Microsoft security software detects and removes this threat.

This virus is a member of the Win32/Sality family. This family can delete Windows files with the extensions .scr or .exe.

They can also end or close antivirus software and other security-related processes and services.

There is more information in the Win32/Sality description.

What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

Use Windows Defender Offline

This threat can make it difficult for you to download, install or update your virus protection, whether you have an antivirus product such as Microsoft Security Essentials installed on your computer or not.

If you have been infected with this threat, we recommend using Windows Defender Offline to detect and remove it.

Windows Defender Offline is a standalone tool that contains the latest antivirus updates from Microsoft.

It is not a replacement for a full antivirus solution that provides ongoing protection. It is meant to be used in situations where you cannot start or scan your computer because it is infected with malware that prevents antivirus products from working normally.

Before you begin you will need:

  • A computer that is not infected and is connected to the Internet. You will use this computer to download a copy of Windows Defender Offline
  • A blank CD, DVD or USB drive (also known as a USB key or thumb drive). You will use this CD, DVD or USB drive to run the tool on your infected computer

Follow these steps to use Windows Defender Offline:

  1. Use an uninfected computer to download a copy of the tool from here: Windows Defender Offline

    In order for the recovery tool to be effective, make sure you download the version that matches the your infected computer. For example, your desktop computer has been infected with malware. The computer is running a 64-bit version of Windows. Your friend's laptop, however, is not infected, and so you use that to download Windows Defender Offline. Your friend's laptop is running a 32-bit version of Windows, so when you download the tool, you choose the 64-bit version, because that is the version that matches your computer

  2. Install the tool on a blank CD, DVD, or USB drive
  3. Insert the CD, DVD, or USB drive into your infected computer and run the tool
  4. Let the tool clean your computer and remove any infections it finds

After running the tool, ensure that your antivirus product is up-to-date. You can update Microsoft security products by downloading the latest definitions at this link: Get the latest definitions. You can Use the Microsoft Safety Scanner if you suspect you are infected but are unable to confirm this with your existing antivirus software.

For detailed instructions on using Windows Defender Offline, see the Microsoft Security Blog post Microsoft's Free Security Tools - Windows Defender Offline.

Threat behavior

Virus:Win32/Sality.G.dll is a member of the Win32/Sality family, a family of polymorphic file infectors that target Windows files with the extensions .scr or .exe. They may delete files with certain extensions and end or close antivirus and other security-related processes and services.

There is more information about in the Win32/Sality description.


Virus:Win32/Sality.G.dll infects files, which, once infected, are detected as Virus:Win32/Sality.G.

The virus might be dropped and loaded as %SystemRoot%\system32\wmimgr32.dll by a component of Virus:Win32/Sality.G.

Virus:Win32/Sality.G.dll is loaded into other processes by installing a message hook (a function that enables Virus:Win32/Sality.G to load itself into other processes).

It creates a mutex named "kuku_joker_v3.04" to prevent more than one instance of itself running om your computer at any one time.

Spreads via…

File infection / network shares

Virus:Win32/Sality.G.dll tries to infect files with extension ".EXE" and ".SCR" from local drives and network shares. However, files protected by SFC (System File Check) or those file names that contain the following (often security-related) strings will not be infected:

  • ALER
  • ANDA
  • ANTI
  • AVP
  • GUAR
  • KAV
  • NOD
  • OUTP
  • SCAN
  • TREN
  • TROJ
  • ZONE

Downloads files

In the wild, we've observed the virus contacting hackers at the following domains to download files which it then saves to the %TEMP% folder:


Steals sensitive information

Worm:Win32/Sality.G.dll has been observed stealing information, including but not limited to the following:

  • Passwords stored in your temporary Internet files
  • Information about your computer
  • Keystrokes you make

It then sends this information to a hacker at one of the domains from which it downloads files (see above).

Deletes files

Virus:Win32/Sality.G.dll tries to delete files with following extensions:

  • .avc
  • .key
  • .tjc
  • .vdb

And will also attempt to delete files that contain the following (often security-related) strings:

  • ALER
  • ANDA
  • ANTI
  • GUAR
  • OUTP
  • SCAN
  • TREN
  • TROJ
  • ZONE

Analysis by Shawn Wang, Gabriel Plouffe, Duc Nguyen & Edgardo Diaz Jr


System changes

The following changes to your computer may indicate the presence of Virus:Win32/Sality.G.dll:

  • Infected files may unexpectedly increase in size
  • Antimalware and firewall applications may not work properly


Alert level: Severe
First detected by definition: 1.157.1086.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Sep 04, 2013
This entry was first published on: Apr 28, 2010
This entry was updated on: Sep 18, 2013

This threat is also detected as:
  • Win32/Sality.F (AhnLab)
  • W32/Sality.k (Command)
  • Trojan.Win32.Scar.bxqc (Kaspersky)
  • W32/Sality.n (Norman)
  • Win32.Sality.L (VirusBuster)
  • Virus found Win32/Sality (AVG)
  • W32/Sality.l (Avira)
  • Win32/Sality.J (CA)
  • Trojan.MulDrop.55658 (Dr.Web)
  • Win32/Sality.NAE (ESET)
  • Virus.Win32.Flot (Ikarus)
  • Trojan.Win32.Scar.bxqc (Kaspersky)
  • Infected: Virus:Win32/Sality.gen!enc (Microsoft)
  • W32/Sality.O (Panda)
  • Win32.Sality (Rising AV)
  • W32/Sality-AI (Sophos)
  • Win32.Sality.AE (Sunbelt Software)
  • W32.HLLP.Sality.O (Symantec)
  • PE_SALITY.AE (Trend Micro)