Sophos

W32/Sality-AA

Aliases
  • Virus.Win32.Sality.q
  • W32/Sality.x
  • Win32/Sality.NAJ
  • W32.Sality.U
  • PE_SALITY.AS

Summary

 
How it spreads
  • Infected files
Affected operating systems: Windows
Protection available since: 16 August 2006 21:48:17 (GMT)
Last updated: 23 September 2009 09:50:36 (GMT)
Detected by: All Sophos products

More Information

W32/Sality-AA is a virus that also acts as a keylogger.

W32/Sality-AA infects files with the extensions ".exe" and ".scr" on all drives, excluding those under <Windows>.

W32/Sality-AA creates the files

<System>\vcmgcd32.dll
<System>\vcmgcd32.dll_

These files are also detected as W32/Sality-AA.

The virus logs keystrokes typed into certain windows, as well as information about the infected computer. This logged data is periodically submitted to a remote website.

W32/Sality-AA deletes all files found on the system with the extensions ".vdb" and ".avc", and files whose names start with "drw" and end with ".key".

W32/Sality-AA modifies the file <Windows>\system.ini by adding the following:
[MCIDRV_VER]
DEVICE=<random string>

W32/Sality-AA has been seen spreading itself via email by piggy-backing on W32/Netsky-T.
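
A triage check for the two host artifacts described above (the dropped files in <System> and the [MCIDRV_VER] section in system.ini), as an added example that is not Sophos code. The function names and the sample input are assumptions made for illustration; the caller supplies the text of system.ini and a listing of file names from the <System> folder.

```python
import re

# Indicators taken from the description above.
DROPPED_FILES = {"vcmgcd32.dll", "vcmgcd32.dll_"}
INI_SECTION = "mcidrv_ver"
INI_KEY = "device"

def parse_ini_sections(text):
    """Tolerant INI reader: system.ini may repeat keys, so keep every pair."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def find_indicators(system_ini_text, system_dir_names):
    """Return (indicator, detail) findings; names are matched case-insensitively."""
    findings = []
    for key, value in parse_ini_sections(system_ini_text).get(INI_SECTION, []):
        if key == INI_KEY:
            findings.append(("system.ini [MCIDRV_VER] DEVICE entry", value))
    for name in sorted(system_dir_names):
        if name.lower() in DROPPED_FILES:
            findings.append(("dropped file in <System>", name))
    return findings

# Constructed sample input, not taken from a real host.
SAMPLE_INI = """; for 16-bit app support
[drivers]
wave=mmdrv.dll
[mci]
[MCIDRV_VER]
DEVICE=qzxkvbnt
"""
SAMPLE_DIR = ["kernel32.dll", "VCMGCD32.DLL", "vcmgcd32.dll_", "user32.dll"]

if __name__ == "__main__":
    for indicator, detail in find_indicators(SAMPLE_INI, SAMPLE_DIR):
        print(f"{indicator}: {detail}")
```

Because the DEVICE value is a random string, the check keys on the section and key names rather than the value; a finding is a lead for a full scan, since infected ".exe" and ".scr" files are not covered by it.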
