W32/Sality.t

Type: Virus
SubType: Win32
Discovery Date: 05/24/2006
Length: Varies
Minimum DAT: 4769 (05/24/2006)
Updated DAT: 5225 (02/07/2008)
Minimum Engine: 5.1.00
Description Added: 05/24/2006
Description Modified: 06/05/2006 3:49 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

The W32/Sality.t detection bears the following characteristics:

  • Injects the wdmfmc32.dll file into running processes
  • Creates the following mutexes:
    • KUKU300a
    • KUKU301a
    • uku_joker_v3.06
  • Infects PE executable files 
  • Attempts to contact a remote website to test internet connectivity 
  • Deletes files whose filenames contain any of the following strings:
    • KAV
    • ANTI
    • SCAN
    • ZONE
    • ANDA
    • TROJ
    • TREN
    • ALER
    • CLEAN
    • OUTP
    • GUAR
    • TOTAL

Symptoms

  • Existence of the files mentioned
  • Existence of larger executable files due to the parasitic infection

Method of Infection

This is a parasitic virus that searches for and infects Windows Portable Executable (PE) files, which typically have the .EXE file extension.

It replaces the original code at the entry point with viral code and stores an encrypted copy of the original code in the appended space of the file. Due to a bug in the virus, it may cause certain PE files to be corrupted.
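
The two symptoms described above (a larger file and replaced code at the entry point) can be checked against a known-good copy of the same file. The following is an added example, not part of the original description; the function names and the sample image are constructed for illustration, and it assumes a trusted baseline of the identical file version is available.

```python
import struct

def entry_point_offset(pe: bytes) -> int:
    """Map AddressOfEntryPoint (an RVA) to its offset in the file."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    nt, = struct.unpack_from("<I", pe, 0x3C)            # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, = struct.unpack_from("<H", pe, nt + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, nt + 20)   # SizeOfOptionalHeader
    ep_rva, = struct.unpack_from("<I", pe, nt + 40)     # AddressOfEntryPoint
    table = nt + 24 + opt_size                          # first section header
    for i in range(nsect):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", pe, table + 40 * i + 8)
        if vaddr <= ep_rva < vaddr + max(vsize, rsize):
            return rptr + (ep_rva - vaddr)
    raise ValueError("entry point is outside every section")

def compare_to_baseline(baseline: bytes, current: bytes, window: int = 32) -> dict:
    """Compare a file with a trusted copy of the same version."""
    b, c = entry_point_offset(baseline), entry_point_offset(current)
    result = {
        "grew_by": len(current) - len(baseline),
        "entry_code_changed": baseline[b:b + window] != current[c:c + window],
    }
    # Flag only when both symptoms from the description are present.
    result["suspect"] = result["grew_by"] > 0 and result["entry_code_changed"]
    return result

def build_sample_pe(code: bytes, tail: bytes = b"") -> bytes:
    """Constructed one-section PE image for the demo (placeholder bytes only)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000).ljust(0xE0, b"\0")
    sect = b".text\0\0\0" + struct.pack("<4I", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = (dos + coff + opt + sect).ljust(0x200, b"\0")
    return headers + code.ljust(0x200, b"\x90") + tail

if __name__ == "__main__":
    trusted = build_sample_pe(b"\x55\x8b\xec")
    changed = build_sample_pe(b"\xcc" * 8, tail=b"\0" * 0x100)
    print(compare_to_baseline(trusted, changed))
```

A legitimate update also changes size and entry-point code, so the baseline must be the same build of the file as the one being checked.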

Removal

Variants

    N/A

Overview

This detection is for a Win32 parasitic virus variant that infects Windows Portable Executable (PE) files. The virus also attempts to disable certain security programs by deleting their executable files.
