About:
W32/Sality-AM is a member of the Sality family of viruses for Windows.
W32/Sality-AM has been around since January 2008, but viruses remain infectious long after their original release. Recently, this particular virus has had a minor resurgence.
W32/Sality-AM may also spread by copying itself to removable devices and network shares. It typically drops a hidden autorun.inf file alongside the copy so that the copy is launched automatically via AutoRun; this file is detected as Mal/AutoInf-A.
When first run, W32/Sality-AM may infect executables in the root folder and files on network shares.
The initially dropped file is named rejoice101.exe.
It is also known to drop a driver into the system32\drivers folder. The driver can have different names but is detected as Troj/RKSal-Gen.
Mal/Sality-AM will attempt to delete a large number of files belonging to antivirus and anti-spyware software. It also modifies a large set of registry keys, including the following:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKLM\SOFTWARE\Microsoft\Security Center
HKLM\System\CurrentControlSet\Control\SafeBoot
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
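The following triage script is an added example and is not part of the Sophos entry or of any Sophos tool. It collects, on a live Windows host, the artifacts described above: a hidden autorun.inf and the rejoice101.exe dropper in drive roots, drivers recently written to system32\drivers, and the values under the registry keys listed. The 30-day lookback window and the choice of drive types are assumptions; the script only reports and never deletes anything.

```powershell
# Added triage script; not from the Sophos entry. Collects the host artifacts
# the entry describes for analyst review. Assumptions: run in an elevated
# PowerShell session; $LookbackDays is an arbitrary window chosen here.

$LookbackDays = 30

function Get-SalityRegistryArtifacts {
    # Registry keys named in the entry. They are dumped, not judged: all of them
    # exist on a clean system, so compare the output with a known-good baseline.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system',
        'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced',
        'HKLM:\SOFTWARE\Microsoft\Security Center',
        'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) {
            [pscustomobject]@{ Key = $key; Name = '<key missing>'; Value = $null }
            continue
        }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
        }
    }
    # Windows needs the SafeBoot\Minimal and SafeBoot\Network subkeys to boot
    # into Safe Mode; report whether each is still present.
    foreach ($sub in 'Minimal', 'Network') {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sub"
        [pscustomobject]@{ Key = $path; Name = '<subkey present>'; Value = (Test-Path -LiteralPath $path) }
    }
}

function Get-SalityFileArtifacts {
    $cutoff = (Get-Date).AddDays(-$LookbackDays)
    # DriveType 2 = removable disk, 3 = local fixed disk.
    $drives = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 3 }
    foreach ($d in $drives) {
        foreach ($name in 'autorun.inf', 'rejoice101.exe') {
            $path = Join-Path ($d.DeviceID + '\') $name
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $item = Get-Item -LiteralPath $path -Force     # -Force: include hidden files
            $note = ''
            if ($name -eq 'autorun.inf') {
                # Show which executable the autorun.inf would launch.
                $note = (Get-Content -LiteralPath $path -Force |
                    Select-String -Pattern '^\s*(open|shellexecute)\s*=').Line -join '; '
            }
            [pscustomobject]@{
                Artifact = $path
                Hidden   = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
                Created  = $item.CreationTime
                Note     = $note
            }
        }
    }
    # Drivers written recently to the system32\drivers folder. Many genuine
    # drivers are catalog-signed and show NotSigned here, so treat the
    # signature column as a lead, not a verdict.
    $drvDir = Join-Path $env:SystemRoot 'System32\drivers'
    Get-ChildItem -LiteralPath $drvDir -Filter *.sys -Force |
        Where-Object { $_.CreationTime -gt $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Artifact = $_.FullName
                Hidden   = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                Created  = $_.CreationTime
                Note     = 'signature: ' + (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}

Get-SalityFileArtifacts | Format-Table -AutoSize
Get-SalityRegistryArtifacts | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt and diff the registry output against a clean machine of the same build rather than reading it in isolation; the ShellNoRoam\MUICache key, for example, is a Windows XP location and will simply be reported as missing on later versions. The file section deliberately uses -Force throughout, since both the autorun.inf and the dropped driver are described as hidden.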
Mal/Sality-AM connects to a large list of hard-coded websites to download further malware. The dropped driver also acts as a filter driver that blocks access to various security websites.
Users of the HIPS runtime behavior analysis features of Sophos Endpoint Security have additional protection against Mal/Sality-AM: the actions of this malware trigger the HIPS rules HIPS/FileMod-005, HIPS/RegMod-016 and HIPS/RegMod-013.