Virus:Win32/Sality.AT


Microsoft security software detects and removes this threat.

This virus stops some security software and prevents some Windows utilities from running. It also tries to download other files from a remote server, including other malware.

It spreads by infecting Windows files and copying itself to removable and remote drives.




What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

To recover your affected files you might need to re-install the affected software.

Disable Autorun

This threat tries to use the Windows Autorun function to spread via removable drives, like USB flash drives. You can disable Autorun to prevent worms from spreading:

Scan removable drives

Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:

Enable the registry editor

This threat might prevent Registry Editor from running. To let Registry Editor run again, follow these steps:

  1. Click Start then Run and type cmd to run a command prompt.
  2. In the command prompt, type the following and press Enter:
    reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
  3. Type exit.
Recovering from recurring infections on a network

You might need to take the following steps to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:

  1. Ensure that an antivirus product is installed on all PCs connected to the network that can access or host shares.
  2. Ensure that all available network shares are scanned with an up-to-date antivirus product.
  3. Restrict permissions as appropriate for network shares on your network. Use access control to restrict who can use files.
  4. Remove any unnecessary network shares or mapped drives.

It might also be necessary to temporarily change the permission on network shares to read-only until the disinfection process is complete.

Remove program exceptions in the firewall

This threat might add itself to your Windows Firewall exception list. This means it can go online without being blocked. To remove it from the exception list, do the following:

For Windows 8:

  1. Open Windows Firewall by swiping in from the right edge of the screen, tapping Search (or if you're using a mouse, pointing to the upper-right corner of the screen, moving the mouse pointer down, and then clicking Search), entering firewall in the search box, tapping or clicking Settings, and then tapping or clicking Windows Firewall.
  2. In the left pane, tap or click Allow an app or feature through Windows Firewall.
  3. Tap or click Change settings. You might be asked for an admin password or to confirm your choice.
  4. In the list of allowed apps, select the entry for the virus file, clear its check boxes (or tap or click Remove), and then tap or click OK.

For Windows 7:

  1. Click Start, select Control Panel, then System and Security.
  2. Select Windows Firewall.
  3. On the menu on the left, select Allow a program through Windows Firewall. If you're prompted, type the password or provide confirmation.
  4. Click Change Settings. If you're prompted, type the password or provide confirmation.
  5. Select <program name> from the list of allowed programs and features. Click Remove.
  6. Click OK.

For Windows Vista:

  1. Click Start, select Control Panel, then Security Center.
  2. On the menu on the left, select Windows Firewall.
  3. On the menu on the left, select Allow a program through Windows Firewall. If you are prompted, type the password or provide confirmation.
  4. Select <program name> from the list of allowed programs and features. Click Delete.
  5. Click OK.
Additional remediation instructions for this threat

This threat might make lasting changes to your PC's settings that won't be restored when it's cleaned. The following steps can help change these settings back to what you want:

Threat behavior

Installation

Sality.AT drops a device driver as the following:

%SystemRoot%\system32\drivers\amsint32.sys

We detect this driver as Trojan:WinNT/Sality.

The virus creates and starts a system service named amsint32 to run the dropped driver component. Sality.AT communicates with the driver component to restore the system service descriptor table (SSDT).

Spreads via…

File infection

Sality.AT injects code into all running processes so that the virus is loaded and run from each of them, and infects Windows executable files with the extension .EXE or .SCR. The virus finds further target files by reading the file names stored in the following registry subkeys:

  • HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Sality.AT does not infect files protected by Windows File Protection (SFC), or files whose names start with one of the following strings:

  • _AVPM.
  • A2GUARD.
  • AAVSHIELD.
  • AVAST
  • ADVCHK.
  • AHNSD.
  • AIRDEFENSE
  • ALERTSVC
  • ALOGSERV
  • ALSVC.
  • AMON.
  • ANTI-TROJAN.
  • AVZ.
  • ANTIVIR
  • APVXDWIN.
  • ARMOR2NET.
  • ASHAVAST.
  • ASHDISP.
  • ASHENHCD.
  • ASHMAISV.
  • ASHPOPWZ.
  • ASHSERV.
  • ASHSIMPL.
  • ASHSKPCK.
  • ASHWEBSV.
  • ASWUPDSV.
  • ATCON.
  • ATUPDATER.
  • ATWATCH.
  • AVCIMAN.
  • AVCONSOL.
  • AVENGINE.
  • AVESVC.
  • AVGAMSVR.
  • AVGCC.
  • AVGCC32.
  • AVGCTRL.
  • AVGEMC.
  • AVGFWSRV.
  • AVGNT.
  • AVGNTDD
  • AVGNTMGR
  • AVGSERV.
  • AVGUARD.
  • AVGUPSVC.
  • AVINITNT.
  • AVKSERV.
  • AVKSERVICE.
  • AVKWCTL.
  • AVP.
  • AVP32.
  • AVPCC.
  • AVPM.
  • AVAST
  • AVSERVER.
  • AVSCHED32.
  • AVSYNMGR.
  • AVWUPD32.
  • AVWUPSRV.
  • AVXMONITOR9X.
  • AVXMONITORNT.
  • AVXQUAR.
  • BDMCON.
  • BDNEWS.
  • BDSUBMIT.
  • BDSWITCH.
  • BLACKD.
  • BLACKICE.
  • CAFIX.
  • CCAPP.
  • CCEVTMGR.
  • CCPROXY.
  • CCSETMGR.
  • CFIAUDIT.
  • CLAMTRAY.
  • CLAMWIN.
  • CLAW95.
  • CUREIT
  • DEFWATCH.
  • DRVIRUS.
  • DRWADINS.
  • DRWEB32W.
  • DRWEBSCD.
  • DRWEBUPW.
  • DWEBLLIO
  • DWEBIO
  • ESCANH95.
  • ESCANHNT.
  • EWIDOCTRL.
  • EZANTIVIRUSREGISTRATIONCHECK.
  • F-AGNT95.
  • FAMEH32.
  • FILEMON
  • FIRESVC.
  • FIRETRAY.
  • FIREWALL.
  • FPAVUPDM.
  • FRESHCLAM.
  • EKRN.
  • FSAV32.
  • FSAVGUI.
  • FSBWSYS.
  • F-SCHED.
  • FSDFWD.
  • FSGK32.
  • FSGK32ST.
  • FSGUIEXE.
  • FSMA32.
  • FSMB32.
  • FSPEX.
  • FSSM32.
  • F-STOPW.
  • GCASDTSERV.
  • GCASSERV.
  • GIANTANTISPYWAREMAIN.
  • GIANTANTISPYWAREUPDATER.
  • GUARDGUI.
  • GUARDNT.
  • HREGMON.
  • HRRES.
  • HSOCKPE.
  • HUPDATE.
  • IAMAPP.
  • IAMSERV.
  • ICLOAD95.
  • ICLOADNT.
  • ICMON.
  • ICSSUPPNT.
  • ICSUPP95.
  • ICSUPPNT.
  • IFACE.
  • INETUPD.
  • INOCIT.
  • INORPC.
  • INORT.
  • INOTASK.
  • INOUPTNG.
  • IOMON98.
  • ISAFE.
  • ISATRAY.
  • ISRV95.
  • ISSVC.
  • KAV.
  • KAVMM.
  • KAVPF.
  • KAVPFW.
  • KAVSTART.
  • KAVSVC.
  • KAVSVCUI.
  • KMAILMON.
  • KPFWSVC.
  • MCAGENT.
  • MCMNHDLR.
  • MCREGWIZ.
  • MCUPDATE.
  • MCVSSHLD.
  • MINILOG.
  • MYAGTSVC.
  • MYAGTTRY.
  • NAVAPSVC.
  • NAVAPW32.
  • NAVLU32.
  • NAVW32.
  • NEOWATCHLOG.
  • NEOWATCHTRAY.
  • NISSERV
  • NISUM.
  • NMAIN.
  • NOD32
  • NORMIST.
  • NOTSTART.
  • NPAVTRAY.
  • NPFMNTOR.
  • NPFMSG.
  • NPROTECT.
  • NSCHED32.
  • NSMDTR.
  • NSSSERV.
  • NSSTRAY.
  • NTRTSCAN.
  • NTOS.
  • NTXCONFIG.
  • NUPGRADE.
  • NVCOD.
  • NVCTE.
  • NVCUT.
  • NWSERVICE.
  • OFCPFWSVC.
  • OUTPOST
  • OP_MON.
  • PAVFIRES.
  • PAVFNSVR.
  • PAVKRE.
  • PAVPROT.
  • PAVPROXY.
  • PAVPRSRV.
  • PAVSRV51.
  • PAVSS.
  • PCCGUIDE.
  • PCCIOMON.
  • PCCNTMON.
  • PCCPFW.
  • PCCTLCOM.
  • PCTAV.
  • PERSFW.
  • PERTSK.
  • PERVAC.
  • PNMSRV.
  • POP3TRAP.
  • POPROXY.
  • PREVSRV.
  • PSIMSVC.
  • QHONLINE.
  • QHONSVC.
  • QHWSCSVC.
  • RAVMON.
  • RAVTIMER.
  • AVGNT
  • AVCENTER.
  • RFWMAIN.
  • RTVSCAN.
  • RTVSCN95.
  • RULAUNCH.
  • SALITY
  • SAVADMINSERVICE.
  • SAVMAIN.
  • SAVPROGRESS.
  • SAVSCAN.
  • SCANNINGPROCESS.
  • SDRA64.
  • SDHELP.
  • SHSTAT.
  • SITECLI.
  • SPBBCSVC.
  • SPHINX.
  • SPIDERCPL.
  • SPIDERML.
  • SPIDERNT.
  • SPIDERUI.
  • SPYBOTSD.
  • SPYXX.
  • SS3EDIT.
  • STOPSIGNAV.
  • SWAGENT.
  • SWDOCTOR.
  • SWNETSUP.
  • SYMLCSVC.
  • SYMPROXYSVC.
  • SYMSPORT.
  • SYMWSC.
  • SYNMGR.
  • TAUMON.
  • TBMON.
  • AVAST
  • TMLISTEN.
  • TMNTSRV.
  • TMPFW.
  • TMPROXY.
  • TNBUTIL.
  • TRJSCAN.
  • UP2DATE.
  • VBA32ECM.
  • VBA32IFS.
  • VBA32LDR.
  • VBA32PP3.
  • VBSNTW.
  • VCRMON.
  • VPTRAY.
  • VRFWSVC.
  • VRMONNT.
  • VRMONSVC.
  • VRRW32.
  • VSECOMR.
  • VSHWIN32.
  • VSMON.
  • VSSERV.
  • VSSTAT.
  • WATCHDOG.
  • WEBSCANX.
  • WEBTRAP.
  • WGFE95.
  • WINAW32.
  • WINROUTE.
  • WINSS.
  • WINSSNOTIFY.
  • WRCTRL.
  • XCOMMSVR.
  • ZAUINST
  • ZLCLIENT
  • ZONEALARM

Removable and remote drives

Sality.AT tries to copy one of the following files to the Windows temporary files folder (for example, %TEMP%) and infects the copied file:

The virus copies the infected file to the root of all remote and removable drives as one of the following:

  • \<random>.pif
  • \<random>.exe
  • \<random>.cmd

The virus then writes an Autorun configuration file named autorun.inf pointing to the virus copy. When the drive is accessed from a PC supporting the Autorun feature, the virus is launched automatically.
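
The following PowerShell check is an added example and is not part of this Microsoft write-up. It inspects every removable and network drive for an autorun.inf whose launch target is a file at the drive root with a .pif, .exe or .cmd extension, the layout described above. It only reports; it deletes and executes nothing. Assumptions of my own: the autorun.inf keys that cause a launch are open=, shellexecute= and shell\<verb>\command=, and Win32_LogicalDisk DriveType 2 is removable, 4 is network.

```powershell
# Added example, not part of the Microsoft write-up. Reports autorun.inf files on
# removable and network drives whose launch target is a root-level .pif/.exe/.cmd.
# Read-only: nothing is deleted or executed.

function Get-AutorunTarget {
    # Return the file names an autorun.inf would launch, one per launch key.
    # Assumption: open=, shellexecute= and shell\<verb>\command= are the launch keys.
    param([Parameter(Mandatory)][string]$Path)

    $targets = @()
    foreach ($line in Get-Content -LiteralPath $Path -ErrorAction Stop) {
        # Sality-style autorun.inf files are usually padded with junk; only key=value
        # lines for a launch key matter.
        if ($line -match '^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$') {
            $raw = $Matches[2]
            # A quoted path keeps its spaces; otherwise the first token is the program.
            if ($raw -match '^"([^"]*)"') { $exe = $Matches[1] } else { $exe = ($raw -split '\s+')[0] }
            $targets += $exe -replace '^\.?[\\/]+', ''    # ".\x.exe" and "\x.exe" -> "x.exe"
        }
    }
    return @($targets | Sort-Object -Unique)
}

function Find-SalityAutorun {
    # One record per launch target found on a removable (2) or network (4) drive.
    $drives = Get-CimInstance Win32_LogicalDisk | Where-Object { @(2, 4) -contains $_.DriveType }
    foreach ($d in $drives) {
        $inf = Join-Path $d.DeviceID 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        # -Force: the virus typically leaves autorun.inf hidden.
        $attrs = (Get-Item -LiteralPath $inf -Force).Attributes.ToString()
        foreach ($t in Get-AutorunTarget -Path $inf) {
            [pscustomobject]@{
                Drive         = $d.DeviceID
                Target        = $t
                TargetExists  = Test-Path -LiteralPath (Join-Path $d.DeviceID $t)
                # Root-level file with one of the extensions the virus uses.
                SalityPattern = [bool]($t -match '^[^\\/]+\.(pif|exe|cmd)$')
                InfAttributes = $attrs
            }
        }
    }
}

Find-SalityAutorun | Format-Table -AutoSize
```

Run it from an elevated prompt with the suspect drives attached. A record with SalityPattern True and TargetExists True is the spreading copy described above; submit the target to your antivirus product rather than opening it, since double-clicking the drive is exactly the Autorun path the virus relies on.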

Payload

Prevents booting Windows in safe mode

Sality.AT recursively deletes all registry values and data under the following registry subkeys, preventing you from starting Windows in safe mode:

  • HKLM\System\CurrentControlSet\Control\SafeBoot
  • HKCU\System\CurrentControlSet\Control\SafeBoot

Disables security monitoring software

Sality.AT reads the system service descriptor table (SSDT) directly from the NT kernel (ntoskrnl.exe) and passes the original SSDT to a buffer created by the driver component (Trojan:WinNT/Sality). System API calls are then redirected to this clean copy of the SSDT held by the driver, bypassing any hooks installed in the live table. This behavior can defeat HIPS or antivirus on-access detection methods that rely on SSDT hooks.

Deletes security-related files

This virus deletes security software data files (detection databases and signatures) with the following file extensions from all drives and network shares:

  • .AVC
  • .VDB

Stops security-related services

Win32/Sality tries to stop and delete the following security-related services:

  • Agnitum Client Security Service
  • ALG
  • Amon monitor
  • aswUpdSv
  • aswMon2
  • swRdr
  • aswSP
  • aswTdi
  • aswFsBlk
  • acssrv
  • AV Engine
  • avast! iAVS4 Control Service
  • avast! Antivirus
  • avast! Mail Scanner
  • avast! Web Scanner
  • avast! Asynchronous Virus Monitor
  • avast! Self Protection
  • AVG E-mail Scanner
  • Avira AntiVir Premium Guard
  • Avira AntiVir Premium WebGuard
  • Avira AntiVir Premium MailGuard
  • AVP
  • avp1
  • BackWeb Plug-in - 4476822
  • bdss
  • BGLiveSvc
  • BlackICE
  • CAISafe
  • ccEvtMgr
  • ccProxy
  • ccSetMgr
  • COMODO Firewall Pro Sandbox Driver
  • cmdGuard
  • cmdAgent
  • Eset Service
  • Eset HTTP Server
  • Eset Personal Firewall
  • F-Prot Antivirus Update Monitor
  • fsbwsys
  • FSDFWD
  • F-Secure Gatekeeper Handler Starter
  • FSMA
  • Google Online Services
  • InoRPC
  • InoRT
  • InoTask
  • ISSVC
  • KPF4
  • KLIF
  • LavasoftFirewall
  • LIVESRV
  • McAfeeFramework
  • McShield
  • McTaskManager
  • navapsvc
  • NOD32krn
  • NPFMntor
  • NSCService
  • Outpost Firewall main module
  • OutpostFirewall
  • PAVFIRES
  • PAVFNSVR
  • PavProt
  • PavPrSrv
  • PAVSRV
  • PcCtlCom
  • PersonalFirewal
  • PREVSRV
  • ProtoPort Firewall service
  • PSIMSVC
  • RapApp
  • SmcService
  • SNDSrvc
  • SPBBCSvc
  • SpIDer FS Monitor for Windows NT
  • SpIDer Guard File System Monitor
  • SPIDERNT
  • Symantec Core LC
  • Symantec Password Validation
  • Symantec AntiVirus Definition Watcher
  • SavRoam
  • Symantec AntiVirus
  • Tmntsrv
  • TmPfw
  • tmproxy
  • tcpsr
  • UmxAgent
  • UmxCfg
  • UmxLU
  • UmxPol
  • vsmon
  • VSSERV
  • WebrootDesktopFirewallDataService
  • WebrootFirewall
  • XCOMM

Stops security-related processes

Win32/Sality tries to stop security-related processes if their process name starts with any of these strings:

  • _AVPM.
  • A2GUARD.
  • AAVSHIELD.
  • AVAST
  • ADVCHK.
  • AHNSD.
  • AIRDEFENSE
  • ALERTSVC
  • ALOGSERV
  • ALSVC.
  • AMON.
  • ANTI-TROJAN.
  • AVZ.
  • ANTIVIR
  • APVXDWIN.
  • ARMOR2NET.
  • ASHAVAST.
  • ASHDISP.
  • ASHENHCD.
  • ASHMAISV.
  • ASHPOPWZ.
  • ASHSERV.
  • ASHSIMPL.
  • ASHSKPCK.
  • ASHWEBSV.
  • ASWUPDSV.
  • ATCON.
  • ATUPDATER.
  • ATWATCH.
  • AVCIMAN.
  • AVCONSOL.
  • AVENGINE.
  • AVESVC.
  • AVGAMSVR.
  • AVGCC.
  • AVGCC32.
  • AVGCTRL.
  • AVGEMC.
  • AVGFWSRV.
  • AVGNT.
  • AVGNTDD
  • AVGNTMGR
  • AVGSERV.
  • AVGUARD.
  • AVGUPSVC.
  • AVINITNT.
  • AVKSERV.
  • AVKSERVICE.
  • AVKWCTL.
  • AVP.
  • AVP32.
  • AVPCC.
  • AVPM.
  • AVAST
  • AVSERVER.
  • AVSCHED32.
  • AVSYNMGR.
  • AVWUPD32.
  • AVWUPSRV.
  • AVXMONITOR9X.
  • AVXMONITORNT.
  • AVXQUAR.
  • BDMCON.
  • BDNEWS.
  • BDSUBMIT.
  • BDSWITCH.
  • BLACKD.
  • BLACKICE.
  • CAFIX.
  • CCAPP.
  • CCEVTMGR.
  • CCPROXY.
  • CCSETMGR.
  • CFIAUDIT.
  • CLAMTRAY.
  • CLAMWIN.
  • CLAW95.
  • CUREIT
  • DEFWATCH.
  • DRVIRUS.
  • DRWADINS.
  • DRWEB32W.
  • DRWEBSCD.
  • DRWEBUPW.
  • DWEBLLIO
  • DWEBIO
  • ESCANH95.
  • ESCANHNT.
  • EWIDOCTRL.
  • EZANTIVIRUSREGISTRATIONCHECK.
  • F-AGNT95.
  • FAMEH32.
  • FILEMON
  • FIRESVC.
  • FIRETRAY.
  • FIREWALL.
  • FPAVUPDM.
  • FRESHCLAM.
  • EKRN.
  • FSAV32.
  • FSAVGUI.
  • FSBWSYS.
  • F-SCHED.
  • FSDFWD.
  • FSGK32.
  • FSGK32ST.
  • FSGUIEXE.
  • FSMA32.
  • FSMB32.
  • FSPEX.
  • FSSM32.
  • F-STOPW.
  • GCASDTSERV.
  • GCASSERV.
  • GIANTANTISPYWAREMAIN.
  • GIANTANTISPYWAREUPDATER.
  • GUARDGUI.
  • GUARDNT.
  • HREGMON.
  • HRRES.
  • HSOCKPE.
  • HUPDATE.
  • IAMAPP.
  • IAMSERV.
  • ICLOAD95.
  • ICLOADNT.
  • ICMON.
  • ICSSUPPNT.
  • ICSUPP95.
  • ICSUPPNT.
  • IFACE.
  • INETUPD.
  • INOCIT.
  • INORPC.
  • INORT.
  • INOTASK.
  • INOUPTNG.
  • IOMON98.
  • ISAFE.
  • ISATRAY.
  • ISRV95.
  • ISSVC.
  • KAV.
  • KAVMM.
  • KAVPF.
  • KAVPFW.
  • KAVSTART.
  • KAVSVC.
  • KAVSVCUI.
  • KMAILMON.
  • KPFWSVC.
  • MCAGENT.
  • MCMNHDLR.
  • MCREGWIZ.
  • MCUPDATE.
  • MCVSSHLD.
  • MINILOG.
  • MYAGTSVC.
  • MYAGTTRY.
  • NAVAPSVC.
  • NAVAPW32.
  • NAVLU32.
  • NAVW32.
  • NEOWATCHLOG.
  • NEOWATCHTRAY.
  • NISSERV
  • NISUM.
  • NMAIN.
  • NOD32
  • NORMIST.
  • NOTSTART.
  • NPAVTRAY.
  • NPFMNTOR.
  • NPFMSG.
  • NPROTECT.
  • NSCHED32.
  • NSMDTR.
  • NSSSERV.
  • NSSTRAY.
  • NTRTSCAN.
  • NTOS.
  • NTXCONFIG.
  • NUPGRADE.
  • NVCOD.
  • NVCTE.
  • NVCUT.
  • NWSERVICE.
  • OFCPFWSVC.
  • OUTPOST
  • OP_MON.
  • PAVFIRES.
  • PAVFNSVR.
  • PAVKRE.
  • PAVPROT.
  • PAVPROXY.
  • PAVPRSRV.
  • PAVSRV51.
  • PAVSS.
  • PCCGUIDE.
  • PCCIOMON.
  • PCCNTMON.
  • PCCPFW.
  • PCCTLCOM.
  • PCTAV.
  • PERSFW.
  • PERTSK.
  • PERVAC.
  • PNMSRV.
  • POP3TRAP.
  • POPROXY.
  • PREVSRV.
  • PSIMSVC.
  • QHONLINE.
  • QHONSVC.
  • QHWSCSVC.
  • RAVMON.
  • RAVTIMER.
  • AVGNT
  • AVCENTER.
  • RFWMAIN.
  • RTVSCAN.
  • RTVSCN95.
  • RULAUNCH.
  • SALITY
  • SAVADMINSERVICE.
  • SAVMAIN.
  • SAVPROGRESS.
  • SAVSCAN.
  • SCANNINGPROCESS.
  • SDRA64.
  • SDHELP.
  • SHSTAT.
  • SITECLI.
  • SPBBCSVC.
  • SPHINX.
  • SPIDERCPL.
  • SPIDERML.
  • SPIDERNT.
  • SPIDERUI.
  • SPYBOTSD.
  • SPYXX.
  • SS3EDIT.
  • STOPSIGNAV.
  • SWAGENT.
  • SWDOCTOR.
  • SWNETSUP.
  • SYMLCSVC.
  • SYMPROXYSVC.
  • SYMSPORT.
  • SYMWSC.
  • SYNMGR.
  • TAUMON.
  • TBMON.
  • AVAST
  • TMLISTEN.
  • TMNTSRV.
  • TMPFW.
  • TMPROXY.
  • TNBUTIL.
  • TRJSCAN.
  • UP2DATE.
  • VBA32ECM.
  • VBA32IFS.
  • VBA32LDR.
  • VBA32PP3.
  • VBSNTW.
  • VCRMON.
  • VPTRAY.
  • VRFWSVC.
  • VRMONNT.
  • VRMONSVC.
  • VRRW32.
  • VSECOMR.
  • VSHWIN32.
  • VSMON.
  • VSSERV.
  • VSSTAT.
  • WATCHDOG.
  • WEBSCANX.
  • WEBTRAP.
  • WGFE95.
  • WINAW32.
  • WINROUTE.
  • WINSS.
  • WINSSNOTIFY.
  • WRCTRL.
  • XCOMMSVR.
  • ZAUINST
  • ZLCLIENT
  • ZONEALARM

Additionally, Sality.AT kills processes that have the following modules loaded:

  • DWEBLLIO
  • DWEBIO

Changes Windows settings

Sality.AT changes the registry to disable Windows Registry Editor:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
Sets value: "DisableRegistryTools"
With data: "1"

The virus changes the registry to prevent viewing files with hidden attributes.

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
Sets value: "Hidden"
With data: "2"

Lowers PC security

Sality.AT changes the registry to bypass the Windows firewall.

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<virus file name>:*:enabled:ipsec"
With data: "<virus file name>"

The virus also changes other registry data that lowers the security of the infected PC. Sality.AT alters the following Windows Security Center and Windows Firewall settings:

In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1"

In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "AntiVirusOverride"
With data: "1"

In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "AntiVirusDisableNotify"
With data: "1"

In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "FirewallOverride"
With data: "1"

In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "FirewallDisableNotify"
With data: "1"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
With data: "0"
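
The PowerShell function below is an added example, not part of this Microsoft write-up, and serves the "Enable the registry editor", "Remove program exceptions in the firewall" and "Additional remediation instructions" sections above as well as the registry changes just listed. It audits each value the virus sets and, with -Fix, writes it back; the restore values (flags back to 0, firewall on, Hidden set to 1 so dropped files are visible) and the NoDriveTypeAutoRun hardening at the end are my remediation choices, not data from the virus. It also reports the amsint32 driver and service and empty SafeBoot lists without touching them. Assumptions of my own: Explorer reads the Hidden value under ...\Explorer\Advanced (the write-up lists ...\Explorer, so both keys are handled), and the firewall exception can be recognised by the ":*:enabled:ipsec" marker in either the value name or its data.

```powershell
# Added example, not part of the Microsoft write-up. Audits the registry changes this
# entry attributes to Sality.AT and, with -Fix, reverts them. Run from an elevated
# PowerShell prompt after the malware itself has been removed; while it is running
# it simply re-applies its settings.

function Repair-SalityATSettings {
    [CmdletBinding()]
    param([switch]$Fix)   # report only unless -Fix is given

    $sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    $fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'

    # Key, value name, the data the virus writes (Bad) and what to write back (Good).
    $checks = @(
        @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableRegistryTools'; Bad=1; Good=0 }
        @{ Key=$sc;       Name='AntiVirusOverride';      Bad=1; Good=0 }
        @{ Key="$sc\Svc"; Name='AntiVirusOverride';      Bad=1; Good=0 }
        @{ Key="$sc\Svc"; Name='AntiVirusDisableNotify'; Bad=1; Good=0 }
        @{ Key="$sc\Svc"; Name='FirewallOverride';       Bad=1; Good=0 }
        @{ Key="$sc\Svc"; Name='FirewallDisableNotify';  Bad=1; Good=0 }
        @{ Key=$fw;       Name='EnableFirewall';         Bad=0; Good=1 }
    )
    foreach ($c in $checks) {
        $cur = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -eq $cur -or $cur -ne $c.Bad) { continue }
        Write-Output ('TAMPERED {0}\{1} = {2}' -f $c.Key, $c.Name, $cur)
        if ($Fix) { Set-ItemProperty -Path $c.Key -Name $c.Name -Value $c.Good -Type DWord }
    }

    # Hidden=2 (do not show hidden files) is also the Windows default, so it is not
    # evidence on its own; with -Fix, set 1 so the dropped files become visible.
    # Assumption: Explorer reads the value under ...\Explorer\Advanced; the write-up
    # lists ...\Explorer, so both keys are set.
    $exp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'
    foreach ($k in $exp, "$exp\Advanced") {
        if ($Fix -and (Test-Path $k)) { Set-ItemProperty -Path $k -Name Hidden -Value 1 -Type DWord }
    }

    # Firewall exception: the entry carries ':*:enabled:ipsec' in its name or its data
    # (the write-up shows both positions), so match on either.
    $listKey = "$fw\AuthorizedApplications\List"
    $list = Get-ItemProperty -Path $listKey -ErrorAction SilentlyContinue
    if ($list) {
        foreach ($p in $list.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            if ("$($p.Name)|$($p.Value)" -match ':\*:enabled:ipsec') {
                Write-Output "FIREWALL-EXCEPTION $($p.Name) -> $($p.Value)"
                if ($Fix) { Remove-ItemProperty -Path $listKey -Name $p.Name }
            }
        }
    }

    # Dropped driver and its service (Trojan:WinNT/Sality): reported, not deleted.
    # Let the antivirus product remove it; a loaded kernel driver can resist deletion.
    $drv = Join-Path $env:SystemRoot 'System32\drivers\amsint32.sys'
    if (Test-Path -LiteralPath $drv) { Write-Output "DRIVER-PRESENT $drv" }
    if (Get-CimInstance Win32_SystemDriver -Filter "Name='amsint32'") { Write-Output 'SERVICE-PRESENT amsint32' }

    # SafeBoot lists the virus empties. They cannot be reconstructed here; re-import
    # them from a clean machine running the same Windows build.
    foreach ($mode in 'Minimal', 'Network') {
        $k = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        if (@(Get-ChildItem -Path $k -ErrorAction SilentlyContinue).Count -eq 0) { Write-Output "SAFEBOOT-EMPTY $k" }
    }

    # Hardening against re-infection from removable drives (my addition, standard
    # Windows policy value): disable Autorun for all drive types.
    if ($Fix) {
        $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
        Set-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
}

Repair-SalityATSettings          # audit only
# Repair-SalityATSettings -Fix   # revert the settings
```

Run the audit first and keep its output with the incident record; a TAMPERED or FIREWALL-EXCEPTION line that reappears after -Fix means the virus is still active somewhere on the machine or the network and the cleanup has to be repeated from the "Recovering from recurring infections on a network" steps.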

Downloads files

Sality.AT tries to download files from remote servers to the local drive, then decrypts and runs the downloaded files. We have observed the virus to connect to the following servers:

  • www.klkjwre9fqwieluoi.info
  • kukutrustnet777888.info
  • klkjwre77638dfqwieuoi888.info
  • 89.119.67.154
  • kukutrustnet777.info
  • kukutrustnet888.info
  • kukutrustnet987.info

At the time of this writing, retrieved files were identified as the following:

Analysis by Shawn Wang and Hamish O'Dea


Symptoms

The following could indicate that you have this threat on your PC:

  • Certain security-related applications, processes or services might suddenly close or end, or may not run at all
  • You can't run Windows Registry Editor
  • You have this file:
    %SystemRoot%\system32\drivers\amsint32.sys

Prevention


Alert level: Severe
First detected by definition: 1.79.247.0
Latest detected by definition: 1.183.2472.0 and higher
First detected on: Mar 20, 2010
This entry was first published on: Apr 26, 2010
This entry was updated on: Aug 22, 2014

This threat is also detected as:
  • W32/Sality.B.gen!Eldorado (Command)
  • W32/Sality.AT (Avira)
  • Win32/Sality.AA (CA)
  • Win32.Sector.21 (Dr.Web)
  • Win32/Sality.NBA (ESET)
  • Trojan.Win32.Vilsel.vyy (Kaspersky)
  • W32/Sality.gen.e (McAfee)
  • W32/Sality.BD (Norman)
  • W32/Spamta.QO.worm (Panda)
  • Win32.KUKU.kj (Rising AV)
  • Troj/SalLoad-A (Sophos)
  • PE_SALITY.BA (Trend Micro)