
WindowsCare to Sality - Save my In-Law's Marriage


4 replies to this topic

#1 mattblick

mattblick

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:01 AM

Posted 13 December 2014 - 12:43 PM

I posted this in the security logs section by mistake yesterday.  If a moderator could delete that post.


My father-in-law fell for the Windows Care phone call scam 2 weeks ago. I took the PC off the network, found the AMMYY and ran 2 additional sweeps, RKILL-->JRT-->Adwcleaner--> Malwarebytes; all clean. I told them they could put it back on the network on Monday after a third sweep.

Yesterday, on their laptop, MWB found Sality.....

I'm not going to mess around fighting the issue on the O/S, I'm not chasing a virus that can transpose networks. I told them the bad news that all of their PCs are getting wiped, Mother-In-Law very upset. I took 2 laptops, 2 workstations, a Windows Media Center PC, and their Windows Home Server and put them in quarantine. I then told Mother-In-Law that we might not be able to save the .JPG files off their "main" workstation; she was literally in tears. I have picture backups I made in September on external drives at my house, and reminded her of that. She has spent a lot of time in recent months sorting and cataloging pictures from the whole family, including scanning borrowed old photos. This could be hundreds of hours of lost work; but if there is any chance of re-infection it is gone.

I have read varied things about whether or not Sality can have *.JPG files infected. One poster to several forums, Broni, has posts specifying JPGs can't be saved. A post here from Quietman7 does not specify that JPG files can be infected as long as you pay attention to file extension spacing tricks. I had not considered file injection before reading Quietman7's post; he may have saved us future heartache. I had started rebuilding the laptops from the built-in recovery partitions before leaving their house after midnight. I'll be killing them again, all partitions gone, over the weekend. I have Windows 7 media for their workstations, can get the media for the Windows 7/8 laptops, but their WHS box might be a brick now.

My thought is to stand up an offline fresh O/S "cleaning machine"; I can boot from the clean PC, scan the suspect hard drives, move the pictures to another fresh hard drive, then rebuild the PC that did the scanning again. I have found several specific Sality removal tools, but also plan on using additional scanners (copied from a thumb drive whose partition I will remove prior to ejecting).

Is this approach safe or do I just need to forget about the pictures?

Thanks in advance for any input.


#2 pyroclastic

pyroclastic

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:01 AM

Posted 13 December 2014 - 03:22 PM

I have read varied things about whether or not Sality can have *.JPG files infected. A post here from Quietman7 does not specify that JPG files can be infected as long as you pay attention to file extension spacing tricks.

 

If you pay close attention to file extensions it should be completely safe to rescue your genuine jpg files. Sality, like almost any other file infector family, will inject executable files, since infecting other files would be moot. If the file isn't designed to execute code Sality won't run even if it'd inject itself into a jpg. Whatever interprets your jpg wouldn't know what to do with the code in that file. Injected non-executable files would only be dangerous if the injected payload would somehow exploit the system, e.g. the rendering engine, which then would in turn lead to executable code, but I've never seen that type of behavior with Sality. However, pay attention to file extensions as Sality may place (or was dropped in the first place) as jpg-disguised exe, com or scr files.

 

If you don't want to hook up the infected hard drives to a clean machine or move the files in Windows you could use a live system from CD or USB. Some "rescue systems" also have some kind of antivirus scanner you could use to make sure you didn't copy anything infected by accident. Just bear in mind that when 'disinfecting' you should still rebuild those systems, as those scanners might miss something since you are dealing with a polymorphic virus, and be prepared that the 'cleaned' systems might not boot afterwards, because file repair with polymorphic threats is not always neat and can lead to totally unexpected results.



#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,470 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:01 AM

Posted 13 December 2014 - 05:19 PM

Sality typically infects .exe, .scr files, creates a peer-to-peer (P2P) botnet that compromises the computer, downloads more malicious files to your computer, steals sensitive system information/passwords and sends it back to the attacker. There are many variants... W32/Sality-AM being one of the more recent ones.

Symantec reported Sality Goes LNK.

This dropper enumerates available network shares. It will try to create a .dll file, semi-randomly named “z[HEXADECIMAL NUMBER].tmp”, on each of them. It also recursively lists subdirectories of a share and tries to create, in each of them, a link file exploiting BID 41732. The LNK file is customized to load the .dll file, which contains an encrypted copy of Sality. The names of the .lnk files can be based on existing files found on the shares, with an appended .lnk extension, or can be randomly chosen from a hardcoded list of benign or suggestive names:...

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 mattblick

mattblick
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:01 AM

Posted 13 December 2014 - 06:58 PM

Sality typically infects .exe, .scr files, creates a peer-to-peer (P2P) botnet that compromises the computer, downloads more malicious files to your computer, steals sensitive system information/passwords and sends it back to the attacker. There are many variants... W32/Sality-AM being one of the more recent ones.

Symantec reported Sality Goes LNK.

This dropper enumerates available network shares. It will try to create a .dll file, semi-randomly named “z[HEXADECIMAL NUMBER].tmp”, on each of them. It also recursively lists subdirectories of a share and tries to create, in each of them, a link file exploiting BID 41732. The LNK file is customized to load the .dll file, which contains an encrypted copy of Sality. The names of the .lnk files can be based on existing files found on the shares, with an appended .lnk extension, or can be randomly chosen from a hardcoded list of benign or suggestive names:...

 

Thank you for the responses Pyro and Quietman,

It sounds like I can move the picture files off of the "dirty" drive to a separate drive on a PC with a clean-built O/S. I need to be sure to deselect "hide known file extensions" and also watch very closely for .exe, .scr, .dll, .pif and .lnk files. With that in mind we should be good to go?

I've spent the past 3 days rebuilding the PCs, leaving old drives in quarantine. Have the Windows media creation tool bringing down 8.1 files. A lot of work but I'd rather reload than chase viruses.

Think backing up photos on read-only optical media (in addition to magnetic and flash) will be a good idea just in case we again have to be concerned with compromising that.


Edited by mattblick, 13 December 2014 - 06:58 PM.
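The checklist above (real extension visible, watch for .exe/.scr/.dll/.pif/.lnk), pyroclastic's warning about jpg-disguised executables and the extension-spacing trick, and the Symantec note quietman7 quoted (.lnk files named after existing files, z[HEX].tmp droppers on shares) can all be turned into one triage pass run from the clean machine before anything is copied to the fresh drive. The script below is an added example written for this thread; it is not code from any poster or from BleepingComputer. It checks each file's name and its first bytes (JPEG, MZ and shell-link headers), and the sample tree it builds in a temporary directory is constructed here purely to exercise the checks. The function and constant names are mine.

```python
from __future__ import annotations

import os
import re
import tempfile

# Extensions the thread says to watch for: Sality infects .exe/.scr, drops .dll and .lnk,
# pyroclastic also names .com, and .pif is on mattblick's own list.
EXECUTABLE_EXTS = {".exe", ".scr", ".dll", ".pif", ".lnk", ".com"}
IMAGE_EXTS = {".jpg", ".jpeg"}

JPEG_MAGIC = b"\xff\xd8\xff"        # JPEG start-of-image marker
MZ_MAGIC = b"MZ"                    # DOS/PE header: .exe, .scr, .dll, PE-style .com
LNK_MAGIC = b"\x4c\x00\x00\x00"     # Shell Link HeaderSize field, always 0x0000004C

# "photo.jpg        .exe" or "photo.jpg.scr": an image extension parked before the real one
DOUBLE_EXT_RE = re.compile(r"\.jpe?g\s*\.[a-z0-9]{1,4}$")
# "z[HEXADECIMAL NUMBER].tmp" naming from the Symantec write-up quoted in the thread
DROPPER_TMP_RE = re.compile(r"^z[0-9a-f]+\.tmp$")


def classify(filename: str, head: bytes) -> list[str]:
    """Return reasons NOT to copy this file to the clean drive; an empty list means it
    looks like a genuine image. `head` is the first few bytes of the file."""
    reasons = []
    lower = filename.lower()
    _, ext = os.path.splitext(lower)

    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable/link extension {ext}")
    if DROPPER_TMP_RE.match(lower):
        reasons.append("name matches the z[HEX].tmp dropper pattern")
    if DOUBLE_EXT_RE.search(lower) and ext not in IMAGE_EXTS:
        reasons.append("image extension hidden before the real extension")
    if ext in IMAGE_EXTS and not head.startswith(JPEG_MAGIC):
        reasons.append("named as JPEG but content is not a JPEG")
    if head.startswith(MZ_MAGIC):
        reasons.append("content is a Windows executable (MZ header)")
    if head.startswith(LNK_MAGIC):
        reasons.append("content is a Windows shell link (.lnk header)")
    return reasons


def triage_directory(root: str) -> dict[str, list[str]]:
    """Walk `root` (the dirty drive, mounted read-only on the clean machine) and report
    every file that should be left behind, keyed by path relative to root."""
    findings: dict[str, list[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        present = set(filenames)
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                head = fh.read(8)
            reasons = classify(name, head)
            # Symantec: .lnk names may be an existing file's name plus ".lnk"
            if name.lower().endswith(".lnk") and name[:-4] in present:
                reasons.append("link named after an existing file in the same folder")
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings


# Constructed sample tree: file contents are only headers, enough to drive the checks.
SAMPLE_FILES = {
    "family/beach.jpg": JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00",   # genuine-looking JPEG
    "family/beach.jpg.lnk": LNK_MAGIC + b"\x01\x14\x02\x00",     # link mirroring an existing file
    "family/beach.jpg        .exe": MZ_MAGIC + b"\x90\x00",      # extension-spacing trick
    "family/scan01.jpg": MZ_MAGIC + b"\x90\x00",                 # executable renamed to .jpg
    "scans/z1a2b3.tmp": b"\x00" * 8,                             # dropper-style temp name only
}


def demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return triage_directory(root)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(f"SKIP {path}: {'; '.join(reasons)}")
```

Everything that is not reported is a candidate for copying; only beach.jpg survives the sample run. Reading the header rather than trusting the name is what catches scan01.jpg, which looks fine in Explorer even with extensions shown. The script only knows the patterns named in this thread, so it is a filter for what to leave behind, not proof that the rest is clean; the rescued files should still go through the scanner on the clean machine as pyroclastic suggests.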


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,470 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:01 AM

Posted 13 December 2014 - 07:07 PM

Not a problem.

BTW any time you want to check a file for malware or get a second opinion, you can submit it to one of the online services that analyzes suspicious files:

In the "File to Scan" (Upload or Submit) box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis. If you get a message saying "File has already been analyzed", click Reanalyze or Scan again.



