Win32: Sality Virus Summary, Prevention and Removal!!!

Saleem Ahmed
Jul 27, 2018


Virus:Win32/Sality.AM is a variant of a family of polymorphic file infectors that target Windows executable files with extensions .SCR or .EXE. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

Infection

W32.Sality will infect executable files on local, removable and remote shared drives. It replaces the original host code at the entry point of the executable to redirect execution to the polymorphic viral code, which has been encrypted and inserted in the last section of the host file.
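An added example (not code from the original post) of checking a file for the structural trace this paragraph describes: a small standard-library Python PE header parser that reports when the entry point falls inside the last section, or when that last section is both writable and executable. The sample header built by build_sample is constructed for the demo and is not a real binary.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(pe):
    """Return (entry_rva, [(name, va, size, characteristics), ...]) from a PE image's headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]           # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]  # COFF SizeOfOptionalHeader
    entry_rva = struct.unpack_from("<I", pe, pe_off + 40)[0] # OptionalHeader.AddressOfEntryPoint
    sec_off = pe_off + 24 + opt_size                         # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, *_, chars = struct.unpack_from("<8sIIIIIIHHI", pe, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize or rawsize, chars))
    return entry_rva, sections


def assess(pe):
    """Flag the pattern described above: entry point redirected into code placed in the last section."""
    entry_rva, sections = parse_sections(pe)
    if not sections:
        raise ValueError("no section headers")
    entry_sec = next((s for s in sections if s[1] <= entry_rva < s[1] + s[2]), None)
    last = sections[-1]
    findings = []
    if entry_sec is None:
        findings.append("entry point outside every section")
    elif entry_sec is last and len(sections) > 1:
        findings.append(f"entry point in last section {last[0]!r}")
    if last[3] & IMAGE_SCN_MEM_EXECUTE and last[3] & IMAGE_SCN_MEM_WRITE:
        findings.append(f"last section {last[0]!r} is writable and executable")
    return findings


def build_sample(entry_rva, last_chars):
    """Constructed minimal PE32 header (headers only, not a runnable binary) with .text then .data."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                          # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # 2 sections
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    def sec(name, va, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, va, 0x1000, 0, 0, 0, 0, 0, chars)
    return dos + coff + opt + sec(b".text", 0x1000, 0x60000020) + sec(b".data", 0x2000, last_chars)


if __name__ == "__main__":
    print("clean   :", assess(build_sample(0x1010, 0xC0000040)))  # entry in .text, .data is RW
    print("suspect :", assess(build_sample(0x2010, 0xE0000040)))  # entry in .data, .data is RWX
```

Plenty of legitimate packed or protected executables also trip this check, so treat a hit as a reason to scan the file, not as proof of infection.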

In addition to infecting local and remotely shared executable files, W32.Sality will purposely search for the following registry subkeys to infect the executables associated with that subkey, including those executables that run when Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Symptoms

System Changes

The following system changes may indicate the presence of Virus:Win32/Sality.AM:

  • Infected files may unexpectedly increase in size
  • Anti-virus and firewall applications may fail to function

Prevention
Take the following steps to help prevent infection on your computer:

  • Enable a firewall on your computer.
  • Get the latest computer updates for all your installed software.
  • Use up-to-date antivirus software.
  • Limit user privileges on the computer.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to web pages.
  • Avoid downloading pirated software.
  • Protect yourself against social engineering attacks.
  • Use strong passwords.

Limit user privileges on the computer

Starting with Windows Vista and Windows 7, Microsoft introduced User Account Control (UAC), which, when enabled, lets users run with the least privileges they need. This limits the possibility of attacks by malware and other threats that require administrative privileges to run.

Protect yourself from social engineering attacks

While attackers may attempt to exploit vulnerabilities in hardware or software to compromise a computer, they also attempt to exploit vulnerabilities in human behavior to do the same. When an attacker attempts to take advantage of human behavior to persuade the affected user to perform an action of the attacker’s choice, it is known as ‘social engineering’. Essentially, social engineering is an attack against the human interface of the targeted computer.

Removal Tool

If you are a Norton product user, try the following resources to remove this risk.

Run Norton Power Eraser (NPE)

Or else [From Kaspersky]:

Download the file SalityKiller.zip

Other antivirus products that were successful in removing it were AVG's rmslt.exe and Symantec's Power Eraser.

NOD32, Avast and Avira deleted the infected files outright. That does disinfect your system, but you lose your data.

Aliases
Win32/Kashu.B (AhnLab)
Win32.Sality.NX (BitDefender)
Win32/Sality.W (CA)
Win32.Sector.5 (Dr.Web)
Win32/Sality.NAO (ESET)
W32/Sality.AJ (Frisk (F-Prot))
Virus.Win32.Sality.y (Kaspersky)
W32/Sality.AE (McAfee)
W32/Sality.AO (McAfee)
W32/Smalltroj.DXSV (Norman)
W32/Sality-AM (Sophos)
W32.Sality.AE (Symantec)
Win32.Sality.AK (VirusBuster)
