W32.Sality, commonly known as the Sality virus, is a malware program that infects .exe and .scr files, spreading every time an infected host file is executed. The virus also includes an autorun component, through which it spreads to any removable medium. It also carries a downloader Trojan component, which downloads and installs more malware when the machine is connected to the web.
The virus first appeared in 2003 in Russia. At that time, Sality was a small file infector that prepended its viral code to a host file and had backdoor and keylogging capabilities. It has since gained many additional features, which have made it more harmful and dangerous; Sality’s signature, however, has remained the same. Get to know the virus in detail, and get technical support.
The Characteristics
Symantec.com has explained the features of this virus well. The payload runs five distinct components in separate threads.
The first component is a process injector. All processes except those belonging to the users “local service”, “network service”, or “system” are injected with a copy of Sality to make sure the malware stays running.
The second component is responsible for lowering or disabling the general security of the system. Security-related processes and services are stopped, including many antivirus and personal firewall products. The registry is modified and SafeBoot key entries are deleted. Features such as registry editing with the Windows regedit.exe tool or launching Task Manager are disabled. Firewall rules are added to let Sality access the network.
Sality also drops a kernel driver to a dynamically generated location in %System%\drivers and creates a service named “amsint32”. This driver is a rootkit in charge of two things. First, it ends processes when a regular call to TerminateProcess() fails. In fact, the rootkit is able to run dynamic code in a target process; however, so far this code only pertains to process termination.
The second feature is more interesting: the driver sets up an IpFilter callback function to process network packets. Ipfltdrv.sys is a standard Windows driver that can be loaded by starting the IpFilterDriver service. Kernel drivers can register a callback that IpFilter invokes every time an IP packet goes in or out, and the callback can decide to drop the packet. In short, IpFilter is a very straightforward way to build a simple Windows firewall. Sality uses IpFilter to drop every IP packet containing words that belong to an encrypted list of strings making up security vendors’ URLs. The user-mode process can also instruct the driver to drop SMTP packets, blocking traditional email exchange.
The third component is the infector itself. Sality is able to infect files on local drives as well as Windows shares. It also infects files referenced in the HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache registry key, which lists the most often-used executables on the system, as well as .exe files referenced in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Note that the infection routine checks that a file is not protected by Windows File Protection (SFC) before trying to infect it.
Let’s move on to the fourth component: the downloader. Downloading and executing other malware or security risks is the main purpose of Sality. A compromised host carries a list of HTTP URLs that point to resources to be downloaded, decrypted, and executed; these URLs can also point to further URLs. The encryption used here is RC4, with static keys embedded in the compromised host. The question, then, is how the URLs are updated when some of them get blocked, or more simply, when the malware gang decides to make Sality download other components.
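The three components just described leave host-level traces a responder can check for: the “amsint32” service and its driver under %System%\drivers, missing SafeBoot entries, regedit and Task Manager disabled by policy, and the Run-key and MUICache executables that the infector targets first. The script below is an added triage example, not code from the original article or from Symantec. It evaluates a registry snapshot for those traces; the snapshot at the bottom is constructed to resemble an infected host so the script runs offline, and the optional collect_live_snapshot() helper builds the same structure through winreg on a real Windows machine. The SafeBoot path and the DisableRegistryTools / DisableTaskMgr policy values are standard Windows locations that the article does not itself name; the driver file name in the sample is a constructed placeholder.

```python
"""Triage a Windows host for the Sality indicators described above.

Added example, not the article's or Symantec's code. The sample snapshot is
constructed; the registry paths are those named in the article plus the
standard SafeBoot and policy locations.
"""
from dataclasses import dataclass

SERVICE_NAME = "amsint32"
SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"
SAFEBOOT_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
MUICACHE_KEY = r"HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache"


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    detail: str


def triage(snapshot):
    """snapshot maps a registry key path to {value_name: data}.
    A key that does not exist on the host is simply absent from the dict."""
    findings = []
    # 1. The rootkit driver is registered as a service named amsint32.
    svc = snapshot.get(f"{SERVICES_KEY}\\{SERVICE_NAME}")
    if svc is not None:
        findings.append(Finding("high", f"service {SERVICE_NAME} present, "
                                        f"ImagePath={svc.get('ImagePath')}"))
    # 2. Sality deletes the SafeBoot entries; a healthy host has both subkeys.
    missing = [s for s in ("Minimal", "Network") if f"{SAFEBOOT_KEY}\\{s}" not in snapshot]
    if missing:
        findings.append(Finding("high", "SafeBoot subkeys missing: " + ", ".join(missing)))
    # 3. regedit / Task Manager switched off through the policy values.
    policy = snapshot.get(POLICY_KEY, {})
    for value in ("DisableRegistryTools", "DisableTaskMgr"):
        if policy.get(value) == 1:
            findings.append(Finding("medium", f"{value} is set under {POLICY_KEY}"))
    # 4. Executables the infector targets first: rescan these before trusting the host.
    for key in RUN_KEYS:
        for name, path in snapshot.get(key, {}).items():
            findings.append(Finding("info", f"rescan Run entry {name}: {path}"))
    for path in snapshot.get(MUICACHE_KEY, {}):
        if path.lower().endswith(".exe"):
            findings.append(Finding("info", f"rescan MUICache entry: {path}"))
    return findings


def summarize(findings):
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def collect_live_snapshot():
    """Build the same dictionary from a live Windows registry (needs winreg)."""
    import winreg  # Windows only
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    wanted = [f"{SERVICES_KEY}\\{SERVICE_NAME}", f"{SAFEBOOT_KEY}\\Minimal",
              f"{SAFEBOOT_KEY}\\Network", POLICY_KEY, MUICACHE_KEY, *RUN_KEYS]
    snapshot = {}
    for path in wanted:
        hive, _, sub = path.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as key:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    values[name] = data
                    i += 1
                snapshot[path] = values
        except OSError:
            pass  # key absent: leave it out, exactly as triage() expects
    return snapshot


# Constructed snapshot of an infected host (driver name is a placeholder).
SAMPLE_SNAPSHOT = {
    f"{SERVICES_KEY}\\{SERVICE_NAME}": {"ImagePath": r"\??\C:\WINDOWS\system32\drivers\xxxxx.sys"},
    SAFEBOOT_KEY: {},  # present, but Minimal and Network subkeys were wiped
    POLICY_KEY: {"DisableRegistryTools": 1, "DisableTaskMgr": 1},
    RUN_KEYS[0]: {"Updater": r"C:\Program Files\Example\updater.exe"},
    RUN_KEYS[1]: {},
    MUICACHE_KEY: {r"C:\Program Files\Example\app.exe": "Example App",
                   r"C:\Windows\system32\notepad.exe": "Notepad"},
}

if __name__ == "__main__":
    for f in triage(SAMPLE_SNAPSHOT):
        print(f"[{f.severity}] {f.detail}")
```

On a live host, replace SAMPLE_SNAPSHOT with collect_live_snapshot(); the “info” findings are the first files to rescan with an updated engine, since those are exactly the executables the infector prioritises.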
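Both the filter’s keyword list and the downloader’s URL list are protected with RC4 under a static key, so an analyst who has recovered that key from a sample can decode both with a few lines of code. The script below is an added example, not the article’s or Symantec’s code: a textbook RC4 routine, two constructed blobs standing in for the embedded lists, and a reproduction of the drop rule (substring match, optional SMTP blocking) so the symptom of unreachable vendor sites can be reproduced in a lab and a detection written for it. The key, the word list, the URLs and the packets are all constructed here; only the RC4 algorithm itself comes from the article.

```python
"""Recover Sality's RC4-protected string lists and reproduce its IpFilter rule.

Added example, not code from the original post or from Symantec. The static
key, the "embedded" blobs and the packets are constructed so this runs offline.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def recover_strings(blob: bytes, key: bytes):
    """Decrypt an embedded blob and split the NUL-separated string list."""
    return [s for s in rc4(key, blob).split(b"\x00") if s]


# Constructed stand-ins for the key and blobs an analyst would carve from a sample.
STATIC_KEY = b"constructed-static-key"
BLOCKLIST_BLOB = rc4(STATIC_KEY, b"example-av\x00av-updates\x00")
URLLIST_BLOB = rc4(STATIC_KEY,
                   b"http://dl.example.test/a.bin\x00http://dl.example.test/more.txt\x00")


def would_drop(packet, blocked_words, block_smtp=False):
    """The kernel-side rule: drop any packet whose payload contains a blocked
    word (case-insensitive) and, when instructed, every SMTP packet."""
    if block_smtp and packet["dst_port"] == 25:
        return True
    payload = packet["payload"].lower()
    return any(word.lower() in payload for word in blocked_words)


def classify_packets(packets, blocked_words, block_smtp=False):
    return [(p["label"], would_drop(p, blocked_words, block_smtp)) for p in packets]


# Constructed packets: one AV-update fetch, one unrelated page, one SMTP command.
SAMPLE_PACKETS = [
    {"label": "av update", "dst_port": 80,
     "payload": b"GET /defs.dat HTTP/1.1\r\nHost: liveupdate.example-av.test\r\n\r\n"},
    {"label": "ordinary web", "dst_port": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"},
    {"label": "outbound mail", "dst_port": 25,
     "payload": b"MAIL FROM:<user@example.test>\r\n"},
]

if __name__ == "__main__":
    words = recover_strings(BLOCKLIST_BLOB, STATIC_KEY)
    print("blocked words:", words)
    print("download URLs:", recover_strings(URLLIST_BLOB, STATIC_KEY))
    for label, dropped in classify_packets(SAMPLE_PACKETS, words, block_smtp=True):
        print(f"{label:14s} -> {'DROP' if dropped else 'pass'}")
```

Because RC4 is a stream cipher, decrypting a carved blob with the wrong key yields noise rather than an error, so the split-on-NUL check doubles as a sanity test: a correct key produces short printable strings, a wrong one does not.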
The answer is given by the fifth and final component: its peer-to-peer client and server code. Sality-infected hosts thus become bots of a P2P botnet.
So it is always good to be extra careful about this virus. If you suspect that your PC has been infected with W32.Sality, call for antivirus support immediately.
The Remedy
• Call for immediate antivirus support. Scan your PC with an antivirus such as Norton or Kaspersky; make sure the antivirus has been updated first.
• Use an anti-malware tool such as Malwarebytes.
• Make sure your antivirus is able to delete the infected files. If it is not, allow the antivirus to take whatever other action it recommends.
• Avoid downloading pirated software.
• Be careful when opening attachments; scan them before opening.
• Be careful when clicking on links to unknown websites.
• Use strong passwords.
• Watch out for social engineering attacks such as phishing, spear phishing, and email hoaxes.
Microsoft has raised the alert level to severe, so be careful.
List of Aliases
Below is the list of aliases this virus goes by:
• Win32/Kashu.B (AhnLab)
• Win32.Sality.NX (BitDefender)
• Win32/Sality.W (CA)
• Win32.Sector.5 (Dr.Web)
• Win32/Sality.NAO (ESET)
• W32/Sality.AJ (Frisk (F-Prot))
• Virus.Win32.Sality.y (Kaspersky)
• W32/Sality.AE (McAfee)
• W32/Sality.AO (McAfee)
• W32/Smalltroj.DXSV (Norman)
• W32/Sality-AM (Sophos)
• W32.Sality.AE (Symantec)
• Win32.Sality.AK (VirusBuster)
Article Directory: http://www.articledashboard.com
W32.Sality, commonly known as Sality virus, could be harmful enough to damage your PC and your data. Get some technical support to learn more about the virus. You should also call for antivirus support immediately, if you feel that your PC has got infected with it.