W32.Sality Anti Virus
W32.Sality, commonly known as the Sality virus, is a malware program that infects .exe and .scr files
and spreads every time an infected host file is executed. The virus also includes an autorun
component, through which it copies itself to any removable medium attached to the machine. It also
carries a downloader Trojan component, which downloads and installs more malware once the host is
connected to the web.
The virus first appeared in 2003 in Russia. At that time Sality was a small file infector that
prepended its viral code to a host and had backdoor and keylogging capabilities. It has since gained
many additional features that make it considerably more harmful, while the family's signature has
remained the same. The sections below describe the virus in detail; if you suspect an infection, seek
technical support.
The Characteristics
Symantec.com has described the features of this virus in detail. The payload runs five distinct
components in separate threads.
The first component is a process injector. Every process, except those running under the "local
service", "network service" or "system" accounts, is injected with a copy of Sality so that the
malware keeps running even if one of its host processes exits.
The second component lowers or disables the general security of the system. Security-related
processes and services are stopped, including those of many antivirus and personal firewall
products. The registry is modified and the SafeBoot key entries are deleted, which breaks booting
into Safe Mode. Registry editing with the Windows regedit.exe tool and the Task Manager are disabled
through policy settings. Firewall rules are added to let Sality reach the network.
Sality also drops a kernel driver to a dynamically generated location under %System%\drivers and
registers it as a service named "amsint32". This driver is a rootkit with two jobs. First, it terminates
processes when a regular call to TerminateProcess() fails; the rootkit is in fact able to run dynamically
supplied code in the context of a target process, although so far that code is used only for process
termination.
The second feature is more interesting: the driver installs an IpFilter callback to process network
packets. Ipfltdrv.sys is a standard Windows driver that is loaded by starting the IpFilterDriver
service. Kernel drivers can register a callback that IpFilter invokes every time an IP packet goes in or
out, and the callback can decide to drop the packet. In short, IpFilter is a very straightforward way to
build a simple Windows firewall. Sality uses it to drop every IP packet containing a word from an
encrypted list of strings that make up security vendors' URLs, which cuts the host off from signature
updates and online removal tools. The user-mode process can also instruct the driver to drop SMTP
packets, blocking traditional email exchange.
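To check a Windows host for the indicators described in the first two components, here is an added triage script in PowerShell. It is not from the article or from Symantec's analysis. The "amsint32" service name and the IpFilterDriver service come from the text above; the SafeBoot, policy and legacy firewall registry locations it reads are the standard Windows ones, and the short list of security services it expects to be running is an assumption about a typical host rather than something the article states. Run it from an elevated prompt.

```powershell
# Added triage example (not from the article or Symantec). Checks for the
# Sality indicators described above. Needs an elevated PowerShell session.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Rootkit driver registered as service "amsint32". Kernel drivers are not
#    returned by Get-Service, so read the Services hive and Win32_SystemDriver.
$amsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\amsint32'
if (Test-Path $amsKey) {
    $img = (Get-ItemProperty $amsKey).ImagePath
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='amsint32'"
    $findings.Add("driver service 'amsint32' registered (image: $img, state: $($drv.State))")
}

# 2. IpFilterDriver is a legitimate Windows driver, but Sality's packet filter
#    needs it loaded; note it if it is running.
$ipf = Get-CimInstance Win32_SystemDriver -Filter "Name='IpFilterDriver'"
if ($ipf -and $ipf.State -eq 'Running') {
    $findings.Add('IpFilterDriver is running (check whether anything legitimate needs it)')
}

# 3. SafeBoot keys deleted: a healthy system has both Minimal and Network subkeys.
foreach ($k in 'Minimal', 'Network') {
    if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$k")) {
        $findings.Add("SafeBoot\$k key is missing (Safe Mode boot will fail)")
    }
}

# 4. Policy values that disable regedit.exe and Task Manager.
foreach ($hive in 'HKCU', 'HKLM') {
    $pol = Get-ItemProperty "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -ErrorAction SilentlyContinue
    if ($pol) {
        if ($pol.DisableRegistryTools -eq 1) { $findings.Add("$hive DisableRegistryTools = 1") }
        if ($pol.DisableTaskMgr -eq 1)       { $findings.Add("$hive DisableTaskMgr = 1") }
    }
}

# 5. Applications the legacy Windows Firewall has been told to allow through.
#    Sality adds itself here; review every entry that is not expected.
foreach ($profile in 'StandardProfile', 'DomainProfile') {
    $auth = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profile\AuthorizedApplications\List"
    if (Test-Path $auth) {
        foreach ($name in (Get-Item $auth).Property) {
            $findings.Add("firewall authorized application ($profile): $name")
        }
    }
}

# 6. Security services that are present but not running. The list is an
#    assumption about a typical host; adjust for the products installed.
foreach ($name in 'WinDefend', 'MpsSvc', 'SharedAccess', 'wscsvc', 'wuauserv') {
    $s = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($s -and $s.Status -ne 'Running') { $findings.Add("security service '$name' is $($s.Status)") }
}

if ($findings.Count -eq 0) { 'No Sality-style indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on the "amsint32" key or on missing SafeBoot subkeys is a strong signal; a running IpFilterDriver or a stopped security service on its own is only worth a closer look, since both have legitimate explanations.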
The third component is the infector itself. Sality can infect files on local drives as well as on
Windows shares. It also infects the files referenced in the
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache registry key, which
lists the most often-used executables on the system, as well as the .exe files referenced in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Note that the infection
routine is careful enough to check that a file is not protected by Windows File Protection (SFC)
before trying to infect it, since WFP would simply restore such a file.
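The following PowerShell is an added example, not code from the article, that walks the same infection targets the infector does (the Run keys and MUICache) and reports which of the referenced executables are both outside Windows File Protection and unsigned; those are the files to hash and scan first. The ShellNoRoam key is the Windows XP location named in the text; the Local Settings key is where later Windows versions keep MUICache, an assumption not stated in the article. SfcIsFileProtected is the Sfc.dll API that exposes the WFP check; Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example (not from the article): list Sality's infection targets and
# flag those that are unprotected by WFP and unsigned.
Add-Type -Namespace Win32 -Name Sfc -MemberDefinition @'
[DllImport("sfc.dll", CharSet = CharSet.Unicode)]
public static extern bool SfcIsFileProtected(IntPtr rpcHandle, string protFileName);
'@

function Get-ExePathFromCommand([string]$cmd) {
    # Run-key values are command lines (quoted or not, possibly with arguments);
    # MUICache value names are plain paths. Return the .exe path if it exists.
    if ([string]::IsNullOrWhiteSpace($cmd)) { return $null }
    $cmd = $cmd.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { $cmd = $cmd.Substring(1, $end - 1) }
    } else {
        $idx = $cmd.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
        if ($idx -gt 0) { $cmd = $cmd.Substring(0, $idx + 4) }
    }
    $path = [Environment]::ExpandEnvironmentVariables($cmd)
    if ($path -match '\.exe$' -and (Test-Path -LiteralPath $path)) { return $path }
    return $null
}

$candidates = New-Object System.Collections.Generic.HashSet[string]

# Run keys named in the text, for the machine and the current user.
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (Test-Path $run) {
        $props = Get-ItemProperty $run
        foreach ($name in (Get-Item $run).Property) {
            $p = Get-ExePathFromCommand $props.$name
            if ($p) { [void]$candidates.Add($p) }
        }
    }
}

# MUICache: XP location from the text, plus the later-Windows location (assumed).
# Newer entries carry a ".FriendlyAppName" / ".ApplicationCompany" suffix.
foreach ($mui in 'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache',
                 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MUICache') {
    if (Test-Path $mui) {
        foreach ($name in (Get-Item $mui).Property) {
            $p = Get-ExePathFromCommand ($name -replace '\.(ApplicationCompany|FriendlyAppName)$', '')
            if ($p) { [void]$candidates.Add($p) }
        }
    }
}

# Report: WFP-protected files are ones Sality skips; unprotected + unsigned is
# exactly the population it can and will infect, so those are flagged.
foreach ($exe in ($candidates | Sort-Object)) {
    $protected = [Win32.Sfc]::SfcIsFileProtected([IntPtr]::Zero, $exe)
    $sig  = (Get-AuthenticodeSignature -LiteralPath $exe).Status
    $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    $flag = if (-not $protected -and $sig -ne 'Valid') { '[!]' } else { '   ' }
    '{0} WFP={1,-5} Sig={2,-12} {3}  {4}' -f $flag, $protected, $sig, $hash.Substring(0, 16), $exe
}
```

The hashes let you compare a suspect executable against a known-good copy or a vendor's published value; a Sality-infected host file will differ, since the virus appends its code to the original.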
The fourth component is the downloader. Downloading and executing other malware or security risks
is Sality's main purpose. A compromised host carries a list of HTTP URLs that point to resources to be
downloaded, decrypted and executed; these URLs can also point to further lists of URLs. The
encryption used here is RC4, with static keys embedded in the compromised host.
How, then, are the URLs updated when some of them get blocked, or simply when the malware gang
decides to have Sality download other components?
The answer is the fifth and final component: peer-to-peer client and server code. Sality-infected
hosts thus become bots of a P2P botnet, through which fresh URL lists are distributed.
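Because the downloader's URL list is RC4 under a static key, an analyst who recovers the key from a sample can decrypt the list offline. The PowerShell below is an added illustration of that, not Sality's code: the key, the URLs and the encrypted blob are all constructed here (the script encrypts its own sample to stand in for a blob carved out of a binary), and the RC4 routine is checked against the published "Key"/"Plaintext" test vector before it is trusted.

```powershell
# Added example: RC4 as used for a static-key URL list. Not Sality's code; the
# key and URLs below are constructed for illustration only.
function Invoke-Rc4([byte[]]$Key, [byte[]]$Data) {
    # Key-scheduling algorithm (KSA): permute S under the key.
    $S = [int[]](0..255)
    $j = 0
    for ($i = 0; $i -lt 256; $i++) {
        $j = ($j + $S[$i] + $Key[$i % $Key.Length]) -band 0xFF
        $t = $S[$i]; $S[$i] = $S[$j]; $S[$j] = $t
    }
    # Pseudo-random generation (PRGA): XOR the keystream over the data.
    # RC4 is symmetric, so the same call both encrypts and decrypts.
    $out = New-Object byte[] $Data.Length
    $i = 0; $j = 0
    for ($k = 0; $k -lt $Data.Length; $k++) {
        $i = ($i + 1) -band 0xFF
        $j = ($j + $S[$i]) -band 0xFF
        $t = $S[$i]; $S[$i] = $S[$j]; $S[$j] = $t
        $out[$k] = $Data[$k] -bxor $S[($S[$i] + $S[$j]) -band 0xFF]
    }
    return ,$out   # leading comma keeps the byte[] from being unrolled
}

# Sanity check against the published RC4 test vector: key "Key", plaintext "Plaintext".
$enc = [Text.Encoding]::ASCII
$vec = Invoke-Rc4 $enc.GetBytes('Key') $enc.GetBytes('Plaintext')
if (([BitConverter]::ToString($vec) -replace '-') -ne 'BBF316E8D940AF0AD3') {
    throw 'RC4 implementation does not match the reference vector'
}

# Constructed stand-in for what a sample would carry: a static key and an
# encrypted, newline-separated list of download URLs (hostnames are invented).
$staticKey = $enc.GetBytes('constructed-static-key')
$urlList   = "http://example.invalid/a.bin`nhttp://example.invalid/b.bin`nhttp://example.invalid/list.txt"
$blob      = Invoke-Rc4 $staticKey $enc.GetBytes($urlList)
'Encrypted blob ({0} bytes): {1}' -f $blob.Length, ([BitConverter]::ToString($blob) -replace '-')

# Analyst side: with the key recovered from the binary, the list falls out directly.
$recovered = $enc.GetString((Invoke-Rc4 $staticKey $blob))
$recovered -split "`n" | ForEach-Object { 'URL: {0}' -f $_ }
```

The weakness the article points at is the static key: because it is embedded in every copy, obtaining one sample is enough to read, and block, every URL list the gang pushes under that key.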
So it pays to be extra careful about this virus. If you suspect that your PC has been infected with
W32.Sality, call for antivirus support immediately.
The Remedy
o Call for immediate antivirus support and scan your PC with an up-to-date antivirus product such as
Norton or Kaspersky.
o Also run an anti-malware tool such as Malwarebytes.
o Check that your antivirus can clean or delete the infected files; if it cannot, let it quarantine them
rather than leaving them in place.
o Because the virus deletes the SafeBoot keys, a Safe Mode scan may not be possible; scan from
bootable rescue media instead.
o Scan any removable media and network shares that were attached to the infected machine, since the
autorun component and the infector spread to both.
o Avoid downloading pirated software.
o Be careful when opening attachments; scan them before opening.
o Be careful when clicking links to unknown websites.
o Use strong passwords.
o Watch out for social engineering attacks such as phishing, spear phishing and email hoaxes.
Microsoft rates the alert level for this threat as severe, so treat any suspected infection seriously.
List of Aliases
Below are the names under which different vendors detect this virus:
o Win32/Kashu.B (AhnLab)
o Win32.Sality.NX (BitDefender)
o Win32/Sality.W (CA)
o Win32.Sector.5 (Dr.Web)
o Win32/Sality.NAO (ESET)
o W32/Sality.AJ (Frisk (F-Prot))
o Virus.Win32.Sality.y (Kaspersky)
o W32/Sality.AE (McAfee)
o W32/Sality.AO (McAfee)
o W32/Smalltroj.DXSV (Norman)
o W32/Sality-AM (Sophos)
o W32.Sality.AE (Symantec)
o Win32.Sality.AK (VirusBuster)
By: James Madisons
Article Directory: http://www.articledashboard.com
W32.Sality, commonly known as the Sality virus, can do serious damage to your PC and your data. Get
technical support to learn more about the virus, and call for antivirus support immediately if you
suspect that your PC has been infected with it.