W32/Sality.Q

Analysis

  • This detection covers samples infected by W32/Sality.Q.

  • Upon execution, the malware drops the following files:
    %WinDir%\asn1sys.exe
    %SystemDir%\vcmgcd32.dl_
    %SystemDir%\vcmgcd32.dll
    All of the above files are W32/Sality-infected variants. The file asn1sys.exe attempts to connect to www.mapheadstart.org, listening on random local ports and connecting to remote port 6667. Some known slight variants in the wild also drop the following files:
    C:\wpincheg32.exe
    %TempFolder%\windvfcf.exe
    %TempFolder%\winwmhi.exe
    The file windvfcf.exe is detected as W32/Agent.AMT!tr.
  • To start automatically, the malware makes the following registry modifications:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Asn1 Security Systems="asn1sys.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    Asn1 Security Systems="asn1sys.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Asn1 Security Systems="asn1sys.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Asn1 Security Systems="asn1sys.exe"
  • This virus attempts to infect various files on the target host, including those in the Windows directory.

  • Upon infecting a host file, the virus adds one section to it, increasing the file size by an estimated 15-21 kilobytes.
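As an added defensive example (not Fortinet's detection logic), the following script turns the two file-level indicators above, one extra PE section and a 15-21 KB size increase, into a baseline-comparison check over an inventory of executables. It assumes "kilobyte" means 1024 bytes and constructs minimal PE images in memory so it can be run offline.

```python
import struct

KB = 1024
MIN_GROWTH, MAX_GROWTH = 15 * KB, 21 * KB  # size increase described on the page


def pe_section_count(data: bytes) -> int:
    """Return NumberOfSections from the COFF file header, or -1 if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return -1
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return -1
    # COFF header follows the 4-byte signature; NumberOfSections is its second field
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    return n_sections


def inventory(files: dict) -> dict:
    """Build {path: (size, section_count)} from {path: file_bytes}."""
    return {path: (len(data), pe_section_count(data)) for path, data in files.items()}


def flag_sality_like(baseline: dict, current: dict) -> list:
    """Compare a trusted inventory with a fresh one and return paths that gained
    exactly one section while growing 15-21 KB, the pattern this infector leaves."""
    hits = []
    for path, (size, sections) in current.items():
        if path not in baseline or sections < 0:
            continue  # new file or not a PE: outside this heuristic's scope
        old_size, old_sections = baseline[path]
        growth = size - old_size
        if sections == old_sections + 1 and MIN_GROWTH <= growth <= MAX_GROWTH:
            hits.append(path)
    return sorted(hits)


def build_sample_pe(n_sections: int, total_size: int) -> bytes:
    """Constructed minimal PE image for offline testing (headers only, not runnable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n_sections, 0, 0, 0, 0, 0x0102)
    body = dos + coff
    return body + b"\0" * (total_size - len(body))


if __name__ == "__main__":
    clean = build_sample_pe(4, 100 * KB)
    base = inventory({"app.exe": clean, "tool.exe": clean})
    now = inventory({"app.exe": build_sample_pe(5, 118 * KB),   # +1 section, +18 KB
                     "tool.exe": build_sample_pe(4, 118 * KB)})  # grew, no new section
    print(flag_sality_like(base, now))  # ['app.exe']
```

A size-only check would also flag legitimately updated binaries, which is why the section count is required as well.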
Recommended Action


    • FortiGate systems:

    • Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option.

    • FortiClient systems:

    • Quarantine or delete the infected files detected and replace them with clean backup copies.

Telemetry

Detection Availability

    FortiGate: Extreme
    FortiClient: Extended
    FortiMail: Extended
    FortiSandbox: Extended
    FortiWeb: Extended
    Web Application Firewall: Extended
    FortiIsolator: Extended
    FortiDeceptor: Extended
    FortiEDR