Virus:Win32/Sality


Microsoft security software detects and removes this threat.
 
Threats in this family can:
  • Stop your security software from running
  • Steal your sensitive information
  • Download and run other files
  • Delete security-related files from your PC
  • Lower your PC security settings

Find out ways that malware can get on your PC.  



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Virus:Win32/Sality is a family of polymorphic file infectors that target Windows executable files with extensions .SCR or .EXE. They can run a damaging payload that deletes files with certain extensions and stops security-related processes and services.
Installation 

Win32/Sality's main method of installation is by infecting files on the local system. Most variants employ a DLL that is dropped once on each infected machine. The DLL is written to disk in two forms, for example:

  • <system folder>\wmdrtc32.dll
  • <system folder>\wmdrtc32.dl_

The file with the extension '.dl_' is a compressed copy of the DLL. The DLL contains the bulk of the virus's code.

Recent variants of Sality, such as Win32/Sality.AM, do not drop the DLL, but instead load it entirely in memory without writing it to disk.
Spreads Via...
File infection 
 
Virus:Win32/Sality usually targets all files in drive C: that have .EXE or .SCR file extensions, beginning with the root folder. Infected files increase in size by a varying amount.
Payload
Deletes security-related files

Sality variants usually attempt to delete files related to anti-virus updates, such as those with the following file extensions:

  • .AVC
  • .KEY
  • .VDB

Stops security-related processes 

Win32/Sality commonly searches for and tries to stop security applications, particularly anti-virus and personal firewall programs. It also deletes particular security-related services.
 
Steals sensitive information

Some Virus:Win32/Sality variants can steal cached passwords and log keystrokes entered on the infected system.
 
Downloads and runs files

Win32/Sality variants usually attempt to download and run other files. They may first try to connect to www.microsoft.com in order to check for Internet connectivity.
 
Lowers computer security
 
Win32/Sality variants may modify the computer registry to lower security in Microsoft Windows. The following changes have been observed in several common variants of Win32/Sality:
 
  • Disables User Account Control (UAC)
    Modifies value: EnableLUA
    With data: "0"
    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • Modifies Windows Firewall to allow Internet communication by Win32/Sality
    Adds value: <Win32/Sality file name>
    With data: "<Win32/Sality file name>:*:enabled:ipsec"
    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  • Disables Windows Firewall
    Modifies value: EnableFirewall
    With data: "0"
    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  • Redirects NETSH event tracing session logging
    Modifies value: LogSessionName
    With data: "stdout"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
  • Turns off monitoring of installed antivirus software within Microsoft Security Center
    Modifies value: AntiVirusOverride
    With data: "1"
    In subkeys:
    HKLM\SOFTWARE\Microsoft\Security Center
    HKLM\SOFTWARE\Microsoft\Security Center\Svc
  • Disables Windows Task Manager
    Modifies value: DisableTaskMgr
    With data: "1"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • Turns "Offline Mode" off in Microsoft Internet Explorer
    Modifies value: GlobalUserOffline
    With data: "0"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • Allows hidden files to remain hidden
    Modifies value: Hidden
    With data: "2"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files:
    <system folder>\wmdrtc32.dll
    <system folder>\wmdrtc32.dl_
  • Infected files may unexpectedly increase in size
  • Antivirus and firewall applications may fail to function
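The registry changes listed under "Lowers computer security" and the file names listed under "Symptoms" can be checked in one pass. The following read-only audit script is an added example, not part of the Microsoft encyclopedia entry; it assumes an elevated PowerShell session on the host being examined, and it treats GlobalUserOffline=0 and Hidden=2 as weak signals because both are also Windows defaults.

```powershell
# Added example (not Microsoft's code): report Sality-style registry values
# and dropped-DLL paths described in this entry. Read-only; run elevated.
$checks = @(
  @{ Path='HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';
     Name='EnableLUA'; Bad=0; Note='UAC disabled' },
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile';
     Name='EnableFirewall'; Bad=0; Note='Windows Firewall disabled' },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh';
     Name='LogSessionName'; Bad='stdout'; Note='netsh tracing redirected to stdout' },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center';
     Name='AntiVirusOverride'; Bad=1; Note='Security Center AV monitoring off' },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center\Svc';
     Name='AntiVirusOverride'; Bad=1; Note='Security Center AV monitoring off (Svc)' },
  @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';
     Name='DisableTaskMgr'; Bad=1; Note='Task Manager disabled' },
  @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';
     Name='GlobalUserOffline'; Bad=0; Note='IE offline mode off (weak signal, default)' },
  @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';
     Name='Hidden'; Bad=2; Note='Explorer hides hidden files (weak signal, default)' }
)

$findings = @()
foreach ($c in $checks) {
  if (-not (Test-Path $c.Path)) { continue }
  # Get-ItemProperty yields $null when the value name is absent.
  $prop = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
  if ($null -ne $prop -and $prop.($c.Name) -eq $c.Bad) {
    $findings += "$($c.Note): $($c.Path)\$($c.Name) = $($c.Bad)"
  }
}

# Firewall exceptions whose data ends in ':enabled:ipsec', the form shown above.
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\' +
          'FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwList) {
  $key = Get-Item $fwList
  foreach ($name in $key.GetValueNames()) {
    $data = [string]$key.GetValue($name)
    if ($data -like '*:*:enabled:ipsec') { $findings += "Firewall exception: $name = $data" }
  }
}

# Dropped-DLL names from the Symptoms section, looked up in the system folder.
$sysDir = [Environment]::GetFolderPath('System')
foreach ($f in 'wmdrtc32.dll', 'wmdrtc32.dl_') {
  $p = Join-Path $sysDir $f
  if (Test-Path $p) { $findings += "File present: $p" }
}

if ($findings.Count -eq 0) { 'No Sality-style indicators found.' } else { $findings }
```

HKCU checks cover only the user running the script; a finding of the weak signals alone is not evidence of infection, whereas the firewall exception pattern or either file name warrants a full scan.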

Prevention


Alert level: Severe
First detected by definition: 1.109.1459.0
Latest detected by definition: 1.143.79.0 and higher
First detected on: Aug 10, 2011
This entry was first published on: Jul 08, 2008
This entry was updated on: Nov 07, 2014

This threat is also detected as:
No known aliases