Sophos

Mal/Sality-Gen


Summary

How it spreads
  • Removable storage devices
  • Network shares
  • Infected files
Affected operating systems: Windows
Characteristics
  • Drops more malware
Protection available since: 26 November 2008 08:44:35 (GMT)
Last updated: 10 April 2009 15:13:45 (GMT)
Detected by: All Sophos products

Action

Please send any files detected as Mal/Sality-Gen to Sophos so that they can be analysed, and disinfection produced for them if appropriate.

It is also advisable to enable scanning for suspicious files and submit any files detected as Sus/Sality-A to Sophos for further analysis.

More Information

Mal/Sality-Gen is a virus for the Windows platform and a member of the Sality family of file-infecting viruses.

Mal/Sality-Gen may also spread by copying itself to removable devices and network shares. It typically drops a hidden autorun.inf file alongside the copy so that the copy is run automatically when the device or share is opened; this file is detected as Mal/AutoInf-A.
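As an added example (not Sophos's code), the following Python script parses an autorun.inf of the kind described above and reports which program it would start and whether it also overrides the drive's Open verb, which on the Windows versions of the time ran the program even when a user double-clicked the drive in Explorer. The file content is a constructed sample; the junk lines and the program name qwjde.exe are assumptions, not indicators taken from this description.

```python
"""Triage an autorun.inf recovered from removable media or a network share.

Added example, not Sophos's code.  The sample below is constructed; the
section and key names are those of the Windows autorun.inf format."""
import re

LAUNCH_KEYS = ("open", "shellexecute")                     # run a program on AutoPlay
VERB_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")   # e.g. shell\open\command

def parse_autorun(text):
    """Map each launch key in the [autorun] section to its command line.

    Tolerant of the junk some worm-dropped files are padded with: lines that
    are not key=value are skipped, keys are matched case-insensitively, and
    sections other than [autorun] are ignored."""
    targets, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip().strip("\x00")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in LAUNCH_KEYS or VERB_COMMAND.match(key):
            targets[key] = value
    return targets

def _program(command):
    """First token of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""

def launched_programs(targets):
    """Distinct programs the file would start; these are the copies to submit
    for analysis (paths are relative to the device root)."""
    return sorted({_program(cmd) for cmd in targets.values() if _program(cmd)})

def hijacks_open_verb(targets):
    """True if shell\\open\\command is set, i.e. Explorer's default Open action
    on the drive was redirected to the program."""
    return "shell\\open\\command" in targets

# Constructed sample (assumption): the junk lines imitate padding seen in
# worm-dropped autorun.inf files; qwjde.exe is an invented file name.
SAMPLE = r"""[autorun]
; constructed sample
xq8$@~!llkj
open=qwjde.exe
zzq#&
shell\open\command=qwjde.exe
shell\explore\command=qwjde.exe
icon=%SystemRoot%\system32\shell32.dll,4
"""

if __name__ == "__main__":
    t = parse_autorun(SAMPLE)
    print(t)
    print("starts:", launched_programs(t), "open verb hijacked:", hijacks_open_verb(t))
```

Run the script against a copy of the autorun.inf taken from the device; the programs it lists are the files to submit to Sophos and to look for on the device, which the worm may have marked hidden.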

Mal/Sality-Gen includes the functionality to download additional files from a remote location.

When first run, Mal/Sality-Gen may infect executables in the root folder, files on network shares, and executables referenced from registry locations including the following:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache

Mal/Sality-Gen may drop another executable file, detected as Mal/Behav-010.

Mal/Sality-Gen may install the following file:

<System>\<random>.sys (detected as Troj/RkSal-A or Troj/RKSal-Gen)

Mal/Sality-Gen may set registry entries under:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\<service name>

where <service name> can be, for example, LEGACY_WMI_MFC_TPSHOKER_80. Windows creates a LEGACY_<service> node here for each non-Plug and Play driver service, so an unfamiliar node at this location usually corresponds to a driver such as the dropped .sys file above.

Mal/Sality-Gen may delete registry entries under:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\

These entries list the drivers and services permitted in Safe Mode, so after their deletion the machine typically can no longer be started in Safe Mode for cleaning.

Mal/Sality-Gen may disable some system monitoring tools by modifying executables named "filemon.exe" (the file name used by the Sysinternals FileMon file-system monitor) so that they exit immediately.

Mal/Sality-Gen may disable certain system tools such as the Windows Task Manager and the Microsoft Registry Editor (regedit).
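The registry locations above (the Run and MUICache keys the virus searches for host files, the Enum\Root LEGACY_ node, the SafeBoot keys, and the disabled system tools) can be checked offline from a `reg export` file. The Python script below is an added example, not Sophos's code; it parses a constructed .reg sample. The baseline set of LEGACY_ nodes, the check of the DisableTaskMgr and DisableRegistryTools policy values (this description does not state how the tools are disabled), and the sample file paths are assumptions.

```python
"""Triage a .reg export for the Sality registry indicators described above.

Added example, not Sophos's code.  Input is the text of a `reg export` file
(decode from disk with encoding="utf-16"); the sample below is constructed.
Hex values spread over continuation lines are ignored by this parser."""
import re

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
EXE = re.compile(r'^"?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)

ENUM_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
AUTOSTART_KEYS = (  # the locations listed in the description
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache",
)

def _unescape(s):
    # .reg string syntax escapes double quote and backslash.
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text):
    """Return {key_path: {value_name: value}}; strings are unescaped, dword
    values become int, other types are kept as raw text."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        m = VALUE.match(line)
        if not m or current is None:
            continue
        name = "@" if m.group(2) else _unescape(m.group(1))
        raw = m.group(3)
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            reg[current][name] = _unescape(raw[1:-1])
        elif raw.lower().startswith("dword:"):
            reg[current][name] = int(raw[6:], 16)
        else:
            reg[current][name] = raw
    return reg

def _subkeys(reg, parent):
    parent = parent.lower().rstrip("\\") + "\\"
    return [k for k in reg if k.lower().startswith(parent)]

def _values(reg, key):
    for k, v in reg.items():
        if k.lower() == key.lower():
            return v
    return {}

def legacy_nodes(reg):
    """Names of Enum\\Root\\LEGACY_* nodes (one per non-PnP driver service)."""
    names = {k[len(ENUM_ROOT) + 1:].split("\\")[0] for k in _subkeys(reg, ENUM_ROOT)}
    return sorted(n for n in names if n.upper().startswith("LEGACY_"))

def unexpected_legacy_nodes(reg, baseline):
    """LEGACY_* nodes absent from a baseline taken on a known-clean build (assumed input)."""
    base = {b.upper() for b in baseline}
    return [n for n in legacy_nodes(reg) if n.upper() not in base]

def safeboot_state(reg):
    """True if SafeBoot\\Minimal and \\Network still hold entries, False if they
    are gone (the deletion described above), None if Control\\SafeBoot was not
    part of the export at all, so nothing can be concluded."""
    if not any(k.lower() == SAFEBOOT.lower() for k in reg):
        return None
    return all(_subkeys(reg, SAFEBOOT + "\\" + sub) for sub in ("Minimal", "Network"))

def autostart_targets(reg):
    """Executables referenced from the Run keys and MUICache: the files the
    virus looks for when choosing hosts, so scan and submit these first."""
    found = set()
    for key in AUTOSTART_KEYS:
        for name, val in _values(reg, key).items():
            for cand in (name, val if isinstance(val, str) else ""):
                m = EXE.match(cand)
                if m:
                    found.add(m.group(1))
    return sorted(found)

def tool_lockout(reg):
    """Policy values that disable Task Manager and regedit when set to 1
    (assumed mechanism; the description does not say how they are disabled)."""
    pol = _values(reg, POLICIES)
    return sorted(n for n in ("DisableTaskMgr", "DisableRegistryTools") if pol.get(n) == 1)

# Constructed sample export (assumption): paths and the LEGACY_BEEP baseline entry are invented.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BEEP]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80\0000]
"Service"="WMI_MFC_TPSHOKER_80"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\upd.exe\" /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Tool\\tool.exe"="Tool"
"@shell32.dll,-12345"="Folder"
"""

if __name__ == "__main__":
    reg = parse_reg(REG_SAMPLE)
    print("unexpected LEGACY_ nodes:", unexpected_legacy_nodes(reg, {"LEGACY_BEEP"}))
    print("SafeBoot intact:", safeboot_state(reg))
    print("scan first:", autostart_targets(reg))
    print("tools disabled via policy:", tool_lockout(reg))
```

On a real case, export HKLM\SYSTEM\CurrentControlSet and the HKCU hives of every profile from the offline disk or from a clean boot, concatenate the exports, and feed them to parse_reg; a None from safeboot_state means the export did not cover Control\SafeBoot, not that the keys are intact.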

Mal/Sality-Gen contains bugs in its viral code, and some files it infects will be corrupted. Some of these files can be disinfected if the host code can be recovered safely, while others are corrupt beyond repair. The virus may also save a corrupt copy of the host, so that a successful disinfection still leaves behind a corrupt host. Files that carried appended (overlay) data are affected in the same way, because the virus overwrites that data during infection; such files should be restored from a clean backup or by reinstalling the software.

It is important to send files detected as Mal/Sality-Gen to Sophos so that they can be analysed, and disinfection produced for them if appropriate.
