYAGTSVC
  • MYAGTTRY
  • NAVAPSVC
  • NAVAPW32
  • NAVLU32
  • NAVW32
  • NOD32
  • NEOWATCHLOG
  • NEOWATCHTRAY
  • NISSERV
  • NISUM
  • NMAIN
  • NOD32
  • NORMIST
  • NOTSTART
  • NPAVTRAY
  • NPFMNTOR
  • NPFMSG
  • NPROTECT
  • NSCHED32
  • NSMDTR
  • NSSSERV
  • NSSTRAY
  • NTRTSCAN
  • NTXCONFIG
  • NUPGRADE
  • NVC95
  • NVCOD
  • NVCTE
  • NVCUT
  • NWSERVICE
  • OFCPFWSVC
  • OUTPOST
  • PAV
  • PAVFIRES
  • PAVFNSVR
  • PAVKRE
  • PAVPROT
  • PAVPROXY
  • PAVPRSRV
  • PAVSRV51
  • PAVSS
  • PCCGUIDE
  • PCCIOMON
  • PCCNTMON
  • PCCPFW
  • PCCTLCOM
  • PCTAV
  • PERSFW
  • PERTSK
  • PERVAC
  • PNMSRV
  • POP3TRAP
  • POPROXY
  • PREVSRV
  • PSIMSVC
  • QHM32
  • QHONLINE
  • QHONSVC
  • QHPF
  • QHWSCSVC
  • RAVMON
  • RAVTIMER
  • REALMON
  • REALMON95
  • RFWMAIN
  • RTVSCAN
  • RTVSCN95
  • RULAUNCH
  • SAVADMINSERVICE
  • SAVMAIN
  • SAVPROGRESS
  • SAVSCAN
  • SCAN32
  • SCANNINGPROCESS
  • CUREIT
  • SDHELP
  • SHSTAT
  • SITECLI
  • SPBBCSVC
  • SPHINX
  • SPIDERML
  • SPIDERNT
  • SPIDERUI
  • SPYBOTSD
  • SPYXX
  • SS3EDIT
  • STOPSIGNAV
  • SWAGENT
  • SWDOCTOR
  • SWNETSUP
  • SYMLCSVC
  • SYMPROXYSVC
  • SYMSPORT
  • SYMWSC
  • SYNMGR
  • TAUMON
  • TBMON
  • TC
  • TCA
  • TCM
  • TDS-3
  • TEATIMER
  • TFAK
  • THAV
  • THSM
  • TMAS
  • TMLISTEN
  • TMNTSRV
  • TMPFW
  • TMPROXY
  • TNBUTIL
  • TRJSCAN
  • UP2DATE
  • VBA32ECM
  • VBA32IFS
  • VBA32LDR
  • VBA32PP3
  • VBSNTW
  • VCHK
  • VCRMON
  • VETTRAY
  • VIRUSKEEPER
  • VPTRAY
  • VRFWSVC
  • VRMONNT
  • VRMONSVC
  • VRRW32
  • VSECOMR
  • VSHWIN32
  • VSMON
  • VSSERV
  • VSSTAT
  • WATCHDOG
  • WEBPROXY
  • WEBSCANX
  • WEBTRAP
  • WGFE95
  • WINAW32
  • WINROUTE
  • WINSS
  • WINSSNOTIFY
  • WRADMIN
  • WRCTRL
  • XCOMMSVR
  • ZATUTOR
  • ZAUINST
  • ZLCLIENT
  • ZONEALARM


It connects to the following URLs to get instructions. The instructions contain additional URLs to possibly download other malicious files:

  • [http://]pedmeo222nb.info
  • [http://]pzrk.ru
  • [http://]technican.w.interia.pl
  • [http://]www.kjwre9fqwieluoi.info
  • [http://]bpowqbvcfds677.info
  • [http://]bmakemegood24.com
  • [http://]bperfectchoice1.com
  • [http://]bcash-ddt.net
  • [http://]bddr-cash.net
  • [http://]btrn-cash.net
  • [http://]bmoney-frn.net
  • [http://]bclr-cash.net
  • [http://]bxxxl-cash.net
  • [http://]balsfhkewo7i487fksd.info
  • [http://]buynvf96.info


It prevents access to various security-related domains containing any of the following strings:

  • Cureit
  • Drweb
  • Onlinescan
  • Spywareinfo
  • Ewido
  • Virusscan
  • Windowsecurity
  • Spywareguide
  • Bitdefender
  • Panda software
  • Agnmitum
  • Virustotal
  • Sophos
  • Trend Micro
  • Etrust.com
  • Symantec
  • McAfee
  • F-Secure
  • Eset.com
  • Kaspersky


It then adds following entry to %Windir%\system.ini:
[MCIDRV_VER]

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
  • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

5. Exit registry editor.
6. Delete the IE temp files or you may download ATF temp files cleaner to run a full cleaning. And restart the computer.
8. Now you may remove W32.Sality.AE successfully.

9. After remove the virus, please try to install antivirus like Avira Antivirus. And then run full scanning for your computer. It might delete a lot of application exe file, just let it delete. Once it delete done these mean your pc is clean. Then you have to reinstall the application that deleted by antivirus again to make all application functioning.

0 赐教

Make A Comment
Subscribe to: Post Comments (Atom)
top

自传

Unknown
View my complete profile
© 小猪秘籍 - Web 2.0 Blogger Template Dark by Jack Book and Dezinerfolio