Win32: Sality Virus Summary, Prevention and Removal

Saleem Ahmed
Jul 27, 2018 · 2 min read

Virus:Win32/Sality.AM is a variant of a family of polymorphic file infectors that target Windows executable files with extensions .SCR or .EXE. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

Infection

In addition to infecting local and remotely shared executable files, W32.Sality deliberately searches the following registry subkeys and infects the executables they reference, including those that run when Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Symptoms

The following system changes may indicate the presence of Virus:Win32/Sality.AM:

  • Infected files may unexpectedly increase in size
  • Anti-virus and firewall applications may fail to function
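The two symptoms above and the three autorun keys listed under Infection suggest a simple defender's check. The following PowerShell script is an added example, not code from the post: it reads those keys, records the size, SHA-256 hash and Authenticode status of every executable they reference, and on later runs flags any autorun executable whose size or hash has changed against a saved baseline. The baseline path is a placeholder to adjust.

```powershell
# Added example (not from the post): list the autorun keys the post says Sality
# targets, and record each referenced executable's size, SHA-256 and signature.
$AutorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
function Get-ExecutablePath([string]$Command) {
    # Extract the program path from a Run value such as "C:\App\a.exe" /silent
    if ($Command -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    elseif ($Command -match '^\s*(\S+\.exe)') { $path = $Matches[1] }
    else { return $null }
    return [Environment]::ExpandEnvironmentVariables($path)
}
function Get-AutorunBaseline {
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            # Skip the registry provider's own metadata properties, which are not values
            if ($name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            $exe = Get-ExecutablePath ([string]$props.$name)
            if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
            [pscustomobject]@{
                Value     = $name
                Path      = $exe
                SizeBytes = (Get-Item -LiteralPath $exe).Length
                SHA256    = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
                Signature = (Get-AuthenticodeSignature -FilePath $exe).Status
            }
        }
    }
}

# First run saves a baseline CSV; later runs flag an autorun executable whose
# size or hash changed (the "file grew unexpectedly" symptom above).
$Baseline = 'C:\Baseline\autorun-baseline.csv'   # placeholder path, adjust as needed
$now = @(Get-AutorunBaseline)
if (Test-Path -LiteralPath $Baseline) {
    $old = Import-Csv -LiteralPath $Baseline
    foreach ($entry in $now) {
        $prev = $old | Where-Object { $_.Path -eq $entry.Path }
        if ($prev -and ([int64]$prev.SizeBytes -ne $entry.SizeBytes -or $prev.SHA256 -ne $entry.SHA256)) {
            Write-Warning "Changed autorun executable: $($entry.Path) ($($prev.SizeBytes) -> $($entry.SizeBytes) bytes)"
        }
    }
} else {
    $now | Export-Csv -LiteralPath $Baseline -NoTypeInformation
}
$now | Format-Table Value, Path, SizeBytes, Signature -AutoSize
```

Run it from an elevated prompt on a known-clean machine first so the baseline itself is trustworthy; an unsigned or changed autorun executable is a lead for a full scan, not proof of infection on its own.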

Prevention
Take the following steps to help prevent infection on your computer:

  • Get the latest computer updates for all your installed software.
  • Use up-to-date antivirus software.
  • Limit user privileges on the computer.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to web pages.
  • Avoid downloading pirated software.
  • Protect yourself against social engineering attacks.
  • Use strong passwords.

Limit user privileges on the computer

Starting with Windows Vista and Windows 7, Microsoft introduced User Account Control (UAC), which, when enabled, allows users to run with least user privileges. This limits the scope for malware and other threats that require administrative privileges to run.

Protect yourself from social engineering attacks

While attackers may attempt to exploit vulnerabilities in hardware or software to compromise a computer, they also attempt to exploit vulnerabilities in human behavior to do the same. When an attacker attempts to take advantage of human behavior to persuade the affected user to perform an action of the attacker’s choice, it is known as ‘social engineering’. Essentially, social engineering is an attack against the human interface of the targeted computer.

Removal Tool

Run Norton Power Eraser (NPE).

Or, from Kaspersky:

Download the file SalityKiller.zip

Other antivirus software that was successful in removing it: AVG's rmslt.exe and Symantec's Power Eraser.

NOD32, Avast and Avira deleted the infected files outright. That does disinfect your system, but you lose your data.

Aliases
Win32/Kashu.B (AhnLab)
Win32.Sality.NX (BitDefender)
Win32/Sality.W (CA)
Win32.Sector.5 (Dr.Web)
Win32/Sality.NAO (ESET)
W32/Sality.AJ (Frisk (F-Prot))
Virus.Win32.Sality.y (Kaspersky)
W32/Sality.AE (McAfee)
W32/Sality.AO (McAfee)
W32/Smalltroj.DXSV (Norman)
W32/Sality-AM (Sophos)
W32.Sality.AE (Symantec)
Win32.Sality.AK (VirusBuster)

Saleem Ahmed

Written by

Without permanence, reality is just an evanescent fugacious playpen of pointless inconsequentiality | salahm.com |
