W32/Sality.ao

Type: Virus
SubType: Win32
Discovery Date: 09/22/2008
Length: varies
Minimum DAT: 5389 (09/22/2008)
Updated DAT: 5760 (10/03/2009)
Minimum Engine: 5.2.00
Description Added: 09/22/2008
Description Modified: 09/26/2008 5:25 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

W32/Sality.ao is a parasitic virus that infects Win32 PE executable files. It infects files (*.exe and *.scr files) on the local, network and removable drives by overwriting code in the entry point of the original file and saving the overwritten code in its virus body. It then appends the virus body to the host file.

Upon infection, it creates the following mutex to ensure that only one instance of the virus is active on a computer at any time:

  • Op1mutx9

It disables Regedit and Task Manager by modifying the following registry values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system "DisableRegistryTools"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system "DisableTaskMgr"

It disables the Windows XP Security Center by modifying the following registry values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusDisableNotify"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallDisableNotify"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "UacDisableNotify"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "UpdatesDisableNotify"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc "AntiVirusDisableNotify"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc "AntiVirusOverride"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc "FirewallDisableNotify"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc "FirewallOverride"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc "UacDisableNotify"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc "UpdatesDisableNotify"

It downloads further malware from the following locations (URLs partially redacted):

  • hxxp://mattfoll.eu.interia.pl/[Removed]
  • hxxp://st1.dist.su.lt/l[Removed]
  • hxxp://lpbmx.ru/[Removed]
  • hxxp://bjerm.mass.hc.ru/[Removed]
  • hxxp://SOSiTE_AVERI_SOSiTEEE.[Removed]

It adds the following entry to the SYSTEM.INI file:

[MCIDRV_VER]
DEVICEMB={Random numbers}

Symptoms

  • Presence of the file(s) mentioned.
  • Presence of the registry key(s) mentioned.
  • Unexpected network traffic to one or more of the domain(s) mentioned.
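The registry values and the SYSTEM.INI entry listed above are the host-side indicators a responder can check for. The following Python script is an added example, not McAfee's own tooling: it audits a registry snapshot and a SYSTEM.INI file for exactly those indicators. The snapshot dictionaries and INI text are constructed sample data; on a live Windows host the snapshot would be collected with the `winreg` module or a `reg export`, which is left out so the check runs offline on any platform. Treating any non-zero data in these value slots as "tampered" is the script's assumption; the advisory names the values but does not state the data the virus writes.

```python
"""Audit a host snapshot for the W32/Sality.ao indicators named in the advisory.

Added example code (not McAfee's). The registry value names and the SYSTEM.INI
entry come from the advisory; the snapshots below are CONSTRUCTED sample data.
"""
import configparser
import re

# Registry values the advisory says the virus modifies: (key path, value name).
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system"
SECURITY_CENTER_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc",
)
SECURITY_CENTER_VALUES = (
    "AntiVirusDisableNotify", "AntiVirusOverride",
    "FirewallDisableNotify", "FirewallOverride",
    "UacDisableNotify", "UpdatesDisableNotify",
)
INDICATOR_VALUES = [(POLICY_KEY, "DisableRegistryTools"), (POLICY_KEY, "DisableTaskMgr")]
for _key in SECURITY_CENTER_KEYS:
    INDICATOR_VALUES.extend((_key, name) for name in SECURITY_CENTER_VALUES)


def check_registry(snapshot):
    """Return (key, value name, data) triples that look tampered.

    `snapshot` maps a registry key path to a dict of value name -> data.
    Assumption (not stated in the advisory): these are REG_DWORD flags and any
    non-zero data means the feature is disabled or overridden. Key paths and
    value names are compared case-insensitively, as the registry itself does.
    """
    normalized = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in snapshot.items()}
    findings = []
    for key, name in INDICATOR_VALUES:
        data = normalized.get(key.lower(), {}).get(name.lower())
        if data is None:
            continue  # value absent: nothing to report
        try:
            tampered = int(data) != 0
        except (TypeError, ValueError):
            tampered = True  # non-numeric data in a DWORD slot is itself suspicious
        if tampered:
            findings.append((key, name, data))
    return findings


def check_system_ini(text):
    """Return the DEVICEMB value if SYSTEM.INI carries the [MCIDRV_VER] marker, else None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    if not parser.has_section("MCIDRV_VER"):
        return None
    value = parser.get("MCIDRV_VER", "DEVICEMB", fallback=None)
    # The advisory describes the data as random numbers, so only a numeric value counts.
    if value is not None and re.fullmatch(r"\d+", value.strip()):
        return value.strip()
    return None


# Constructed sample data: one clean host and one host showing the indicators.
CLEAN_SNAPSHOT = {
    POLICY_KEY: {"DisableTaskMgr": 0},
    SECURITY_CENTER_KEYS[0]: {"AntiVirusDisableNotify": 0, "FirewallDisableNotify": 0},
}
INFECTED_SNAPSHOT = {
    POLICY_KEY: {"DisableRegistryTools": 1, "DisableTaskMgr": 1},
    SECURITY_CENTER_KEYS[0]: {"AntiVirusOverride": 1, "UacDisableNotify": 1},
    SECURITY_CENTER_KEYS[1]: {"FirewallDisableNotify": 1},
}
CLEAN_INI = "[drivers]\nwave=mmdrv.dll\ntimer=timer.drv\n[mci]\n[driver32]\n"
INFECTED_INI = CLEAN_INI + "[MCIDRV_VER]\nDEVICEMB=5012873364\n"  # constructed marker value


if __name__ == "__main__":
    for label, snap, ini in (("clean", CLEAN_SNAPSHOT, CLEAN_INI),
                             ("infected", INFECTED_SNAPSHOT, INFECTED_INI)):
        print(label, "registry findings:", check_registry(snap))
        print(label, "SYSTEM.INI marker:", check_system_ini(ini))
```

A positive result from either check is a triage signal, not proof of infection on its own: the Security Center values can also be changed legitimately by administrators, so findings should be correlated with the file-level symptoms above.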

Method of Infection

W32/Sality.ao searches local drives, removable and network shares for Windows PE executable files to infect. It replaces the original entry point of the files it infects with its viral code and appends itself to the last section of the PE image.
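Because the virus redirects the entry point into code it appended to the last section, an entry point that resolves to the last section of a PE image is a cheap triage heuristic for this class of appending infector. The Python below is an added example, not part of the advisory or of any McAfee engine logic: it parses the PE headers, finds the section that owns `AddressOfEntryPoint`, and reports the appending pattern. The two in-memory images are constructed header-only fixtures with no real code; the writable-plus-executable last-section check is a general heuristic the advisory does not mention, included as an assumption.

```python
"""Heuristic: does the PE entry point land in the last section?

Added example code (not McAfee's). The PE images built below are CONSTRUCTED
header-only fixtures; the section flags chosen for the "infected" fixture are
an assumption about what an appending infector leaves behind.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data):
    """Return (entry_rva, [(name, virtual_address, virtual_size, raw_size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(num_sections):
        name, vsize, vaddr, rawsize, _rawptr, _rel, _ln, _nrel, _nln, chars = \
            struct.unpack_from(SECTION_HEADER_FMT, data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rawsize, chars))
        off += struct.calcsize(SECTION_HEADER_FMT)
    return entry_rva, sections


def entry_point_section(data):
    """(index, name) of the section holding the entry point, or None if it maps to no section."""
    entry_rva, sections = parse_sections(data)
    for idx, (name, vaddr, vsize, rawsize, _chars) in enumerate(sections):
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            return idx, name
    return None


def looks_appended(data):
    """True when the entry point resolves to the last of several sections."""
    _, sections = parse_sections(data)
    hit = entry_point_section(data)
    return len(sections) > 1 and hit is not None and hit[0] == len(sections) - 1


def triage(data):
    """Human-readable reasons this image deserves a closer look (empty list = nothing found)."""
    reasons = []
    _, sections = parse_sections(data)
    if looks_appended(data):
        reasons.append("entry point resolves to the last section")
    if sections and (sections[-1][4] & IMAGE_SCN_MEM_EXECUTE) and (sections[-1][4] & IMAGE_SCN_MEM_WRITE):
        reasons.append("last section is both writable and executable")
    return reasons


def build_pe(sections, entry_rva):
    """Assemble a header-only PE32 image (constructed test fixture, no real code)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    opt_size = 0xE0                                      # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", optional, 16, entry_rva)
    raw_ptr = (0x40 + 4 + len(coff) + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    table = b""
    for name, vaddr, vsize, rawsize, chars in sections:
        table += struct.pack(SECTION_HEADER_FMT, name.encode().ljust(8, b"\0"),
                             vsize, vaddr, rawsize, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += rawsize
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table


CODE = 0x60000020   # IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ
DATA = 0xC0000040   # IMAGE_SCN_CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
# Clean fixture: entry point inside .text, the first section.
CLEAN_PE = build_pe([(".text", 0x1000, 0x500, 0x600, CODE),
                     (".data", 0x2000, 0x200, 0x200, DATA)], entry_rva=0x1100)
# Appended-style fixture (assumption): entry moved into an enlarged, executable last section.
INFECTED_PE = build_pe([(".text", 0x1000, 0x500, 0x600, CODE),
                        (".data", 0x2000, 0x4200, 0x4200, DATA | IMAGE_SCN_MEM_EXECUTE)], entry_rva=0x2300)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("infected-style", INFECTED_PE)):
        print(label, entry_point_section(image), triage(image))
```

Packed or self-extracting executables legitimately place their entry point in a late section, so `triage()` output is a reason to pull the file for signature scanning, not a verdict by itself.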

Removal

A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

    N/A

Aliases

  • PE_SALITY.JER (Trend Micro)
  • Virus.Win32.Sality.aa (Kaspersky)
  • Virus.Win32.Sality.y (Ikarus)
  • Virus:Win32/Sality.AM (Microsoft)
  • W32.Sality.AE (Symantec)
  • W32/Sality-AM (Sophos)
  • W32/Sality.AE (Norman)
  • W32/Sality.AH (Panda)
  • W32/Sality.AK (F-Prot)
  • Win32.KUKU.a (Rising)
  • Win32.Sality.OG (BitDefender)
  • Win32/Sality.AA (VET)
