Sality.BH_6 is a polymorphic file infector virus that target Microsoft Windows operating systems. It is known to infect files with .exe and .scr extensions on local drives, removable media, and network shares. Sality infected systems communicates with the Command and Control server over a P2P network.
File Related Changes
It drops the following file(s) on the system:
- "c:\Users\Admin\AppData\Local\Temp\winwgkgbn.exe"
- "c:\ftkte.pif"
Process Related Changes
It creates the following mutex(es):
- "svchost.exeM_1808_"
- "cisvc.exeM_1672_"
- "svchost.exeM_332_"
- "spoolsv.exeM_1616_"
- "winlogon.exeM_388_"
- "searchindexer.exeM_2504_"
- "ui0detect.exeM_2068_"
- "uxJLpe1m"
- "svchost.exeM_772_"
- "psxss.exeM_340_"
- "csrss.exeM_304_"
- "svchost.exeM_996_"
- "services.exeM_444_"
- "svchost.exeM_852_"
- "svchost.exeM_2212_"
- "ng_vmsvc.exeM_3384_"
- "explorer.exeM_1192_"
- "inetinfo.exeM_1776_"
- "svchost.exeM_564_"
- "sppsvc.exeM_3956_"
- "wmpnetwk.exeM_4000_"
- "wininit.exeM_364_"
- "e323315f8a79924d67120c1b8d9bf08d.exeM_3444_"
- "nfsclnt.exeM_1344_"
- "trustedinstaller.exeM_4092_"
- "tlntsrv.exeM_260_"
- "smss.exeM_220_"
- "svchost.exeM_680_"
- "tcpsvcs.exeM_2036_"
- "taskhost.exeM_1244_"
- "lsass.exeM_456_"
- "reader_sl.exeM_1436_"
- "smsvchost.exeM_1880_"
- "dwm.exeM_1180_"
- "lsm.exeM_464_"
- "svchost.exeM_1520_"
- "svchost.exeM_632_"
- "Ap1mutx7"
- "svchost.exeM_1844_"
- "svchost.exeM_1652_"
- "svchost.exeM_928_"
- "csrss.exeM_348_"
- "svchost.exeM_1744_"
It injects malicious code into the following process(es): - "C:\Windows\system32\taskhost.exe"
- "C:\Windows\system32\Dwm.exe"
- "C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe"
|
