Microsoft security software detects and removes this threat.
This virus stops some security software and prevents some Windows utilities from running. It also tries to download other files from a remote server, including other malware.
It spreads by infecting Windows files and copying itself to removable and remote drives.
Find out ways that malware can get on your PC.
Use the following free Microsoft software to detect and remove this threat:
You should also run a full scan. A full scan might find other, hidden malware.
To recover your affected files you might need to re-install the affected software.
This threat tries to use the Windows Autorun function to spread via removable drives, like USB flash drives. You can disable Autorun to prevent worms from spreading:
Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:
This threat might prevent Registry Editor from running. To let Registry Editor run again, follow these steps:
You might need to take the following steps to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:
It might also be necessary to temporarily change the permission on network shares to read-only until the disinfection process is complete.
This threat might add itself to your Windows Firewall exception list. This means it can go online without being blocked. To remove it from the exception list, do the following:
For Windows 8:
For Windows 7:
For Windows Vista:
This threat might make lasting changes to your PC's settings that won't be restored when it's cleaned. The following steps can help change these settings back to what you want:
Sality.AT drops a device driver as the following:
We detect this driver as Trojan:WinNT/Sality.
The virus creates and starts a system service named amsint32 to run the dropped driver component. Sality.AT communicates with the driver component to restore the system service descriptor table (SSDT).
Sality.AT injects code into all running processes to load and run the virus and to infect Windows executable files with the extension .EXE or .SCR. The virus finds further target files by reading the file names stored under the following registry subkeys:
Sality.AT does not infect files protected by System File Checker (SFC), or files whose names start with one of the following strings:
Removable and remote drives
Sality.AT tries to copy one of the following files to the Windows temporary files folder (for example, %TEMP%) and infects the copied file:
The virus copies the infected file to the root of all remote and removable drives as one of the following:
The virus then writes an Autorun configuration file named autorun.inf pointing to the virus copy. When the drive is accessed from a PC supporting the Autorun feature, the virus is launched automatically.
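The following PowerShell script is an added example for defenders, not a Microsoft tool or part of the original page. It checks a PC for two indicators given above: the amsint32 service that loads the dropped driver, and an autorun.inf at the root of removable or network drives, reporting which program such a file would launch. It also reports whether Autorun is already disabled by policy; that NoDriveTypeAutoRun value is a standard Windows setting and is not something this page lists. The script only reads and reports; it changes nothing.

```powershell
<#
Added example (not Microsoft's tool): report Sality.AT indicators named on this page.
Read-only. Run from an elevated PowerShell prompt so the HKLM and driver queries succeed.
#>

# Returns the launch targets named in autorun.inf text. The open=, shellexecute= and
# shell\<verb>\command= keys are what the Autorun feature actually executes.
function Get-AutorunTargets([string[]]$Lines) {
    foreach ($line in $Lines) {
        if ($line -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=\s*(.+?)\s*$') {
            [pscustomobject]@{ Key = $Matches[1]; Target = $Matches[2] }
        }
    }
}

$report = @()

# 1. The driver service. The page says the virus registers amsint32 as a system service
#    to run the dropped driver, so look at both the Services key and the loaded drivers.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\amsint32'
if (Test-Path $svcKey) {
    $img = (Get-ItemProperty -Path $svcKey).ImagePath
    $report += "amsint32 service key present, ImagePath: $img"
}
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='amsint32'"
if ($drv) { $report += "amsint32 driver state: $($drv.State)" }

# 2. autorun.inf at the root of removable (DriveType 2) and network (DriveType 4) drives.
#    Hidden/system attributes on the file are typical for a worm-written autorun.inf.
$disks = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 4 }
foreach ($disk in $disks) {
    $inf = Join-Path $disk.DeviceID 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    $attrs = (Get-Item -LiteralPath $inf -Force).Attributes
    $report += "$inf present (attributes: $attrs)"
    foreach ($t in Get-AutorunTargets (Get-Content -LiteralPath $inf -Force)) {
        $report += "  $($t.Key) -> $($t.Target)"
    }
}

# 3. Whether Autorun is already disabled. NoDriveTypeAutoRun is a known Windows policy
#    value (not listed on this page); 0xFF disables Autorun for every drive type.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
if ($pol -and (($pol.NoDriveTypeAutoRun -band 0xFF) -eq 0xFF)) {
    $report += 'Autorun disabled for all drive types'
} else {
    $report += 'Autorun not fully disabled (NoDriveTypeAutoRun missing or below 0xFF)'
}

if ($report.Count) { $report } else { 'No Sality.AT indicators found.' }
```

A hit on either the service key or an autorun.inf that points at a file in the drive root is a reason to run the full scan described above before the drive is used on another PC.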
Prevents booting Windows in safe mode
Sality.AT recursively deletes all registry values and data under the following registry subkeys, preventing you from starting Windows in safe mode:
Disables security monitoring software
Sality.AT reads the system service descriptor table (SSDT) directly from the NT kernel (ntoskrnl.exe) and passes the original SSDT to a buffer created by the driver component (Trojan:WinNT/Sality). System API calls through the SSDT are redirected to the clean copy stored in the driver component. This behavior might defeat HIPS or antivirus on-access detection methods that rely on SSDT hooks.
Deletes security-related files
This virus deletes security data files, including security software detection databases and signature files, that have the following file extensions, on all drives and network shares:
Stops security-related services
Win32/Sality tries to stop and delete the following security-related services:
Stops security-related processes
Win32/Sality tries to stop security-related processes if their process name starts with any of these strings:
Additionally, Sality.AT kills processes that have the following modules loaded:
Changes Windows settings
Sality.AT changes the registry to disable Windows Registry Editor:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
Sets value: "DisableRegistryTools"
With data: "1"
The virus changes the registry to prevent viewing files with hidden attributes.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
Sets value: "Hidden"
With data: "2"
Lowers PC security
Sality.AT changes the registry to bypass the Windows firewall.
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<virus file name>:*:enabled:ipsec"
With data: "<virus file name>"
The virus changes other registry data to lower the security of the infected PC. Sality.AT changes the following registry data to alter Windows Security Center and Windows Firewall settings:
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "AntiVirusOverride"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "AntiVirusDisableNotify"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "FirewallOverride"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "FirewallDisableNotify"
With data: "1"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
With data: "0"
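The following PowerShell script is an added example, not a Microsoft tool or part of the original page. It audits the registry values listed in the "Changes Windows settings" and "Lowers PC security" sections above, together with the Windows Firewall exception-list entry, and with -Restore undoes them, which is the manual clean-up the earlier sections on Registry Editor, the firewall exception list and lasting settings changes describe. The subkeys and value names are exactly those the page gives; the "clean" data is an assumption (the policy and override values are removed, since a default install does not have them, Hidden is set to 1 to show hidden files, and EnableFirewall is set to 1). Run it from an elevated PowerShell prompt after the PC has been cleaned.

```powershell
<#
Added example (not Microsoft's tool): audit and optionally undo the registry changes
this page attributes to Sality.AT. Report-only unless -Restore is given.
#>
param([switch]$Restore)

# Each entry: the subkey and value named on the page, the data the virus writes, and the
# restore action. "Remove" deletes the value (assumption: a clean install has no such
# policy/override value); "Set" writes the assumed clean data.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\system'; Name = 'DisableRegistryTools'; Bad = 1; Action = 'Remove' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer';        Name = 'Hidden';               Bad = 2; Action = 'Set'; Clean = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';     Name = 'AntiVirusOverride';      Bad = 1; Action = 'Remove' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'; Name = 'AntiVirusOverride';      Bad = 1; Action = 'Remove' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'; Name = 'AntiVirusDisableNotify'; Bad = 1; Action = 'Remove' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'; Name = 'FirewallOverride';       Bad = 1; Action = 'Remove' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'; Name = 'FirewallDisableNotify';  Bad = 1; Action = 'Remove' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name = 'EnableFirewall'; Bad = 0; Action = 'Set'; Clean = 1 }
)

$findings = @()
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }             # value absent: nothing to do
    $current = $item.($c.Name)
    if ($current -ne $c.Bad) { continue }         # present but not the virus's data
    $findings += "$($c.Path)\$($c.Name) = $current (matches Sality.AT change)"
    if ($Restore) {
        if ($c.Action -eq 'Remove') { Remove-ItemProperty -Path $c.Path -Name $c.Name }
        else { Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Clean -Type DWord }
    }
}

# Firewall exception list. The page gives the entry as "<virus file name>:*:enabled:ipsec";
# take the path before ":*:" from whichever of the value name or data carries it, and flag
# the entry when that file no longer exists (i.e. the cleaned virus file).
$listKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$list = Get-ItemProperty -Path $listKey -ErrorAction SilentlyContinue
if ($list) {
    foreach ($p in $list.PSObject.Properties) {
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $path = @($p.Name, [string]$p.Value) |
            Where-Object { $_ -match ':\*:' } |
            ForEach-Object { [Environment]::ExpandEnvironmentVariables(($_ -split ':\*:')[0]) } |
            Select-Object -First 1
        if ($path -and -not (Test-Path -LiteralPath $path)) {
            $findings += "Firewall exception for missing file: $path (entry '$($p.Name)')"
            if ($Restore) { Remove-ItemProperty -Path $listKey -Name $p.Name }
        }
    }
}

if ($findings.Count) { $findings } else { 'No Sality.AT registry changes found.' }
```

Run it once without -Restore to review the findings; a firewall exception for a file that is still present belongs to legitimate software and is deliberately left alone.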
Sality.AT tries to download files from remote servers to the local drive, then decrypts and runs the downloaded files. We have observed the virus connecting to the following servers:
At the time of this writing, retrieved files were identified as the following:
Analysis by Shawn Wang and Hamish O'Dea
The following could indicate that you have this threat on your PC:
Take these steps to help prevent infection on your PC.