W32/Sality-AM

Aliases
  • Win32/Sality.gen
  • W32/Sality.dll
  • New Win32.s

How it spreads
  • Removable storage devices
  • Network shares
  • Infected files
Affected operating systems Windows
Characteristics
  • Drops more malware
Protection available since 15 January 2008 07:26:45 (GMT)
Last updated 7 July 2009 19:00:50 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for disinfecting PE executables.


It is advisable to enable scanning for suspicious files and submit any files detected as Mal/Sality-Gen or Sus/Sality-A to Sophos for further analysis.

More Information

W32/Sality-AM is a virus for the Windows platform, a member of the Sality family of viruses.

W32/Sality-AM may also spread by copying itself to removable devices and network shares. It typically drops a hidden autorun.inf file so that copies of itself run automatically when the device is accessed; this file is detected as Mal/AutoInf-A.

W32/Sality-AM includes the functionality to download additional files from a remote location.

When first run, W32/Sality-AM may infect executables in the root folder, files on network shares, and files it finds by reading registry locations including the following:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache

W32/Sality-AM may drop another executable file, detected as Mal/Behav-010.

W32/Sality-AM may install the following file:

<System>\<random>.sys (detected as Troj/RkSal-A or Troj/RKSal-Gen)

W32/Sality-AM may set registry entries under:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\<service name>

where <service name> can be, for example, LEGACY_WMI_MFC_TPSHOKER_80.

W32/Sality-AM may delete registry entries under:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\

W32/Sality-AM may disable some system integrity checkers by modifying executables named "filemon.exe" so that they exit immediately.

W32/Sality-AM may disable certain system tools such as the Windows Task Manager and the Microsoft Registry Editor (regedit).
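The following PowerShell triage script is an added example and is not Sophos code. It reads the host-side indicators listed above (missing SafeBoot keys, a LEGACY_* entry under Enum\Root, policy values that disable Task Manager and regedit, a hidden autorun.inf on removable drives) and lists the Run-key targets that should be scanned first. The LEGACY_*TPSHOKER* name pattern and the DisableTaskMgr / DisableRegistryTools policy values are assumptions for triage; the page gives one example service name and does not say which mechanism the virus uses to disable the tools. The script only reads; it does not disinfect.

```powershell
# Added defender-side triage script (not Sophos code). Read-only; run in an
# elevated PowerShell session on the host under investigation.

function Test-SafeBootKeys {
    # Sality-AM may delete the SafeBoot tree; both subkeys exist on a healthy system.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    foreach ($sub in 'Minimal', 'Network') {
        $path = Join-Path $base $sub
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ Indicator = 'SafeBoot key missing'; Detail = $path }
        }
    }
}

function Get-SuspiciousLegacyEnumEntries {
    # The dropped driver registers under Enum\Root; the page names
    # LEGACY_WMI_MFC_TPSHOKER_80 as one example. The wildcard is an assumption.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'LEGACY_*TPSHOKER*' } |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'Enum\Root entry'; Detail = $_.PSChildName }
        }
}

function Get-ToolDisablePolicies {
    # Assumption: Task Manager and regedit are disabled through these policy values.
    foreach ($hive in 'HKCU', 'HKLM') {
        $path = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        if (Test-Path $path) {
            $props = Get-ItemProperty -Path $path
            foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
                if ($props.$name -eq 1) {
                    [pscustomobject]@{ Indicator = 'Tool disabled by policy'; Detail = "$path\$name" }
                }
            }
        }
    }
}

function Get-RemovableAutorunFiles {
    # autorun.inf dropped to removable drives (DriveType 2), normally hidden.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object {
            $inf = "$($_.DeviceID)\autorun.inf"
            if (Test-Path -LiteralPath $inf) {
                $attrs = (Get-Item -LiteralPath $inf -Force).Attributes
                [pscustomobject]@{ Indicator = 'autorun.inf on removable drive'; Detail = "$inf ($attrs)" }
            }
        }
}

function Get-RunKeyTargets {
    # Files referenced from the Run keys are among the first the virus infects; list them for scanning.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (Test-Path $key) {
            (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object {
                    [pscustomobject]@{ Indicator = 'Run key target (scan this)'; Detail = "$($_.Name) = $($_.Value)" }
                }
        }
    }
}

$findings = @(Test-SafeBootKeys) + @(Get-SuspiciousLegacyEnumEntries) +
            @(Get-ToolDisablePolicies) + @(Get-RemovableAutorunFiles)
if ($findings.Count -eq 0) {
    'No W32/Sality-AM host indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
Get-RunKeyTargets | Format-Table -AutoSize
```

Any finding from the first four checks is a reason to scan the host with an up-to-date scanner and to submit files detected as Mal/Sality-Gen or Sus/Sality-A as the Action section describes; an empty result does not rule out infection, since the virus also spreads through network shares and arbitrary executables not referenced from the registry.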

W32/Sality-AM contains bugs in its viral code, and some files it infects will be corrupted. Some of these files may be disinfectable if the host code can be recovered safely, while others will be corrupt beyond repair. It is also possible that the virus saves a corrupt version of the host, such that successful disinfection still leaves behind a corrupt host. This is also true of files with appended data, since the virus overwrites this data during infection.
