SonicALERT
Search

Sonicwall Signatures

 

Go to All Categories list.


  Sality.TN
Sality.TN is a polymorphic file infector virus that target Microsoft Windows operating systems. It is known to infect files with .exe and .scr extensions on local drives, removable media, and network shares. Sality infected systems communicates with the Command and Control server over a P2P network.

      Process Related Changes
      It creates the following mutex(es):
      • rundll32.exeM_1984_"
      • ctfmon.exeM_2012_"
      • 004457749ec1a2ea02c238a0f26f35e5.exeM_1588_"
      • CTF.Compart.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • alg.exeM_1492_"
      • smss.exeM_388_"
      • CTF.Layouts.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • CTF.Asm.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • svchost.exeM_1148_"
      • CTF.LBES.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • services.exeM_896_"
      • c:!documents and settings!admin!cookies!"
      • explorer.exeM_1852_"
      • tlntsrv.exeM_312_"
      • c:!documents and settings!admin!local settings!history!history.ie5!"
      • Ap1mutx7"
      • winlogon.exeM_588_"
      • wmiprvse.exeM_852_"
      • svchost.exeM_1336_"
      • WininetConnectionMutex"
      • csrss.exeM_564_"
      • c:!documents and settings!admin!local settings!temporary internet files!content.ie5!"
      • spoolsv.exeM_1704_"
      • svchost.exeM_128_"
      • CTF.TMD.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • reader_sl.exeM_1988_"
      • svchost.exeM_1272_"
      • CTF.TimListCache.FMPDefaultS-1-5-21-1078081533-842925246-854245398-1003MUTEX.DefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • jqs.exeM_244_"
      • Shell.CMruPidlList"
      • MSCTF.Shared.MUTEX.AOH"
      • svchost.exeM_1068_"
      • uxJLpe1m"
      • lsass.exeM_908_"

      It creates the following process(es):
      • C:\WINDOWS\Temp\004457749ec1a2ea02c238a0f26f35e5.exe [ \c:\windows\temp\004457749ec1a2ea02c238a0f26f35e5.exe ]

      It injects malicious code into the following process(es):
      • "C:\WINDOWS\system32\ctfmon.exe"
      • "C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe"
      • "C:\WINDOWS\system32\rundll32.exe"
      • "C:\WINDOWS\explorer.exe"

          Registry Related Changes
          It makes the following registry modifications to ensure infection after system reboot:
          • HKU\s-1-5-21-1078081533-842925246-854245398-1003classes\folder\shell\open\command\= _Special_Characters_
          • HKCR\folder\shellex\columnhandlers\= _Special_Characters_
          • HKCR\folder\shell\open\command\= _Special_Characters_
          • HKU\s-1-5-21-1078081533-842925246-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Run\= _Special_Characters_
          • HKLM\software\microsoft\internetexplorer\toolbar\= _Special_Characters_
          • HKLM\system\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\= _Special_Characters_
          • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\= _Special_Characters_
          • HKLM\software\microsoft\windows\currentversion\explorer\browserhelperobjects\= _Special_Characters_
          • HKU\s-1-5-21-1078081533-842925246-854245398-1003classes\folder\shellex\columnhandlers\= _Special_Characters_
          • HKU\s-1-5-21-1078081533-842925246-854245398-1003\software\microsoft\internetexplorer\toolbar\= _Special_Characters_


          Relevant Information