Name
Sality
Detection names
Sophos W32/Sality-AM, Mal/Sality-D, Mal/Sality-B
Kaspersky Virus.Win32.Sality.aa, Virus.Win32.Sality.ag
Avira W32/Sality, W32/Sality.Y
McAfee W32/Sality.ad, W32/Sality.gen.z, W32/Sality.gen
Trend Micro PE_SALITY.AM, PE_SALITY.RL, PE_SALITY.JER
Microsoft Virus:Win32/Sality.AH, Virus:Win32/Sality.AT, Virus:Win32/Sality.AM
Symantec W32.Sality.AE
Affected OS or software
Microsoft Windows
Basic description
Sality is a family of file infecting viruses for the Windows platform. It first appeared in 2003 and has been in development ever since. In addition to infecting other files, the members of the Sality family can also spread by copying themselves to removable storage devices and accessible network shares.
Many versions of Sality also include a rootkit component and the ability to download and install other malware. Sality is a complex and buggy piece of malware which can be troublesome to remove and is known to damage some infected files beyond repair.
Related links:
Naked Security blog articles on Sality
Sophos Knowledgebase article on Sality
Defending against the threat
Sality uses multiple methods of propagation, so multiple defenses can be implemented. In addition to the patches and technologies listed below, some network security steps can limit the impact of a Sality infection.
Do not store program binaries (EXE and DLL files) in network shares that allow writing.
Patches
MS10-046 - Windows Shortcut exploit
Microsoft KB971029 - Disable autorun
Sophos technologies
The primary defense against a file-infecting virus is Endpoint Protection. Enabling behavior monitoring (HIPS) has been shown to improve detection of new Sality variants.
Technical description
Sality is a family of polymorphic file-infecting viruses for the Windows platform. Sality uses both polymorphic and entry-point obfuscation techniques to create a unique appearance for its code each time it infects a file. In addition to file infection, Sality spreads by copying itself to removable devices and network shares. It typically drops a hidden file autorun.inf to run copies of itself automatically. This file is detected as Mal/AutoInf-A.
Sality includes the functionality to download additional files from a remote location.
When first run, Sality may infect executables in the root folder, files on network shares, and executables it locates through registry locations, including the following:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
Sality may install a randomly named .sys file in the Windows system folder. This file is a rootkit component, usually detected as either Troj/RkSal-A or Troj/RKSal-Gen.
Sality may also configure a service, creating registry entries under:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\<service name>
(where <service name> depends on the version of Sality and can be randomly chosen, for example, LEGACY_WMI_MFC_TPSHOKER_80 or amsint32.)
Sality takes several steps to hinder detection and recovery from an infection. It may disable some system integrity checkers by modifying executables named "filemon.exe" so that they exit immediately, and it disables certain system tools, such as the Windows Task Manager and the Microsoft Registry Editor (regedit).
Sality also interferes with safe booting by deleting registry entries under: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\
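A read-only triage check for the artifacts described in this section, written in PowerShell as an added example; it is not from the Sophos page or from Sophos tooling. The registry paths, the autorun.inf behaviour and the two Enum\Root names are taken from the text above. The 30-day age filter on .sys files and the check of the DisableTaskMgr and DisableRegistryTools policy values are assumptions of this example, since the page does not say how the tools are disabled.

```powershell
# Added example, not part of the Sophos advisory: read-only check for the
# Sality artifacts the advisory describes. Run from an elevated PowerShell
# session on the host being examined; nothing here modifies the system.
function Test-SalityIndicators {
    [CmdletBinding()]
    param(
        # Assumption of this example: drivers newer than this deserve a second look.
        [int]$MaxDriverAgeDays = 30
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Device/service entries under Enum\Root. The two names are the examples
    #    the advisory gives; other builds use random names, so absence proves
    #    nothing. An access-denied read also shows up as "absent" here.
    foreach ($name in @('amsint32', 'LEGACY_WMI_MFC_TPSHOKER_80')) {
        if (Test-Path -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\$name") {
            $findings.Add("Enum\Root entry present: $name")
        }
    }

    # 2. Sality deletes the SafeBoot entries; both profiles exist on a healthy install.
    foreach ($profile in @('Minimal', 'Network')) {
        if (-not (Test-Path -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$profile")) {
            $findings.Add("SafeBoot\$profile key missing")
        }
    }

    # 3. The rootkit driver has a random name, so list recently created .sys files
    #    directly in the system folder for manual review (age filter is assumed).
    $cutoff = (Get-Date).AddDays(-$MaxDriverAgeDays)
    Get-ChildItem -LiteralPath (Join-Path $env:SystemRoot 'System32') -Filter '*.sys' -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff } |
        ForEach-Object { $findings.Add("Recent .sys in system folder: $($_.FullName) (created $($_.CreationTime))") }

    # 4. autorun.inf on removable drives (DriveType 2 = removable); -Force is
    #    needed because the advisory says the file is dropped hidden.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $attrs = (Get-Item -LiteralPath $inf -Force).Attributes
            $findings.Add("autorun.inf on removable drive $($_.DeviceID) (attributes: $attrs)")
        }
    }

    # 5. Task Manager / regedit blocked through policy values. The advisory says
    #    the tools are disabled but not how; checking these values is an assumption.
    $policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($valueName in @('DisableTaskMgr', 'DisableRegistryTools')) {
        $item = Get-ItemProperty -LiteralPath $policyKey -Name $valueName -ErrorAction SilentlyContinue
        if ($item -and $item.$valueName -eq 1) {
            $findings.Add("Policy value set: $valueName = 1")
        }
    }

    return $findings.ToArray()
}

$result = Test-SalityIndicators
if ($result.Count -eq 0) {
    Write-Output 'No Sality indicators found by this check'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

An empty result only means none of these specific artifacts were seen: the advisory notes that the driver and service names vary by build, so treat the output as a starting point for review alongside the Endpoint Protection detections listed above, not as a clean bill of health.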
Sality contains bugs in its viral code, and some files it infects will be corrupted. Some of these files may be disinfectable if the host code can be recovered safely, while others will be corrupted beyond repair. It is also possible that the virus saves a corrupt version of the host, such that successful disinfection still leaves behind a corrupt host. This is also true of files with appended data, since the virus overwrites this data during infection.