A new variant of Sality, one of the most active families of metamorphic file infectors to date, has been released.
In this latest variant, Sality still spreads by its old methods: it infects local and network disks, infects a copy of winmie.exe or notepad.exe and puts it onto removable drives together with an autorun.inf file that executes the infector. However, instead of using the Entry Point Obscuring (EPO) technique as the previous variant did, this variant of Sality uses a simpler method to gain control of the host PE file. It replaces the first instruction at the host's entry point with a call instruction (E8 opcode). This call transfers control to the virus's metamorphic code at the end of the file, which then decrypts the virus body that does the main work. When the virus body runs, it searches for victims to infect. During this process, if a file's name is on Sality's blacklist (almost all the filenames on this blacklist belong to security tools), the infector makes the file unable to execute properly by overwriting the instruction at its entry point with a ret instruction (C3 opcode). When the user then executes this file, the process terminates immediately.
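The two entry-point modifications described above (a call into code appended at the end of the file, and a bare ret overwriting the first instruction) are both visible in the PE file on disk without running it. The following triage script is an added example written for this page; it is not Bkav's detection logic and not the virus's code. It parses the PE headers by hand, locates the file bytes at AddressOfEntryPoint, and flags a C3 at the entry point or an E8 whose target lands in the last section of the file (where appended code ends up) rather than in the entry point's own section. The build_pe() helper and the section name ".extra" are constructed purely so the check can be exercised offline on a synthetic image; the opcode values E8 and C3 and the section-characteristic flags are standard x86/PE constants.

```python
import struct

# Verdict strings returned by check_entry_point()
CLEAN = "clean"
RET_AT_ENTRY = "ret-at-entry"                  # C3 overwrite: the "disabled file" pattern
CALL_TO_APPENDED = "call-to-appended-code"     # E8 whose target is in the last section
CALL_UNMAPPED = "call-to-unmapped-rva"         # E8 whose target is not backed by any section
CALL_OTHER = "call-to-mapped-code"             # E8 elsewhere (common for compiler entry stubs)
SCN_MEM_WRITE_EXEC = 0xA0000000                # IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE

def parse_pe(data):
    """Return (entry_rva, sections) from a PE32/PE32+ file image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("bad MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "va": va, "vsize": vsize,
                         "raw": raw, "rawsize": rawsize, "chars": chars})
    return entry_rva, sections

def rva_to_offset(rva, sections):
    """Map an RVA to (file offset, owning section); (None, None) if no section covers it."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["raw"] + (rva - s["va"]), s
    return None, None

def check_entry_point(data):
    """Classify the first instruction at the entry point of a PE file image."""
    entry_rva, sections = parse_pe(data)
    ep_off, ep_sec = rva_to_offset(entry_rva, sections)
    if ep_off is None or ep_off >= len(data):
        raise ValueError("entry point not backed by file data")
    first = data[ep_off]
    if first == 0xC3:
        return {"verdict": RET_AT_ENTRY, "section": ep_sec["name"]}
    if first == 0xE8 and ep_off + 5 <= len(data):
        rel = struct.unpack_from("<i", data, ep_off + 1)[0]   # rel32 is relative to the next instruction
        target_rva = (entry_rva + 5 + rel) & 0xFFFFFFFF
        _, tgt_sec = rva_to_offset(target_rva, sections)
        if tgt_sec is None:
            return {"verdict": CALL_UNMAPPED, "target_rva": target_rva}
        if tgt_sec is not ep_sec and tgt_sec is sections[-1]:
            return {"verdict": CALL_TO_APPENDED, "target_rva": target_rva, "section": tgt_sec["name"],
                    "writable_exec": (tgt_sec["chars"] & SCN_MEM_WRITE_EXEC) == SCN_MEM_WRITE_EXEC}
        return {"verdict": CALL_OTHER, "target_rva": target_rva}
    return {"verdict": CLEAN}

def build_pe(text, appended=None):
    """Constructed minimal PE32 image for testing only: .text at RVA 0x1000 and an optional
    ".extra" section (hypothetical name) at RVA 0x2000 standing in for appended code."""
    secs = [(b".text", 0x1000, text, 0x60000020)]               # code | execute | read
    if appended is not None:
        secs.append((b".extra", 0x2000, appended, 0xE0000020))   # code | execute | read | write
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                      # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x1000)                # AddressOfEntryPoint
    struct.pack_into("<I", hdr, opt + 28, 0x400000)              # ImageBase
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)        # section / file alignment
    struct.pack_into("<I", hdr, opt + 60, 0x200)                 # SizeOfHeaders
    pos, raw, body = opt + 224, 0x200, b""
    for name, va, content, chars in secs:
        rawsize = (len(content) + 0x1FF) & ~0x1FF
        hdr[pos:pos + 40] = name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(content), va, rawsize, raw, 0, 0, 0, 0, chars)
        body += content.ljust(rawsize, b"\0")
        pos, raw = pos + 40, raw + rawsize
    return bytes(hdr) + body

# Constructed sample entry stub: push ebp; mov ebp,esp; sub esp,8; leave; ret
CLEAN_STUB = bytes.fromhex("558bec83ec08c9c3")

def patch_call_to(text, target_rva):
    """Constructed: overwrite the first 5 bytes at RVA 0x1000 with `call target_rva`."""
    return b"\xE8" + struct.pack("<i", target_rva - (0x1000 + 5)) + text[5:]

if __name__ == "__main__":
    print(check_entry_point(build_pe(CLEAN_STUB)))
    print(check_entry_point(build_pe(patch_call_to(CLEAN_STUB, 0x2000), b"\x90" * 64)))
    print(check_entry_point(build_pe(b"\xC3" + CLEAN_STUB[1:])))
```

For real files, call check_entry_point(open(path, "rb").read()). A call at the entry point is not suspicious by itself (many compiler entry stubs begin with one), which is why only a call out of the entry section into the file's last section is reported as the appended-code pattern; packers and unusual linkers can also produce that layout, so treat the verdict as a triage signal to be confirmed by a scanner, not as a final judgement.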
In addition, Sality tries different ways to protect itself, such as disabling Windows Task Manager and Windows Registry Editor, attacking antivirus programs, keeping Windows Security Center from producing alert messages and preventing the user from using Windows in Safe Mode. The virus loads its kernel driver and registers its filter function with the Windows IP Traffic Filter Driver. This means Sality has its own custom firewall, which monitors the user's Internet traffic and prevents the computer from accessing antivirus vendors' websites. In this way, communication between users and antivirus vendors over the Internet is broken: antivirus programs cannot connect to their sites to update their databases, and users cannot get solutions from the vendors to fix their problem. Furthermore, Sality downloads and executes other malware on the infected computer. All these tasks put users' systems at high risk: users' sensitive information can be stolen without their consent.
Back to the technique: older versions of the virus used the RC4 algorithm to encrypt the main virus body, whereas the latest version uses a much simpler addition/subtraction/exclusive-OR scheme. However, the metamorphic code generated to decrypt the main virus body is more complex than in the older versions. It is harder to tell which instructions actually decrypt the virus body and which are only junk code, and which registers hold useful values and which do not. Antivirus programs must use more sophisticated analysis to collect enough parameters to decrypt and clean the virus from host files.
This variant of Sality is detected by our antivirus software, Bkav, as W32.SalityVI.PE.
Analyst: Nguyen Ngoc Zung