
W32/Sality.gen.e

Type
Virus
SubType
Generic
Discovery Date
03/19/2010
Length
Varies
Minimum DAT
5925 (03/19/2010)
Updated DAT
6263 (02/20/2011)
Minimum Engine
5.2.00
Description Added
03/19/2010
Description Modified
07/28/2010 6:03 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low


Characteristics

W32/Sality.gen.e is a parasitic virus that infects Win32 PE executable files.

This is a variant of the W32/Sality virus; more details on the family are available in the separate W32/Sality family description.

----------------------------------------------

Update - 07/28/2010:

Some recent variants will try to connect to the following domains:

bilenbiliyor.com
amerihomesrealty.com
mtc.wz.cz
yucelcavdar.com
www.rafozzo.yoyo.pl
radson_master.fm.interia.pl
bhongircollege.com
birsentekstil.com
www.voko.wz.cz

------------------------------------------------

This particular variant may attempt a connection to the following sites:

  • hxxp://sagocugenc.sa.f[removed]ic.de/images/logos.gif
  • hxxp://www.ele[removed]orini.com/images/logos.gif
  • hxxp://www.city[removed]magazine.com/images/logos.gif
  • hxxp://www.21yybu[removed]lu.com/images/logos.gif
  • hxxp://yucel[removed]dar.com/logos_s.gif
  • hxxp://www.lu[removed]-adv.com/gallery/Fusion/images/logos.gif
  • hxxp://moc[removed]m.de/images/main.gif
  • hxxp://bio[removed].com.tr/main.gif
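The domain list in the 07/28/2010 update is usable as a network indicator set, whereas the partially redacted URLs above are not (the [removed] portions cannot be matched). The following is an added example, not part of the original description: it checks resolver query logs for the listed domains (matching subdomains and the www-less form as well), and emits BIND RPZ records that would sinkhole them. The log format regex assumes a BIND 9 query log; the log lines themselves are constructed for the example. Caveat: these are 2010-era domains and are likely to be expired or sinkholed today, so the matching is most useful for retro-hunting in archived logs rather than live blocking.

```python
import re

# Domains listed in the 07/28/2010 update on this page.
SALITY_DOMAINS = [
    "bilenbiliyor.com", "amerihomesrealty.com", "mtc.wz.cz", "yucelcavdar.com",
    "www.rafozzo.yoyo.pl", "radson_master.fm.interia.pl", "bhongircollege.com",
    "birsentekstil.com", "www.voko.wz.cz",
]


def normalize(name):
    """Lower-case, drop a trailing dot and a leading 'www.' so either form of a host matches."""
    name = name.lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name


IOC_SET = {normalize(d) for d in SALITY_DOMAINS}


def matches_ioc(fqdn):
    """True if fqdn is a listed domain or any subdomain of one (a bare parent such as wz.cz does not match)."""
    labels = normalize(fqdn).split(".")
    return any(".".join(labels[i:]) in IOC_SET for i in range(len(labels)))


# BIND 9 query-log layout; an assumption about how the resolver is configured to log.
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def find_hits(log_lines):
    """Return [(source_ip, queried_name)] for every query that matches the indicator list."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and matches_ioc(m.group("qname")):
            hits.append((m.group("src"), normalize(m.group("qname"))))
    return hits


def rpz_records(domains=SALITY_DOMAINS):
    """Emit BIND RPZ records that return NXDOMAIN for each domain and all of its subdomains."""
    lines = []
    for d in sorted({normalize(x) for x in domains}):
        lines.append("%s CNAME ." % d)
        lines.append("*.%s CNAME ." % d)
    return lines


# Constructed resolver log lines (not from a real incident).
SAMPLE_LOG = [
    "20-Jul-2010 10:15:32.112 client 10.0.0.17#51234: query: bilenbiliyor.com IN A + (10.0.0.2)",
    "20-Jul-2010 10:15:33.004 client 10.0.0.17#51235: query: www.google.com IN A + (10.0.0.2)",
    "20-Jul-2010 10:16:01.771 client 10.0.0.23#49001: query: update.MTC.wz.cz. IN A + (10.0.0.2)",
    "20-Jul-2010 10:16:08.350 client 10.0.0.9#40022: query: voko.wz.cz IN A + (10.0.0.2)",
    "20-Jul-2010 10:16:09.900 client 10.0.0.9#40023: query: wz.cz IN A + (10.0.0.2)",
]

if __name__ == "__main__":
    for src, qname in find_hits(SAMPLE_LOG):
        print("%s queried %s" % (src, qname))
    print("\n".join(rpz_records()))
```

The source IP of each hit is the host to pull for the file-system checks under Symptoms and Method of Infection. On Windows endpoints without a central resolver log, Sysmon's DNS query event carries the same queried name and can be fed to the same matcher.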

Symptoms

  • Unexpected file size increase.
  • Presence of unexpected registry key(s).
  • Services listening on random UDP port(s).

Method of Infection

W32/Sality.gen.e searches local drives, removable media and network shares for Windows PE executable files to infect. It redirects the entry point of each file it infects to its viral code, which it appends to the last section of the PE image.
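The infection method above leaves a structural trace that can be checked without a signature: the AddressOfEntryPoint in the optional header points into the last section of the file, and that section must be executable for the appended code to run. The following is an added example, not part of the original description or of any vendor's engine: a small PE header parser plus a heuristic that flags files whose entry point lies in the last section, with a secondary check (an assumption about appending infectors generally, not a claim the page makes) for a last section marked both writable and executable. The two PE images it inspects are constructed in memory for the test and are not real samples. Packers and self-extracting installers trip the same heuristic, so treat a hit as a candidate for scanning with a current engine and DAT, not as a verdict.

```python
import os
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section header dicts]) for a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                              # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i            # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vaddr": vaddr,
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return entry_rva, sections


def infection_indicators(data):
    """Heuristics for an appending parasitic infector; an empty list means nothing suspicious.
    Packers and installers trip the same checks, so a hit is a lead for AV triage, not a verdict."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return ["no section table"]
    last = sections[-1]
    findings = []
    last_end = last["vaddr"] + max(last["vsize"], last["rawsize"])
    if last["vaddr"] <= entry_rva < last_end:    # page: entry point redirected into appended code
        findings.append("entry point 0x%X lies in last section %r" % (entry_rva, last["name"]))
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        # assumption: appended viral code needs an executable section, and data sections
        # made executable in place usually keep their writable bit
        findings.append("last section %r is writable and executable" % last["name"])
    return findings


def scan_tree(root, exts=(".exe", ".dll", ".scr")):
    """Walk a directory and yield (path, findings) for PE files that trip a check."""
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    findings = infection_indicators(fh.read())
            except (OSError, ValueError, struct.error):
                continue                         # unreadable or not a well-formed PE
            if findings:
                yield path, findings


def build_pe(entry_rva, sections):
    """Build a minimal, non-runnable PE32 image from (name, vaddr, size, characteristics) tuples.
    Constructed test data only, not a real sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    raw_base = (0x40 + 4 + 20 + 224 + 40 * len(sections) + 0x1FF) & ~0x1FF  # 512-byte file alignment
    table, body = b"", b""
    for name, vaddr, size, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, raw_base + len(body), 0, 0, 0, 0, chars)
        body += b"\xCC" * size
    image = bytes(dos) + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (raw_base - len(image)) + body


# Constructed samples: a clean layout (entry point in .text) and one mimicking an appending
# infector (entry point moved into a grown last section that has been made executable).
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CLEAN_PE = build_pe(0x1000, [(b".text", 0x1000, 0x200, CODE), (b".data", 0x2000, 0x200, DATA)])
INFECTED_PE = build_pe(0x2200, [(b".text", 0x1000, 0x200, CODE),
                                (b".data", 0x2000, 0x1400, DATA | IMAGE_SCN_MEM_EXECUTE)])

if __name__ == "__main__":
    print("clean:", infection_indicators(CLEAN_PE))
    print("infected:", infection_indicators(INFECTED_PE))
```

Run scan_tree over the shares the virus targets (local drives, removable media, network shares) and feed every hit to a current engine and DAT; the file-size symptom listed under Symptoms can be confirmed for flagged files by comparing against a known-good copy or a package manifest.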

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.
