Sality

Virus - Analysis

A sample from the W32.Sality virus family was observed to do the following:

It stops the following services (Windows service names in parentheses):
"Application Layer Gateway Service" (ALG),
"Windows Firewall/Internet Connection Sharing (ICS)" (SharedAccess),
"Security Center" (wscsvc)


It creates an autorun.inf file in the root directory of removable and network shared drives, so that when such a drive is opened on another machine, Windows AutoRun launches the virus copy and that computer is infected too.

It disables Security Center notifications, so the user is not warned that the firewall has been stopped.

It also disables Task Manager and the registry editor. This is done through the DisableTaskMgr and DisableRegistryTools policy values under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, so a quick check for those values is a useful indicator.

It deletes the SafeBoot registry keys (HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network). Without them Windows cannot start in Safe Mode, which removes the usual fallback for cleaning the infection.

The virus also modifies the following files:
C:\windows\system.ini
C:\windows\system32\cmd.exe
C:\windows\system32\mmc.exe
C:\windows\system32\taskmgr.exe


Symantec's write-up describes how W32.Sality infects a computer as follows:

W32.Sality will infect executable files on local, removable and remote shared drives. It replaces the original host code at the entry point of the executable to redirect execution to the polymorphic viral code, which has been encrypted and inserted in the last section of the host file.

In addition to infecting local and remotely shared executable files, W32.Sality will purposely search for specific registry subkeys to infect the executable files that run when Windows starts.
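The description above gives a concrete thing to look for in a suspect executable: the code at the entry point has been replaced by a stub that hands control to the last section, where the encrypted viral body was appended. The following script is an added example for this post (not Symantec's or any vendor's code) that parses just enough of a PE header to find the entry point, decodes the first instruction there (a jmp rel32, jmp rel8, or push imm32 / ret redirect) and reports whether execution is sent into the last section and whether that section is both writable and executable. The two sample images it checks are constructed in memory, not real infected files, and the section name ".extra" is made up to stand in for the appended viral body. Packers and some legitimate protectors produce the same layout, so treat a hit as a reason to look closer, not as a verdict.

```python
"""Heuristic check for the Sality entry-point redirection described above.
Added example for this post, not Symantec's or any vendor's code: parse the PE
header, decode the first instruction at the entry point (jmp rel32/rel8 or
push imm32;ret) and report whether it hands control to the LAST section.
Sample images at the bottom are constructed in memory, not real files."""
import struct

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def parse_pe(data):
    """Return entry RVA, image base and section table of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = (struct.unpack_from("<I", data, opt + 28)[0] if magic == 0x10B  # PE32: +28, 4 bytes
                  else struct.unpack_from("<Q", data, opt + 24)[0])               # PE32+: +24, 8 bytes
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i    # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr,
                         "chars": struct.unpack_from("<I", data, off + 36)[0]})
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}

def section_index(pe, rva):
    """Index of the section whose virtual range contains rva, or None."""
    for i, s in enumerate(pe["sections"]):
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return i
    return None

def redirect_target(data, pe):
    """RVA that the first instruction at the entry point transfers to, or None."""
    ep = pe["entry_rva"]
    i = section_index(pe, ep)
    if i is None:
        return None
    s = pe["sections"][i]
    start = s["rawptr"] + (ep - s["va"])     # file offset of the entry point
    code = data[start:start + 6]
    if code[:1] == b"\xE9" and len(code) >= 5:        # jmp rel32
        return (ep + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
    if code[:1] == b"\xEB" and len(code) >= 2:        # jmp rel8
        return (ep + 2 + struct.unpack_from("<b", code, 1)[0]) & 0xFFFFFFFF
    if code[:1] == b"\x68" and code[5:6] == b"\xC3":  # push imm32 ; ret (absolute VA)
        return (struct.unpack_from("<I", code, 1)[0] - pe["image_base"]) & 0xFFFFFFFF
    return None

def assess(data):
    """Flag the 'entry point hands control to the last section' pattern."""
    pe = parse_pe(data)
    last = len(pe["sections"]) - 1
    ep_sec = section_index(pe, pe["entry_rva"])
    target = redirect_target(data, pe)
    tgt_sec = section_index(pe, target) if target is not None else None
    chars = pe["sections"][last]["chars"]
    f = {"entry_section": pe["sections"][ep_sec]["name"] if ep_sec is not None else None,
         "entry_in_last_section": ep_sec == last,
         "entry_jumps_to_last_section": tgt_sec == last and ep_sec != last,
         "last_section_rwx": bool(chars & IMAGE_SCN_MEM_EXECUTE) and bool(chars & IMAGE_SCN_MEM_WRITE)}
    f["suspicious"] = f["entry_in_last_section"] or f["entry_jumps_to_last_section"]
    return f

def build_sample_pe(sections, entry_rva, image_base=0x400000):
    """Minimal, non-loadable PE32 for testing; sections = [(name, rva, raw_bytes, chars)]."""
    num, pe_off = len(sections), 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    raw_ptr = pe_off + 4 + 20 + 224 + 40 * num    # raw section data follows the headers
    table, body = b"", b""
    for name, rva, raw, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), rva,
                             len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
    return dos + b"PE\0\0" + coff + bytes(opt) + table + body

# Constructed inputs: a clean layout whose entry point stays in .text, and an infected-style
# layout whose entry point is a jmp rel32 into an appended RWX last section (".extra" is made up).
TEXT_CHARS, DATA_CHARS, RWX_CHARS = 0x60000020, 0xC0000040, 0xE0000020
CLEAN_IMAGE = build_sample_pe([(b".text", 0x1000, b"\x55\x8B\xEC\x33\xC0\x5D\xC3", TEXT_CHARS),
                               (b".data", 0x2000, b"\0" * 16, DATA_CHARS)], entry_rva=0x1000)
INFECTED_IMAGE = build_sample_pe(
    [(b".text", 0x1000, b"\xE9" + struct.pack("<i", 0x3000 - 0x1005) + b"\x5D\xC3", TEXT_CHARS),
     (b".data", 0x2000, b"\0" * 16, DATA_CHARS),
     (b".extra", 0x3000, b"\x90" * 32, RWX_CHARS)], entry_rva=0x1000)
```

Running `assess(open(path, "rb").read())` on a real file returns the same dictionary; `entry_jumps_to_last_section` is the field that matches the behaviour Symantec describes, since the entry point itself stays in the original code section and only the bytes there are overwritten with a jump. The `rwx` flag is a supporting signal: a last section that is both writable and executable is what an appended, self-decrypting body needs, and it is rare in normally linked binaries.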


You can read more about W32.Sality in Symantec's threat write-up.

