W32.Sality Anti Virus

Posted: Jun 25, 2010

W32.Sality, commonly known as the Sality virus, is a malware program that infects .exe and .scr files, so it spreads every time an infected host file is executed. It also includes an autorun component, through which it spreads to any removable medium attached to the machine, and a downloader Trojan component that fetches and installs more malware once the machine is connected to the web.

The virus first appeared in 2003 in Russia. At that time, Sality was a small file infector that prepended its viral code to a host and had backdoor and keylogging capabilities. It has since gained many additional features, which have made it far more harmful and dangerous; Sality's signature, however, has remained the same. The sections below describe the virus in detail.

The Characteristics

Symantec's analysis of this virus describes its features well. The payload runs five distinct components in separate threads.

The first component is a process injector. Every process except those running as the "local service", "network service" or "system" accounts is injected with a copy of Sality, so that the malware keeps running even if one instance is killed.

The second component lowers or disables the general security of the system. Security-related processes and services are stopped, including those of many antivirus and personal firewall products. The registry is modified and the SafeBoot key entries are deleted, so the machine can no longer start in Safe Mode. Registry editing with the Windows regedit.exe tool and launching Task Manager are disabled. Firewall rules are added to let Sality access the network.

Sality also drops a kernel driver under a randomly generated file name in %System%\drivers and creates a service named "amsint32" for it. This driver is a rootkit in charge of two things. First, it terminates processes when a regular user-mode call to TerminateProcess() fails; the rootkit is in fact able to run code of its choosing inside a target process, although so far that code is used only for process termination.


The second feature is more interesting: the driver registers an IpFilter callback function to process network packets. Ipfltdrv.sys is a standard Windows driver that is loaded by starting the IpFilterDriver service. Kernel drivers can register a callback that IpFilter invokes for every IP packet going in or out, and the callback can decide to drop the packet; in a few words, IpFilter is a very straightforward way to build a simple Windows firewall. Sality uses it to drop every IP packet containing a word from an encrypted list of strings that make up security vendors' URLs, which is why antivirus updates and vendor websites stop working on an infected machine. The user-mode process can also instruct the driver to drop SMTP packets, blocking ordinary email exchange.

The third component is the infector itself. Sality can infect files on local drives as well as on network shares. It also infects the files referenced in the HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache registry key, which lists the most often-used executables on the system, as well as the .exe files referenced from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Note that the infection routine checks that a file is not protected by Windows File Protection (SFC) before trying to infect it, so system binaries that SFC would silently restore are left alone.
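The host-side indicators described in the last four paragraphs (the amsint32 driver service, a running IpFilterDriver, the disabled regedit and Task Manager, the deleted SafeBoot keys, and the executables referenced from the Run and MUICache keys) can be checked from an elevated PowerShell prompt. The script below is an added triage example written for this page; it is not part of the original article and not a vendor tool. The service, driver and key names come from the article; the policy value names DisableRegistryTools and DisableTaskMgr and the second MuiCache path (used by Windows Vista and later) are assumed from standard Windows locations. Every check is read-only.

```powershell
# Added triage example (not from the original article or any vendor tool).
# Read-only checks for the Sality indicators described in the text above.
# Assumptions not taken from the article: the DisableRegistryTools /
# DisableTaskMgr policy values and the newer MuiCache path are the standard
# Windows locations. Run from an elevated PowerShell prompt.

function Get-ExePath {
    # Pull the executable path out of a Run value ("C:\x\y.exe" /arg) or a
    # MUICache value name (C:\x\y.exe.FriendlyAppName on newer Windows).
    param([string]$Entry)
    if ($Entry -match '^\s*"?(?<p>[^"]+?\.exe)"?') {
        return [Environment]::ExpandEnvironmentVariables($Matches.p)
    }
    return $null
}

function Test-SalityIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The rootkit driver: the service name is fixed, the file name is random,
    #    so the registered PathName is what tells you which file to collect.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='amsint32'"
    if ($drv) {
        $findings.Add("amsint32 driver registered: $($drv.PathName) (state $($drv.State))")
    }

    # 2. IpFilterDriver is a legitimate Microsoft driver, but Sality needs it
    #    running to hook packets; on a workstation it is normally stopped.
    $ipf = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='IpFilterDriver'"
    if ($ipf -and $ipf.State -eq 'Running') {
        $findings.Add("IpFilterDriver is running (start mode $($ipf.StartMode))")
    }

    # 3. regedit and Task Manager disabled through the Policies\System values.
    $pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
        $item = Get-ItemProperty -Path $pol -Name $name -ErrorAction SilentlyContinue
        if ($item -and $item.$name -eq 1) { $findings.Add("$name = 1 under $pol") }
    }

    # 4. SafeBoot keys deleted: Safe Mode will no longer boot.
    foreach ($k in 'Minimal', 'Network') {
        if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$k")) {
            $findings.Add("SafeBoot\$k key is missing")
        }
    }

    # 5. Files the infector targets: the Run keys and the MUICache list.
    $entries = @()
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props) {
            # Skip the PS* properties the registry provider adds to every item.
            $entries += $props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { $_.Value }
        }
    }
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache',
                     'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props) {
            $entries += $props.PSObject.Properties |
                Where-Object { $_.Name -like '*.exe*' } |
                ForEach-Object { $_.Name }
        }
    }

    # An infected host file has its code changed, so a file that carried an
    # Authenticode signature now reports HashMismatch. NotSigned is common for
    # third-party software and is only worth a look together with the hash.
    foreach ($entry in ($entries | Sort-Object -Unique)) {
        $path = Get-ExePath $entry
        if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $sha = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                $findings.Add("$path : signature $($sig.Status), SHA256 $sha")
            }
        }
    }
    return $findings
}

$result = Test-SalityIndicators
if ($result.Count -eq 0) { 'No Sality indicators found' } else { $result }
```

A clean machine should print only the "No Sality indicators found" line, possibly with a few NotSigned third-party executables. The amsint32 entry, a missing SafeBoot key, or a HashMismatch on a file that used to be signed are the findings that matter; the SHA256 values let you submit the files to a scanner or compare them against a known-good installation.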

The fourth component is the downloader. Downloading and executing other malware or security risks is Sality's main purpose. A compromised host carries a list of HTTP URLs pointing to resources to be downloaded, decrypted and executed; these URLs can also point to further lists of URLs. The encryption used is RC4 with static keys embedded in the compromised host, which means an analyst who extracts the key from a sample can decrypt the list it carries. That raises the question of how the URLs are updated when some of them get blocked, or simply when the malware gang decides to make Sality download other components.
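Two of the mechanisms above, the RC4-encrypted string list carried by the host and the IpFilter callback that drops packets containing any of its words (or SMTP traffic, on request from user mode), are small enough to reconstruct. The script below is an added illustration written for this page, not Sality's code: the key, the word list and the packets are all constructed for the example, and the real key and list are not reproduced. What it shows is the property that matters to an analyst: because the key is static, applying the same RC4 routine to the embedded blob recovers the list, which can then be used to reproduce the driver's drop decisions.

```powershell
# Added example, not Sality's own code: a toy reconstruction of the encrypted
# word list and the packet-drop decision described above. The key, the list
# and the packets are constructed for this example.

function Invoke-Rc4 {
    # Standard RC4: key scheduling, then the keystream XORed over the data.
    # RC4 is symmetric, so one routine both encrypts and decrypts.
    param([byte[]]$Key, [byte[]]$Data)
    $S = New-Object byte[] 256
    for ($i = 0; $i -lt 256; $i++) { $S[$i] = $i }
    $j = 0
    for ($i = 0; $i -lt 256; $i++) {
        $j = ($j + $S[$i] + $Key[$i % $Key.Length]) -band 0xFF
        $t = $S[$i]; $S[$i] = $S[$j]; $S[$j] = $t
    }
    $out = New-Object byte[] $Data.Length
    $i = 0; $j = 0
    for ($k = 0; $k -lt $Data.Length; $k++) {
        $i = ($i + 1) -band 0xFF
        $j = ($j + $S[$i]) -band 0xFF
        $t = $S[$i]; $S[$i] = $S[$j]; $S[$j] = $t
        $out[$k] = $Data[$k] -bxor $S[($S[$i] + $S[$j]) -band 0xFF]
    }
    return ,$out
}

function Test-DropPacket {
    # Mirrors the IpFilter callback decision: drop if the payload contains any
    # listed word, or if it is SMTP and the user-mode side asked for SMTP drops.
    param([hashtable]$Packet, [string[]]$Words, [switch]$BlockSmtp)
    if ($BlockSmtp -and $Packet.DstPort -eq 25) { return $true }
    foreach ($w in $Words) {
        if ($w -and $Packet.Payload.IndexOf($w, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

# Constructed static key and word list (stand-ins, not the real values).
$staticKey = [Text.Encoding]::ASCII.GetBytes('constructed-static-key')
$wordList  = [Text.Encoding]::ASCII.GetBytes("symantec`nkaspersky`nmcafee`nliveupdate")

# What a sample carries: the list encrypted under the static key ...
$embedded  = Invoke-Rc4 -Key $staticKey -Data $wordList
'Embedded blob: ' + (($embedded | ForEach-Object { $_.ToString('x2') }) -join '')

# ... and what an analyst recovers by applying the same key to that blob.
$recovered = [Text.Encoding]::ASCII.GetString((Invoke-Rc4 -Key $staticKey -Data $embedded))
$words     = $recovered -split "`n"
'Recovered words: ' + ($words -join ', ')

# Constructed traffic: two AV-related requests, one ordinary request, one mail.
$packets = @(
    @{ DstPort = 80; Payload = "GET /update HTTP/1.1`r`nHost: www.symantec.com`r`n" },
    @{ DstPort = 80; Payload = "GET /av HTTP/1.1`r`nHost: liveupdate.example.net`r`n" },
    @{ DstPort = 80; Payload = "GET /index.html HTTP/1.1`r`nHost: www.example.org`r`n" },
    @{ DstPort = 25; Payload = "EHLO client.example.org`r`n" }
)
foreach ($p in $packets) {
    $verdict = if (Test-DropPacket -Packet $p -Words $words -BlockSmtp) { 'DROP' } else { 'PASS' }
    "$verdict  port $($p.DstPort)  " + (($p.Payload -split "`r`n")[0])
}
```

The first two HTTP requests and the SMTP session are dropped and only the request to www.example.org passes. On a real sample the analyst's task is the step this example skips: locating the key bytes and the encrypted blob inside the infected binary, after which the same Invoke-Rc4 call yields the URL list.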

The fifth and final component answers that question: peer-to-peer client and server code through which infected hosts exchange updated URL lists. Sality-infected hosts thus become bots of a P2P botnet, with no single server whose takedown would stop the updates.

So it is always good to be extra careful about this virus. If you suspect that your PC has been infected with W32.Sality, get antivirus support immediately.

The Remedy

•    Get antivirus support immediately and scan your PC with an up-to-date antivirus such as Norton or Kaspersky. Because the rootkit driver drops traffic to security vendors' URLs and the deleted SafeBoot keys break Safe Mode, download the updated scanner or definitions on a clean machine, or boot from a vendor rescue disc, rather than trying to update on the infected host.
•    Use an anti-malware tool such as Malwarebytes as a second opinion.
•    Let the antivirus disinfect the infected files; where a file cannot be repaired, let it quarantine or delete the file and reinstall the affected program. Scan every removable drive and network share the machine has touched, since the infector spreads to both.
•    Avoid downloading pirated software.
•    Be careful when opening attachments; scan them before opening.
•    Be careful when clicking links to unknown websites.
•    Use strong passwords, including on network shares.
•    Watch out for social engineering attacks such as phishing, spear phishing and email hoaxes.

Microsoft has raised its alert level for this threat to severe, so be careful.

List of Aliases

Aliases under which antivirus vendors detect this virus:

•    Win32/Kashu.B (AhnLab)
•    Win32.Sality.NX (BitDefender)
•    Win32/Sality.W (CA)
•    Win32.Sector.5 (Dr.Web)
•    Win32/Sality.NAO (ESET)
•    W32/Sality.AJ (Frisk (F-Prot))
•    Virus.Win32.Sality.y (Kaspersky)
•    W32/Sality.AE (McAfee)
•    W32/Sality.AO (McAfee)
•    W32/Smalltroj.DXSV (Norman)
•    W32/Sality-AM (Sophos)
•    W32.Sality.AE (Symantec)
•    Win32.Sality.AK (VirusBuster)

Source: http://www.articlesbase.com/computers-articles/w32sality-anti-virus-2726490.html
