Have you noticed that computer viruses are lurking everywhere today: at home, at work, in internet cafes? Data collected by Kaspersky Lab's 2009 antivirus product on the malicious, advertising, and potentially unwanted programs found on users' computers shows that Win32/Sality.AA has dominated for two months and, together with Sality.z, makes Sality one of the most widespread and dangerous malware families of the recent past. Sality spies on you and steals your banking information, possibly feeding a very large international bank robbery crime ring. The infection can be recognized by the changes it makes to your system. You can identify this threat, but you are better off avoiding it.
Sality is a virus with backdoor capabilities and a keylogger, and it infects executable files by inserting its code into host files. Once installed, Sality infects local executable files and deletes all files related to anti-virus and anti-spyware applications and firewalls. When executed, Win32/Sality.AA drops a malicious component file to:
%System%\drivers\.sys
This component is a device driver that acts as a kernel-level rootkit: it lets the virus hide itself on the compromised system by altering kernel data structures and concealing its malicious activity. Bear in mind that this rootkit technique only works on Windows NT-based operating systems such as NT/2000/XP/2003.
As part of the device driver installation routine, Sality.AA also adds the following registry entry:
HKLM\SYSTEM\CurrentControlSet\Services\abp470n5
It adds the following text to the system.ini file located in the %Windows% directory:
[MCIDRV_VER]
DEVICEMB=
The virus can be recognized by the following registry key, which holds many random subkeys and entries required for its malicious routines:
HKCU\Software\<3 random numbers>
Sality then attempts to run a keylogging module that collects system and network information, records passwords and login names, steals other sensitive information, and sends all the data to a predefined email address. After that, Sality opens a backdoor that gives the remote attacker full control over the infected computer, putting any financial or banking information stored on it at risk and posing a serious security threat.
Remember that this virus is known under the following aliases:
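The host indicators listed above (the service key, the system.ini marker and the three-digit HKCU\Software key) can be checked in one pass. The following read-only triage script is an added example written for this post, not code from the original article or from any vendor; it assumes Windows PowerShell 3 or later and a user who is allowed to read HKLM.

```powershell
# Added, read-only triage script (not from the original post): checks a Windows host
# for the Win32/Sality.AA indicators described above. Assumes Windows PowerShell 3+.
$findings = @()

# 1. Service key created by the device driver installation routine
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\abp470n5'
if (Test-Path $svc) {
    $image = (Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service key present: $svc (ImagePath: $image)"
}

# 2. [MCIDRV_VER] section followed by a DEVICEMB value in %Windows%\system.ini
$ini = Join-Path $env:windir 'system.ini'
if ((Test-Path $ini) -and
    ((Get-Content -Path $ini -Raw) -match '(?ms)^\[MCIDRV_VER\]\s+DEVICEMB=')) {
    $findings += "system.ini contains the [MCIDRV_VER] / DEVICEMB marker"
}

# 3. HKCU\Software\<3 random numbers>: a subkey whose name is exactly three digits
foreach ($key in Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue) {
    if ($key.PSChildName -match '^\d{3}$') {
        $count = @(Get-ChildItem -Path $key.PSPath -Recurse -ErrorAction SilentlyContinue).Count
        $findings += "Suspicious key $($key.Name) with $count subkeys beneath it"
    }
}

# 4. Symptom reported by an infected user in the comments below: Task Manager and
#    the registry editor disabled through the per-user policy values
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if (Test-Path $pol) {
    $p = Get-ItemProperty -Path $pol
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        if ($p.$name -eq 1) { $findings += "Policy value $name is set to 1" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Sality.AA indicators found.'
} else {
    Write-Output 'Possible Sality.AA infection:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Because the kernel-mode component hides its data structures from the running system, a clean result from a live host is not conclusive; run the same checks against the disk and registry hives from offline or rescue media before trusting it.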
| Vendor | Detection name |
|---|---|
| Avast | Win32:Sality-gen |
| AVG | Win32/Tanatos.M |
| BitDefender | Win32.Sality.OG |
| CAT-QuickHeal | W32.Sality.W |
| ClamAV | - |
| DrWeb | Win32.Sector.10 |
| eSafe | Suspicious File |
| eTrust-Vet | Win32/Sality.AA |
| Ewido | - |
| F-Prot | - |
| F-Secure | Virus.Win32.Sality.aa |
| Fortinet | - |
| GData | Virus.Win32.Sality.aa |
| Ikarus | Trojan.Win32.Crypt.D |
| K7AntiVirus | - |
| Kaspersky | Virus.Win32.Sality.aa |
| Microsoft | Virus:Win32/Sality.AM |
| NOD32 | Win32/Sality.NAR |
| Norman | W32/Sality.AE |
| Panda | Suspicious file |
| PCTools | - |
| Prevx1 | - |
| Rising | - |
| Sophos | Win32.KUKU.a |
| Sunbelt | - |
| Symantec | W32.Sality.AE |
| TheHacker | W32/Sality.gen |
| TrendMicro | PE_SALITY.EN-O |
| VBA32 | Virus.Win32.Sality.kaka |
| VirusBuster | - |
| Webwasher-Gateway | Win32.Sality.Y |
| ViRobot | - |
To keep your PC out of danger, use a reputable malware remover to detect Sality and automatically remove it together with the other spyware, adware, trojans and viruses hiding on your PC.
Resources:
The leading Win32/Sality.AA virus
Description of Win32/Sality
Understanding computer virus
Sality removal
Mar 17, 2009 at 20:12:45
I have a problem with sality/tanatos/heur viruses. They have disabled the registry editor, task manager and anti-virus installation. I tried AVG 7.5 free edition, but it doesn't work. So would you like to help me kill those viruses? Is there any spyware removal with a free license?
Apr 20, 2009 at 07:18:17
Use Rising antivirus.
Sep 14, 2009 at 22:28:34
This file has infected my computer, and now I can't connect to any servers in Counter-Strike.
Mar 13, 2010 at 11:07:32
Use Spyware Doctor or SpyBot.