W32/Sality

Threat risk: low

Detection files published: 20 Jan 2005
Description created: 2006-12-14
Description updated: 2006-12-14

Malware type: Backdoor, Keylogger, Virus
Alias:
Spreading mechanism: File Infection, Network

Payload: Attempts to steal information; downloads other malware; displays a message; terminates security programs

Summary

This is a family of file-infecting viruses with backdoor and keylogger capabilities. Some variants install a helper component in the Windows System folder. The name of this component varies by Sality variant:

SYSLIB32.DLL (All early versions)
OLEMDB32.DLL (Sality.M, version 3.03)
WMIMGR32.DLL (Sality.N, version 3.04)
VCMGRD32.DLL (Sality.P/Q, version 3.07)
VCMGCD32.DLL (Sality.R, version 3.09)
WDMFMC32.DLL (Sality.S, version 3.07)
...and others.

This DLL is then injected into running processes.


Spreading description

The virus family spreads primarily by infecting executable files on local and shared drives. Early on it was also spread and downloaded by a number of Bagle-related malware. It specifically tries to infect the files referenced in the registry Run keys so that it becomes active at boot.
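The two host-side traces the description gives, a known helper DLL name in the System folder and the executables named in the registry Run keys that Sality infects to survive a reboot, can be checked from an offline inventory. The following is an added example written for this page, not Norman's tooling; the folder listing and Run-key values it works on are constructed sample data, and it assumes the Run-key command lines are stored as plain strings.

```python
# Added triage helper for the W32/Sality behaviour described on this page.
# It is example code, not Norman's tooling, and runs on a constructed,
# offline inventory: a listing of the Windows System folder and the raw
# values of the registry Run keys.

# Helper DLL names the description attributes to Sality variants.
SALITY_HELPER_DLLS = {
    "syslib32.dll": "early versions",
    "olemdb32.dll": "Sality.M (3.03)",
    "wmimgr32.dll": "Sality.N (3.04)",
    "vcmgrd32.dll": "Sality.P/Q (3.07)",
    "vcmgcd32.dll": "Sality.R (3.09)",
    "wdmfmc32.dll": "Sality.S (3.07)",
}

def find_helper_dlls(system_folder_listing: list) -> dict:
    """Return {filename: variant} for entries matching a known helper name.
    Windows file names are case-insensitive, so compare in lower case."""
    return {name: SALITY_HELPER_DLLS[name.lower()]
            for name in system_folder_listing
            if name.lower() in SALITY_HELPER_DLLS}

def run_key_executable(command: str) -> str:
    """Extract the program path from a Run-key value.
    A quoted value ends at the closing quote; an unquoted one is extended
    token by token until it ends in .exe, because unquoted paths may
    contain spaces and be followed by arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split(" ")
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if candidate.lower().endswith(".exe"):
            return candidate
    return tokens[0]  # no .exe suffix found: fall back to the first token

def run_key_targets(run_keys: dict) -> dict:
    """Map each Run-key value name to the executable Sality would target;
    these are the files to verify or scan first on a suspect machine."""
    return {name: run_key_executable(cmd) for name, cmd in run_keys.items()}

# Constructed sample inventory (not data from a real infection).
SAMPLE_SYSTEM_FOLDER = ["kernel32.dll", "VCMGRD32.DLL", "user32.dll"]
SAMPLE_RUN_KEYS = {
    "Updater": '"C:\\Program Files\\Vendor\\update.exe" /silent',
    "Tray": "C:\\Program Files\\Vendor App\\tray.exe -min",
    "Sync": "C:\\Tools\\sync.exe",
}
```

On the sample data the helper check reports VCMGRD32.DLL as the Sality.P/Q component, and the Run-key parser yields the three program paths with their arguments stripped.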

Threat description

Sality collects information from the infected machine and attempts to mail it out. The gathered information may include:

- Operating system
- IP address
- Net share passwords
- Computer name
- Recently visited websites
- Dialup connection passwords
- Logged keystrokes
- Harvested email addresses

Some Sality variants download other malware components from the web; these can be almost anything, ranging from other trojans and viruses to adware.

Sality will try to terminate several processes belonging to security programs.

On some occasions, Sality may display a message box saying:

Title: Win32.HLLP.Kuku v<version number>
 <<<<< Hey, Lamer! Say "Bye-bye" to your data! >>>>>

Copyright (C) by Sector

Removal

The first variant was added to the definition files in January 2005. Since then, numerous other variants have been found and added to our definitions.

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. If your Norman antivirus is unable to clean up the infection, please use the latest version of this program from the link below.

Related usage notes:

- Stopping network share infectors
- Cleaning of back-up folders on Windows Me and XP