W32Sality Anti Virus
02132Hdef
Forum Master
Joined: 13 Feb 2011
Posts: 69
Location: England

Sality, commonly known as the Sality virus, is a malware program which infects .exe and .scr files, thereby spreading each time the host is executed. This virus also includes an autorun component, as a result of which it spreads to any removable media. Moreover, it comes with a downloader Trojan component, which downloads and installs more malware when connected to the network.
This virus first appeared in 2003 in Russia. At that time, Sality was a tiny file infector which used to prepend its viral code to a host and had backdoor and key-logging capabilities. It has since been improved a lot with many additional features, which have made it more harmful and perilous. However, Sality's signature has remained the same. To understand the virus in detail, get some technical support.
The Characteristics
Symantec.com has nicely explained the functions of this virus. The payload runs 5 distinct components in separate threads.
The first component is a process injector. All processes except those belonging to the users "local service", "network service", or "system" will be injected with a copy of Sality to make sure the malware stays running.
The second component is responsible for lowering or disabling the overall security of the system. Security-related processes and services are stopped, including numerous antivirus and personal firewall products. The registry is modified and SafeBoot key entries are deleted. Features such as registry editing with the Windows regedit.exe tool or Task Manager are disabled. Firewall rules are added to let Sality access the network.
Sality also drops a kernel driver to a dynamically generated location in %System%\drivers and creates a service named "amsint32". This driver is a rootkit in charge of 2 things. First, it terminates processes when a regular call to TerminateProcess() fails. In fact, the rootkit is able to run dynamic code in a target process. However, this code, at present, only pertains to process termination.
The second feature is more interesting: the driver sets up an IpFilter callback function to process network packets. Ipfltdrv.sys is a standard Windows driver that can be loaded by starting the IpFilterDriver service. Kernel drivers can set a callback function to be called by IpFilter every time an IP packet comes in or goes out. The callback can decide to drop the packet. In a few words, IpFilter is a very simple way to build a basic Windows firewall. Sality uses IpFilter to drop every IP packet containing words that belong to an encrypted list of strings making up security vendors' URLs. The user-mode process can also instruct the driver to drop SMTP packets, blocking normal email exchange.
The third component is the infector itself. Sality is able to infect files on local drives as well as Windows shares. It also infects files referenced in the HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache registry key, which references the most often-used executables on the system, as well as .exe files located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Note here that the infection routine is careful enough to check that a file is not protected by the Windows File Protection mechanism (SFC) before attempting to infect it.
Let's move on to the fourth component: the downloader. Downloading and executing additional malware or security risks is the main goal of Sality. A compromised host carries with it a list of HTTP URLs that point to resources to be downloaded, decrypted, and executed. These URLs can also point to other URLs. The encryption used here is RC4, with static keys embedded in the compromised host. Now the question is, how are the URLs updated in case some of them get blocked, or more simply, when the malware gang decides to make Sality download other components?
The answer is given by the fifth and final compon
Fri 13:53, 06 May 2011 View user's profile
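The host-side behaviours listed in the post (the "amsint32" service backed by a driver under %System%\drivers, deleted SafeBoot keys, regedit and Task Manager disabled, executables referenced from the Run keys and MUICache) can be turned into a triage check. This is an added example, not part of the post or of Symantec's write-up; it runs over a constructed snapshot dictionary rather than a live registry, and the policy value names DisableRegistryTools/DisableTaskMgr are assumed from Windows documentation, not taken from the post.

```python
import re

# Indicators from the post: the "amsint32" service backed by a driver under
# %System%\drivers, deleted SafeBoot keys, regedit/Task Manager disabled.
SALITY_SERVICE = "amsint32"
SAFEBOOT_KEYS = (
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network",
)
# Windows policy values behind "regedit disabled" / "Task Manager disabled";
# the post names the effect, the value names are assumed from Windows docs.
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
DRIVER_PATH = re.compile(r"\\system32\\drivers\\[^\\]+\.sys$", re.IGNORECASE)

def triage(snapshot):
    """Return (indicator, detail) findings for one exported host snapshot."""
    findings = []
    svc = snapshot.get("services", {}).get(SALITY_SERVICE)
    if svc is not None:
        where = " (driver in %System%\\drivers)" if DRIVER_PATH.search(svc) else ""
        findings.append(("rootkit_service", f"{SALITY_SERVICE} -> {svc}{where}"))
    present = snapshot.get("registry_keys", set())
    for key in SAFEBOOT_KEYS:
        if key not in present:
            findings.append(("safeboot_missing", key))
    values = snapshot.get("registry_values", {})
    for name in ("DisableRegistryTools", "DisableTaskMgr"):
        if values.get(f"{POLICY_KEY}\\{name}") == 1:
            findings.append(("tool_disabled", name))
    # Executables referenced from Run keys and MUICache are the infector's
    # targets: list them so their hashes can be checked against known-good.
    for source in ("run_entries", "muicache"):
        for path in snapshot.get(source, []):
            if path.lower().endswith(".exe"):
                findings.append(("infection_target", path))
    return findings

# Constructed snapshot of a host showing the behaviours described in the post.
SAMPLE_SNAPSHOT = {
    "services": {"amsint32": r"C:\Windows\system32\drivers\xkfj.sys"},
    "registry_keys": {r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network"},
    "registry_values": {POLICY_KEY + r"\DisableTaskMgr": 1},
    "run_entries": [r"C:\Program Files\App\app.exe"],
    "muicache": [r"C:\Windows\notepad.exe", r"C:\Users\u\doc.txt"],
}

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_SNAPSHOT):
        print(f"{kind}: {detail}")
```

On a real host the snapshot would be filled from a services export and a registry export; the "infection_target" entries are not detections by themselves, only the files worth hashing against a clean baseline.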