Date discovered: 21/11/2008
Type: File infector
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Medium
Damage Potential: Medium to high
Aliases:
• McAfee: W32/Sality.gen virus
• Kaspersky: Virus.Win32.Sality.aa
• F-Secure: Virus.Win32.Sality.aa
• ESET: Win32/Sality.NAU virus
• Bitdefender: Win32.Sality.OG
Methods of propagation:
• Local network
• Mapped network drives
File infection method: This memory-resident infector remains active in memory.
The following file types are infected: *.EXE
Side effects:
• Lowers security settings
• Registry modification
If the system is infected, the following registry key is added:
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
• "AntiVirusOverride"=dword:00000001
• "AntiVirusDisableNotify"=dword:00000001
• "FirewallDisableNotify"=dword:00000001
• "FirewallOverride"=dword:00000001
• "UpdatesDisableNotify"=dword:00000001
• "UacDisableNotify"=dword:00000001
The following registry keys are changed:
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Old value:
• "Hidden"=dword:00000001
New value:
• "Hidden"=dword:00000002
Deactivate Windows XP Firewall:
– [HKLM\SOFTWARE\Microsoft\Security Center]
Old value:
• "AntiVirusDisableNotify"=dword:00000000
• "FirewallDisableNotify"=dword:00000000
• "UpdatesDisableNotify"=dword:00000000
• "AntiVirusOverride"=dword:00000000
• "FirewallOverride"=dword:00000000
• "UacDisableNotify"=dword:00000000
New value:
• "AntiVirusDisableNotify"=dword:00000001
• "FirewallDisableNotify"=dword:00000001
• "UpdatesDisableNotify"=dword:00000001
• "AntiVirusOverride"=dword:00000001
• "FirewallOverride"=dword:00000001
• "UacDisableNotify"=dword:00000001
Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system]
Old value:
• "DisableTaskMgr"=dword:00000000
• "DisableRegistryTools"=dword:00000000
New value:
• "DisableTaskMgr"=dword:00000001
• "DisableRegistryTools"=dword:00000001
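The following PowerShell audit is an added example, not part of the original description: it reads every value listed above, reports those that sit in the infected state, and optionally restores the clean values. It assumes it is run in an elevated session on the affected Windows system; the `-Restore` switch and the `$Indicators` table are the example's own names.

```powershell
# Added example: audit (and optionally reset) the registry values this description
# attributes to Sality. Run elevated. Read-only unless -Restore is supplied.
param([switch]$Restore)

$SecCenter = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$Policies  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\policies\system'
$Explorer  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Path, value name, value seen on an infected system, value to restore.
$Indicators = @()
foreach ($name in 'AntiVirusOverride','AntiVirusDisableNotify','FirewallDisableNotify',
                  'FirewallOverride','UpdatesDisableNotify','UacDisableNotify') {
    # The description lists these under both Security Center and its Svc subkey.
    foreach ($path in $SecCenter, "$SecCenter\Svc") {
        $Indicators += [pscustomobject]@{ Path=$path; Name=$name; Infected=1; Clean=0 }
    }
}
# Explorer "Hidden" flipped from 1 to 2 (2 is also a common legitimate setting,
# so on its own it is a weak indicator; report it only alongside the others).
$Indicators += [pscustomobject]@{ Path=$Explorer; Name='Hidden'; Infected=2; Clean=1 }
foreach ($name in 'DisableTaskMgr','DisableRegistryTools') {
    $Indicators += [pscustomobject]@{ Path=$Policies; Name=$name; Infected=1; Clean=0 }
}

# Collect every value currently in the infected state.
$hits = foreach ($i in $Indicators) {
    if (-not (Test-Path -LiteralPath $i.Path)) { continue }
    $current = (Get-ItemProperty -LiteralPath $i.Path -Name $i.Name `
                -ErrorAction SilentlyContinue).($i.Name)
    if ($null -ne $current -and $current -eq $i.Infected) {
        [pscustomobject]@{ Path=$i.Path; Name=$i.Name; Current=$current; Clean=$i.Clean }
    }
}

if (-not $hits) { Write-Output 'No Sality-style registry changes found.'; return }
$hits | Format-Table -AutoSize

if ($Restore) {
    foreach ($h in $hits) {
        Set-ItemProperty -LiteralPath $h.Path -Name $h.Name -Value $h.Clean -Type DWord
    }
    Write-Output "Restored $($hits.Count) value(s)."
}
```

Resetting these values only undoes the side effects; because the infector stays resident in memory and has patched *.EXE files, it will rewrite them until the infected executables are cleaned or replaced and the machine is rebooted from a known-good state.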
