Quisiera saber si tienen este virus reguistrado

Publicado por Shaoran Lee, Septiembre 19, 2008, 01:49:59 PM

Tema anterior - Siguiente tema

Shaoran Lee


Silaty.NAR

ya que me a infectado mi PC y siempre actualizo cada vez que me conecto a internet... ya que van varias veces que me lo va dejando pasar.


Red Mx

es necesaria una muestra , recuerde tambien que mx one es un complemento de seguridad y toda la responsabilidad cae en el tambien cae en su antivirus recidente.


Dominios, Hosting Y Desarrollo Web, con la calidad de LDC.

Shaoran Lee

pues la información que encontre es la siguiente:


Threat Encyclopaedia   Print this pageSend

Win32/Sality.NAR
Aliases:   Virus.Win32.Sality.aa (Kaspersky), Virus:Win32/Sality.AM (Microsoft), W32/Sality.ah (McAfee) 
Type of infiltration:   Virus
Size:   Variable
Affected platforms:   Windows
Signature database version:   3267 (20080714)
Short description:   Win32/Sality.NAR is a polymorphic file infector.



Installation
When executed the virus drops in folder %system%\drivers\ the following file:
%variable%.sys (5509 B)
%variable% stands for a random text.

The following files are dropped into the %temp% folder:
%variableA%.exe (7680 B)
%variableB%.exe (8192 B)
%variableA%, %variableB% stand for a random text. The files are then executed.


The virus registers itself as a system service using the following name:
IPFILTERDRIVER
The following Registry entries are created:
[HKEY_CURRENT_USER\Software\%username%914]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%filename%" = "%filename%:*:Enabled:ipsec"

The performed command creates an exception in the Windows Firewall program.

The following Registry entries are set:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = 0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = 0

The following Registry entries are deleted:
[HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\Stats]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot]

Executable files infection
Win32/Sality.NAR is a polymorphic file infector. The virus searches local and network drives for files with one of the following extensions:
.exe
Files are infected by adding a new section that contains the virus. The host file is modified in a way that causes the virus to be executed prior to running the original code.

The virus infects files referenced by the following Registry entries:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

This causes the virus to be executed on every system start.

Spreading on removable media
The virus copies itself into the root folders of removable drives using a random filename. The filename has one of the following extensions:
.exe

.pif

.cmd
The following file is dropped in the same folder:
autorun.inf
Thus, the virus ensures it is started each time infected media is inserted into the computer.

Other information
The following files are deleted:
*.vdb

*.avc

*drw*.key
The following services are disabled:
Agnitum Client Security Service
ALG
aswUpdSv
avast! Antivirus
avast! Mail Scanner
avast! Web Scanner
BackWeb Plug-in - 4476822
bdss
BGLiveSvc
BlackICE
CAISafe
ccEvtMgr
ccProxy
ccSetMgr
Eset Service
F-Prot Antivirus Update Monitor
fsbwsys
FSDFWD
F-Secure Gatekeeper Handler Starter
fshttps
FSMA
InoRPC
InoRT
InoTask
ISSVC
KPF4
LavasoftFirewall
LIVESRV
McAfeeFramework
McShield
McTaskManager
navapsvc
NOD32krn
NPFMntor
NSCService
Outpost Firewall main module
OutpostFirewall
PAVFIRES
PAVFNSVR
PavProt
PavPrSrv
PAVSRV
PcCtlCom
PersonalFirewal
PREVSRV
ProtoPort Firewall service
PSIMSVC
RapApp
SmcService
SNDSrvc
SPBBCSvc
Symantec Core LC
Tmntsrv
TmPfw
tmproxy
UmxAgent
UmxCfg
UmxLU
UmxPol
vsmon
VSSERV
WebrootDesktopFirewallDataService
WebrootFirewall
XCOMM
AVP
The virus terminates processes with any of the following strings in the name:
_AVPM.
A2GUARD.
AAVSHIELD.
AVAST
ADVCHK.
AHNSD.
AIRDEFENSE
ALERTSVC
ALMON.
ALOGSERV
ALSVC.
AMON.
ANTI-TROJAN.
AVZ.
ANTIVIR
ANTS.
APVXDWIN.
ARMOR2NET.
ASHAVAST.
ASHDISP.
ASHENHCD.
ASHMAISV.
ASHPOPWZ.
ASHSERV.
ASHSIMPL.
ASHSKPCK.
ASHWEBSV.
ASWUPDSV.
ATCON.
ATUPDATER.
ATWATCH.
AUPDATE.
AUTODOWN.
AUTOTRACE.
AUTOUPDATE.
AVCIMAN.
AVCONSOL.
AVENGINE.
AVGAMSVR.
AVGCC.
AVGCC32.
AVGCTRL.
AVGEMC.
AVGFWSRV.
AVGNT.
AVGNTDD
AVGNTMGR
AVGSERV.
AVGUARD.
AVGUPSVC.
AVINITNT.
AVKSERV.
AVKSERVICE.
AVKWCTL.
AVP.
AVP32.
AVPCC.
AVPM.
AVAST
AVSCHED32.
AVSYNMGR.
AVWUPD32.
AVWUPSRV.
AVXMONITOR9X.
AVXMONITORNT.
AVXQUAR.
BACKWEB-4476822.
BDMCON.
BDNEWS.
BDOESRV.
BDSS.
BDSUBMIT.
BDSWITCH.
BLACKD.
BLACKICE.
CAFIX.
CCAPP.
CCEVTMGR.
CCPROXY.
CCSETMGR.
CFIAUDIT.
CLAMTRAY.
CLAMWIN.
CLAW95.
CLAW95CF.
CLEANER.
CLEANER3.
CLISVC.
CMGRDIAN.
CUREIT
DEFWATCH.
DOORS.
DRVIRUS.
DRWADINS.
DRWEB32W.
DRWEBSCD.
DRWEBUPW.
ESCANH95.
ESCANHNT.
EWIDOCTRL.
EZANTIVIRUSREGISTRATIONCHECK.
F-AGNT95.
FAMEH32.
FAST.
FCH32.
FILEMON
FIRESVC.
FIRETRAY.
FIREWALL.
FPAVUPDM.
F-PROT95.
FRESHCLAM.
EKRN.
FSAV32.
FSAVGUI.
FSBWSYS.
F-SCHED.
FSDFWD.
FSGK32.
FSGK32ST.
FSGUIEXE.
EGUI.
FSMA32.
FSMB32.
FSPEX.
FSSM32.
F-STOPW.
GCASDTSERV.
GCASSERV.
GIANTANTISPYWAREMAIN.
GIANTANTISPYWAREUPDATER.
GUARDGUI.
GUARDNT.
HREGMON.
HRRES.
HSOCKPE.
HUPDATE.
IAMAPP.
IAMSERV.
ICLOAD95.
ICLOADNT.
ICMON.
ICSSUPPNT.
ICSUPP95.
ICSUPPNT.
IFACE.
INETUPD.
INOCIT.
INORPC.
INORT.
INOTASK.
INOUPTNG.
IOMON98.
ISAFE.
ISATRAY.
ISRV95.
ISSVC.
KAV.
KAVMM.
KAVPF.
KAVPFW.
KAVSTART.
KAVSVC.
KAVSVCUI.
KMAILMON.
KPFWSVC.
KWATCH.
LOCKDOWN2000.
LOGWATNT.
LUALL.
LUCOMSERVER.
LUUPDATE.
MCAGENT.
MCMNHDLR.
MCREGWIZ.
MCUPDATE.
MCVSSHLD.
MINILOG.
MYAGTSVC.
MYAGTTRY.
NAVAPSVC.
NAVAPW32.
NAVLU32.
NAVW32.
NOD32.
NEOWATCHLOG.
NEOWATCHTRAY.
NISSERV
NISUM.
NMAIN.
NOD32
NORMIST.
NOTSTART.
NPAVTRAY.
NPFMNTOR.
NPFMSG.
NPROTECT.
NSCHED32.
NSMDTR.
NSSSERV.
NSSTRAY.
NTRTSCAN.
NTXCONFIG.
NUPGRADE.
NVC95.
NVCOD.
NVCTE.
NVCUT.
NWSERVICE.
OFCPFWSVC.
OUTPOST.
PAV.
PAVFIRES.
PAVFNSVR.
PAVKRE.
PAVPROT.
PAVPROXY.
PAVPRSRV.
PAVSRV51.
PAVSS.
PCCGUIDE.
PCCIOMON.
PCCNTMON.
PCCPFW.
PCCTLCOM.
PCTAV.
PERSFW.
PERTSK.
PERVAC.
PNMSRV.
POP3TRAP.
POPROXY.
PREVSRV.
PSIMSVC.
QHM32.
QHONLINE.
QHONSVC.
QHPF.
QHWSCSVC.
RAVMON.
RAVTIMER.
REALMON.
REALMON95.
RFWMAIN.
RTVSCAN.
RTVSCN95.
RULAUNCH.
SAVADMINSERVICE.
SAVMAIN.
SAVPROGRESS.
SAVSCAN.
SCAN32.
SCANNINGPROCESS.
CUREIT.
SDHELP.
SHSTAT.
SITECLI.
SPBBCSVC.
SPHINX.
SPIDERML.
SPIDERNT.
SPIDERUI.
SPYBOTSD.
SPYXX.
SS3EDIT.
STOPSIGNAV.
SWAGENT.
SWDOCTOR.
SWNETSUP.
SYMLCSVC.
SYMPROXYSVC.
SYMSPORT.
SYMWSC.
SYNMGR.
TAUMON.
TBMON.
AVAST
TDS-3.
TEATIMER.
TFAK.
THAV.
THSM.
TMAS.
TMLISTEN.
TMNTSRV.
TMPFW.
TMPROXY.
TNBUTIL.
TRJSCAN.
UP2DATE.
VBA32ECM.
VBA32IFS.
VBA32LDR.
VBA32PP3.
VBSNTW.
VCHK.
VCRMON.
VETTRAY.
VIRUSKEEPER.
VPTRAY.
VRFWSVC.
VRMONNT.
VRMONSVC.
VRRW32.
VSECOMR.
VSHWIN32.
VSMON.
VSSERV.
VSSTAT.
WATCHDOG.
WEBPROXY.
WEBSCANX.
WEBTRAP.
WGFE95.
WINAW32.
WINROUTE.
WINSS.
WINSSNOTIFY.
WRADMIN.
WRCTRL.
XCOMMSVR.
ZATUTOR.
ZAUINST.
ZLCLIENT.
ZONEALARM.
The virus contains a list of URLs. It tries to download several files from the addresses.

These are stored in the following locations:
%temp%\win%variable%.exe

%temp%\%variable%.exe
%variable% stands for a random text. The files are then executed.

The virus creates and runs a new thread with its own program code within the following processes:
%system%\notepad.exe
%system%\winmine.exe

The virus modifies the following file:
SYSTEM.INI
The virus writes the following entries to the file:
[MCIDRV_VER]
DEVICEMB=%number%
The %number% stands for a random number.