Win32/Sality

Encyclopedia entry
Updated: Jul 31, 2012  |  Published: Aug 07, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.

Summary

Virus:Win32/Sality is a family of polymorphic file infectors that target Windows executable files with the extensions .SCR or .EXE. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

Symptoms

System changes

The following system changes may indicate the presence of Virus:Win32/Sality:

  • The presence of the following files:
    <system folder>\wmdrtc32.dll
    <system folder>\wmdrtc32.dl_
  • Infected files may unexpectedly increase in size
  • Antivirus and firewall applications may fail to function
  • Windows Task Manager and Windows Registry Editor may be disabled
  • There is encrypted UDP traffic originating from unexpected applications

Technical Information (Analysis)

Win32/Sality is a family of polymorphic file infectors that target Windows executable files with the extensions .SCR or .EXE. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

Installation

Win32/Sality infects files on the affected computer. Most variants use a DLL that is dropped once on each computer. The DLL file is written to disk in two forms, for example:

  • <system folder>\wmdrtc32.dll
  • <system folder>\wmdrtc32.dl_

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder location is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for Windows XP, Vista, and 7.

The DLL file itself contains the bulk of the virus code. The file with the extension ".dl_" is its compressed copy.

Recent variants of Sality, such as Virus:Win32/Sality.AM, do not drop the DLL, but instead load it entirely in memory without writing it to disk. This variant, along with others, also drops a driver with a random file name in the folder "<system folder>\drivers". The driver is detected as Trojan:WinNT/Sality (see the "Payload - Drops other components" section below).

Sality may arrive on the computer by being dropped by other malware. For example, a Sality variant detected as Virus:Win32/Sality.AU is dropped by Worm:Win32/Sality.AU.

Spreads via...

File infection

Win32/Sality usually targets all files in drive C: that have .EXE or .SCR file extensions, beginning with the root folder. Infected files increase in size by a varying amount.

The virus also targets applications that run at each Windows start and frequently used applications, referenced by the following registry keys:

  • HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Win32/Sality avoids infecting particular files, in order to remain hidden on the computer:

  • Files protected by System File Checker (SFC)
  • Files under the %SystemRoot% folder
  • Executables of several antivirus and firewall products; it ignores files with names containing any of the following substrings:
    _AVPM.
    A2GUARD.
    AAVSHIELD.
    ADVCHK.
    AHNSD.
    AIRDEFENSE
    ALERTSVC
    ALOGSERV
    ALSVC.
    AMON.
    ANTI-TROJAN.
    ANTIVIR
    APVXDWIN.
    ARMOR2NET.
    ASHAVAST.
    ASHDISP.
    ASHENHCD.
    ASHMAISV.
    ASHPOPWZ.
    ASHSERV.
    ASHSIMPL.
    ASHSKPCK.
    ASHWEBSV.
    ASWUPDSV.
    ATCON.
    ATUPDATER.
    ATWATCH.
    AVAST
    AVCENTER.
    AVCIMAN.
    AVCONSOL.
    AVENGINE.
    AVESVC.
    AVGAMSVR.
    AVGCC.
    AVGCC32.
    AVGCTRL.
    AVGEMC.
    AVGFWSRV.
    AVGNT
    AVGNT.
    AVGNTDD
    AVGNTMGR
    AVGSERV.
    AVGUARD.
    AVGUPSVC.
    AVINITNT.
    AVKSERV.
    AVKSERVICE.
    AVKWCTL.
    AVP.
    AVP32.
    AVPCC.
    AVPM.
    AVSCHED32.
    AVSERVER.
    AVSYNMGR.
    AVWUPD32.
    AVWUPSRV.
    AVXMONITOR9X.
    AVXMONITORNT.
    AVXQUAR.
    AVZ.
    BDMCON.
    BDNEWS.
    BDSUBMIT.
    BDSWITCH.
    BLACKD.
    BLACKICE.
    CAFIX.
    CCAPP.
    CCEVTMGR.
    CCPROXY.
    CCSETMGR.
    CFIAUDIT.
    CLAMTRAY.
    CLAMWIN.
    CLAW95.
    CUREIT
    DEFWATCH.
    DRVIRUS.
    DRWADINS.
    DRWEB32W.
    DRWEBSCD.
    DRWEBUPW.
    DWEBIO
    DWEBLLIO
    EKRN.
    ESCANH95.
    ESCANHNT.
    EWIDOCTRL.
    EZANTIVIRUSREGISTRATIONCHECK.
    F-AGNT95.
    F-PROT95.
    F-SCHED.
    F-STOPW.
    FAMEH32.
    FILEMON
    FIRESVC.
    FIRETRAY.
    FIREWALL.
    FPAVUPDM.
    FRESHCLAM.
    FSAV32.
    FSAVGUI.
    FSBWSYS.
    FSDFWD.
    FSGK32.
    FSGK32ST.
    FSGUIEXE.
    FSMA32.
    FSMB32.
    FSPEX.
    FSSM32.
    GCASDTSERV.
    GCASSERV.
    GIANTANTISPYWAREMAIN.
    GIANTANTISPYWAREUPDATER.
    GUARDGUI.
    GUARDNT.
    HREGMON.
    HRRES.
    HSOCKPE.
    HUPDATE.
    IAMAPP.
    IAMSERV.
    ICLOAD95.
    ICLOADNT.
    ICMON.
    ICSSUPPNT.
    ICSUPP95.
    ICSUPPNT.
    IFACE.
    INETUPD.
    INOCIT.
    INORPC.
    INORT.
    INOTASK.
    INOUPTNG.
    IOMON98.
    ISAFE.
    ISATRAY.
    ISRV95.
    ISSVC.
    KAV.
    KAVMM.
    KAVPF.
    KAVPFW.
    KAVSTART.
    KAVSVC.
    KAVSVCUI.
    KMAILMON.
    KPFWSVC.
    MCAGENT.
    MCMNHDLR.
    MCREGWIZ.
    MCUPDATE.
    MCVSSHLD.
    MINILOG.
    MYAGTSVC.
    MYAGTTRY.
    NAVAPSVC.
    NAVAPW32.
    NAVLU32.
    NAVW32.
    NEOWATCHLOG.
    NEOWATCHTRAY.
    NISSERV
    NISUM.
    NMAIN.
    NOD32
    NORMIST.
    NOTSTART.
    NPAVTRAY
    NPFMNTOR.
    NPFMSG.
    NPROTECT.
    NSCHED32.
    NSMDTR.
    NSSSERV.
    NSSTRAY.
    NTOS.
    NTRTSCAN.
    NTXCONFIG.
    NUPGRADE.
    NVCOD.
    NVCTE.
    NVCUT.
    NWSERVICE.
    OFCPFWSVC.
    OP_MON.
    OUTPOST
    PAVFIRES.
    PAVFNSVR.
    PAVKRE.
    PAVPROT.
    PAVPROXY.
    PAVPRSRV.
    PAVSRV51.
    PAVSS.
    PCCGUIDE.
    PCCIOMON.
    PCCNTMON.
    PCCPFW.
    PCCTLCOM.
    PCTAV.
    PERSFW.
    PERTSK.
    PERVAC.
    PNMSRV.
    POP3TRAP.
    POPROXY.
    PREVSRV.
    PSIMSVC.
    QHM32.
    QHONLINE.
    QHONSVC.
    QHPF.
    QHWSCSVC.
    RAVMON.
    RAVTIMER.
    RFWMAIN.
    RTVSCAN.
    RTVSCN95.
    RULAUNCH.
    SALITY
    SAVADMINSERVICE.
    SAVMAIN.
    SAVPROGRESS.
    SAVSCAN.
    SCANNINGPROCESS.
    SDHELP.
    SHSTAT.
    SITECLI.
    SPBBCSVC.
    SPHINX.
    SPIDERCPL.
    SPIDERML.
    SPIDERNT.
    SPIDERUI.
    SPYBOTSD.
    SPYXX.
    SS3EDIT.
    STOPSIGNAV.
    SWAGENT.
    SWDOCTOR.
    SWNETSUP.
    SYMLCSVC.
    SYMPROXYSVC.
    SYMSPORT.
    SYMWSC.
    SYNMGR.
    TAUMON.
    TBMON.
    TFAK.
    THAV.
    THSM.
    TMAS.
    TMLISTEN.
    TMNTSRV.
    TMPFW.
    TMPROXY.
    TNBUTIL.
    TRJSCAN.
    UP2DATE.
    VBA32ECM.
    VBA32IFS.
    VBA32LDR.
    VBA32PP3.
    VBSNTW.
    VCHK.
    VCRMON.
    VETTRAY.
    VIRUSKEEPER.
    VPTRAY.
    VRFWSVC.
    VRMONNT.
    VRMONSVC.
    VRRW32.
    VSECOMR.
    VSHWIN32.
    VSMON.
    VSSERV.
    VSSTAT.
    WATCHDOG.
    WEBPROXY.
    WEBSCANX.
    WEBTRAP.
    WGFE95.
    WINAW32.
    WINROUTE.
    WINSS.
    WINSSNOTIFY.
    WRCTRL.
    XCOMMSVR.
    ZAUINST.
    ZLCLIENT.
    ZONEALARM.

Spreads via removable drives and network shares

Some Sality variants can infect legitimate files, which are then moved to available removable drives and network shares.

One of the following legitimate files, if it exists, is copied into the Temporary Files folder, then infected:

  • <system folder>\NOTEPAD.EXE
  • <system folder>\WINMINE.EXE
  • <system folder>\TELNET.EXE

The resulting infected file is then moved to the root of all available removable drives and network shares as any of the following:

  • \<random file name>.pif
  • \<random file name>.exe
  • \<random file name>.cmd

The Sality variant also creates an "autorun.inf" file in the root of all these drives that points to the virus copy. When a drive is accessed from a computer supporting the Autorun feature, the virus is then launched automatically.

Payload

Deletes security-related files

Sality variants usually attempt to delete files related to antivirus updates, such as those with the following file extensions:

  • .AVC
  • .KEY
  • .VDB

Terminates security-related processes

Win32/Sality commonly searches for and attempts to terminate security applications, particularly antivirus and personal firewall programs. It attempts to terminate security applications whose names contain the same strings as the files it avoids infecting (see the "Spreads via... File infection" section).

It may also terminate the following security-related services:

acssrv
Agnitum Client Security Service
ALG
Amon monitor
aswFsBlk
aswMon2
aswRdr
aswSP
aswTdi
aswUpdSv
AV Engine
avast! Antivirus
avast! Asynchronous Virus Monitor
avast! iAVS4 Control Service
avast! Mail Scanner
avast! Self Protection
avast! Web Scanner
AVG E-mail Scanner
Avira AntiVir Premium Guard
Avira AntiVir Premium MailGuard
Avira AntiVir Premium WebGuard
AVP
avp1
BackWeb Plug-in - 4476822
bdss
BGLiveSvc
BlackICE
CAISafe
ccEvtMgr
ccProxy
ccSetMgr
cmdAgent
cmdGuard
COMODO Firewall Pro Sandbox Driver
Eset HTTP Server
Eset Personal Firewall
Eset Service
F-Prot Antivirus Update Monitor
F-Secure Gatekeeper Handler Starter
fsbwsys
FSDFWD
FSMA
Google Online Services
InoRPC
InoRT
InoTask
ISSVC
KLIF
KPF4
LavasoftFirewall
LIVESRV
McAfeeFramework
McShield
McTaskManager
navapsvc
NOD32krn
NPFMntor
NSCService
Outpost Firewall main module
OutpostFirewall
PAVFIRES
PAVFNSVR
PavProt
PavPrSrv
PAVSRV
PcCtlCom
PersonalFirewal
PREVSRV
ProtoPort Firewall service
PSIMSVC
RapApp
SavRoam
SmcService
SNDSrvc
SPBBCSvc
SpIDer FS Monitor for Windows NT
SpIDer Guard File System Monitor
SPIDERNT
Symantec AntiVirus
Symantec AntiVirus Definition Watcher
Symantec Core LC
Symantec Password Validation
tcpsr
Tmntsrv
TmPfw
tmproxy
UmxAgent
UmxCfg
UmxLU
UmxPol
vsmon
VSSERV
WebrootDesktopFirewallDataService
WebrootFirewall
XCOMM

Blocks access to security-related domains

Some Win32/Sality variants block access to any URL containing any of these substrings:

agnmitum
bitdefender
cureit
drweb
eset.com
etrust.com
ewido
f-secure
kaspersky
mcafee
onlinescan.
pandasoftware
sality-remov
sophos
spywareguide
spywareinfo
symantec
trendmicro
upload_virus
virusinfo
virusscan
virustotal
windowsecurity

Steals sensitive information

Some Win32/Sality variants can steal cached passwords and log keystrokes entered on the affected computer.

Downloads and executes arbitrary files

Win32/Sality variants usually attempt to download and execute other files. They may first attempt to connect to "www.microsoft.com" to check for Internet connectivity.

The files are downloaded into the Windows Temporary Files folder and decrypted using one of several hardcoded passwords, which include:

  • kukutrusted!.
  • GdiPlus.dll

The following is a list of domains to which Win32/Sality might connect and from which it might download files:

89.11<removed>.67.154
antes<removed>t.czechian.net
balsf<removed>kewo7i487fksd.info
bcash<removed>ddt.net
bclr-<removed>ash.net
bddr-<removed>ash.net
bjerm<removed>mass.hc.ru
bmake<removed>egood24.com
bmone<removed>-frn.net
bperf<removed>ctchoice1.com
bpowq<removed>vcfds677.info
btrn-<removed>ash.net
buynv<removed>96.info
bxxxl<removed>cash.net
energ<removed>tixjewelry.com
klkjw<removed>e9fqwieluoi.info
kukut<removed>ustnet777.info
kukut<removed>ustnet888.info
kukut<removed>ustnet987.info
lpbmx<removed>ru
mattf<removed>ll.eu.interia.pl
mikee<removed>ents.go.ro
mmimu<removed>soorie.com
ocean<removed>nfo.co.kr
pinga<removed>sh.com
railw<removed>yservices.be
sahil<removed>.sa.ohost.de
senaa<removed>to.ge
st1.d<removed>st.su.lt
yucel<removed>avdar.com
ziyag<removed>kalpilkogretim72.meb.k12.tr

Injects code into running processes

Most of the payload of Win32/Sality is executed in the context of other processes. This makes cleaning harder and allows the malware to bypass some firewalls. To avoid multiple injections into the same process, a system-wide mutex called "<process name>.exeM_<process ID>_" is created for every process into which code is injected.

Prevents Windows from booting up in Safe Mode

Win32/Sality variants recursively delete all registry values and data under the following registry subkeys, preventing the user from starting Windows in safe mode:

  • HKCU\System\CurrentControlSet\Control\SafeBoot
  • HKLM\System\CurrentControlSet\Control\SafeBoot

Drops other components

Some variants of Win32/Sality drop a driver with a random file name in the folder "<system folder>\drivers". The driver is detected as Trojan:WinNT/Sality. Its purpose is to:

  • Terminate security-related processes - Trojan:WinNT/Sality kills processes from kernel mode to bypass the self-protection of some antivirus programs
  • Block access to security-related websites - Trojan:WinNT/Sality registers a callback function with the IP filter driver. From the callback, it denies access to a list of hardcoded URLs. This technique works only on Windows XP, Windows 2003, and Windows 2000
  • Disable SSDT hooks - Trojan:WinNT/Sality removes SSDT hooks to prevent certain security software from working properly

Modifies %SystemRoot%\system.ini

Win32/Sality adds the following section to the configuration file "%SystemRoot%\system.ini". The section acts as an infection marker:

[MCIDRV_VER]
DEVICEMB=<random string>
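Two of the host-side indicators above lend themselves to a scripted check: the "[MCIDRV_VER]" / "DEVICEMB" marker this section describes in system.ini, and the autorun.inf that the "Spreads via removable drives and network shares" section says points at a dropped .pif/.exe/.cmd copy in a drive root. The following is added example code, not Microsoft's, built on one small INI reader that serves both checks. The autorun.inf keys it inspects ("open", "shellexecute", "shell\...\command") are the standard launch keys of that format and are an assumption here, as are the constructed sample inputs and the random-looking file name in them.

```python
"""Check system.ini for the Win32/Sality infection marker and autorun.inf for
root-level .pif/.exe/.cmd launch targets (example code, not Microsoft's)."""
import os
import sys

MARKER_SECTION = "MCIDRV_VER"   # section Sality appends to system.ini (from the write-up)
MARKER_KEY = "DEVICEMB"         # its data is a random string
AUTORUN_KEYS = ("OPEN", "SHELLEXECUTE")        # standard autorun.inf launch keys (assumption)
SUSPECT_EXTENSIONS = (".pif", ".exe", ".cmd")  # extensions of the dropped copies (from the write-up)


def parse_ini_sections(text):
    """Minimal INI reader: {SECTION: {KEY: value}} with names upper-cased, since
    Windows treats INI section and key names case-insensitively. Lines starting
    with ';' or '#' are comments; a key without '=' is kept with an empty value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().upper()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue                      # data before any section header: ignore
        key, _, value = line.partition("=")
        sections[current][key.strip().upper()] = value.strip()
    return sections


def find_sality_marker(ini_text):
    """Return the DEVICEMB data when the marker section is present ('' if the
    section exists without the key), or None when it is absent. The marker is
    an indicator to follow up with a scan, not proof of infection by itself."""
    section = parse_ini_sections(ini_text).get(MARKER_SECTION)
    return None if section is None else section.get(MARKER_KEY, "")


def _launch_target(value):
    """First token of a command line, honouring a double-quoted program name."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def suspicious_autorun_targets(autorun_text):
    """Return [autorun] launch targets that are bare file names (no folder, i.e.
    in the drive root) ending in .pif/.exe/.cmd. A legitimate autorun.inf
    usually points into a folder, so root-level targets deserve a closer look."""
    autorun = parse_ini_sections(autorun_text).get("AUTORUN", {})
    hits = []
    for key, value in autorun.items():
        if key in AUTORUN_KEYS or (key.startswith("SHELL\\") and key.endswith("\\COMMAND")):
            target = _launch_target(value)
            if target and "\\" not in target and "/" not in target \
                    and target.lower().endswith(SUSPECT_EXTENSIONS):
                hits.append(target)
    return hits


def check_system_ini(path=None):
    """Read %SystemRoot%\\system.ini (or another path) and return the marker result."""
    if path is None:
        path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system.ini")
    with open(path, encoding="latin-1", errors="replace") as fh:
        return find_sality_marker(fh.read())


# Constructed samples, not real files: a marked system.ini and an autorun.inf
# that launches a root-level copy under an invented random-looking name.
SAMPLE_SYSTEM_INI = """; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[MCIDRV_VER]
DEVICEMB=a7f3k9q2z
"""
SAMPLE_AUTORUN_INF = """[autorun]
open=k3j9dq.exe
icon=k3j9dq.exe,0
shell\\open\\command=k3j9dq.cmd
"""

if __name__ == "__main__":
    print("system.ini marker:", find_sality_marker(SAMPLE_SYSTEM_INI))
    print("autorun targets  :", suspicious_autorun_targets(SAMPLE_AUTORUN_INF))
    for drive_root in sys.argv[1:]:       # e.g. E:\  to inspect real removable drives
        inf = os.path.join(drive_root, "autorun.inf")
        if os.path.exists(inf):
            with open(inf, encoding="latin-1", errors="replace") as fh:
                print(inf, suspicious_autorun_targets(fh.read()))
```

Run without arguments it evaluates the embedded samples; pass drive roots to inspect their autorun.inf files, and call check_system_ini() on a Windows host to read the live system.ini.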

Connects to a P2P network

Computers infected with the latest versions of Win32/Sality, such as Virus:Win32/Sality.AT and Virus:Win32/Sality.AU, connect to other infected computers by joining a peer-to-peer (P2P) network. From other computers in the P2P network, they receive URLs pointing to additional malware components.

The P2P protocol runs over UDP. All the messages exchanged on the P2P network are encrypted. The local UDP port number used to connect to the network is generated as a function of the computer name.

Lowers computer security

Win32/Sality variants may modify the computer registry to lower Windows security. The following changes have been observed in several common variants:

  • Disables User Account Control (UAC):
    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Sets value: "EnableLUA"
    With data: "0"
  • Modifies Windows Firewall to allow Internet communication:
    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Sets value: "<Win32/Sality file name>"
    With data: "<Win32/Sality file name>:*:enabled:ipsec"
  • Disables Windows Firewall via the registry:
    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    Sets value: "EnableFirewall"
    With data: "0"
  • Runs "netsh" to disable Windows Firewall:
    netsh firewall set opmode disable
  • Redirects NETSH event tracing session logging:
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
    Sets value: "LogSessionName"
    With data: "stdout"
  • Turns off monitoring the installed antivirus software from within the Microsoft Security Center:
    In subkeys:
    HKLM\SOFTWARE\Microsoft\Security Center
    HKLM\SOFTWARE\Microsoft\Security Center\Svc
    Sets value: "AntiVirusOverride"
    With data: "1"
  • Turns off security alerts in Windows Security Center:
    In subkeys:
    HKLM\SOFTWARE\Microsoft\Security Center
    HKLM\SOFTWARE\Microsoft\Security Center\Svc
    Sets values:
    "FirewallDisableNotify"
    "UacDisableNotify"
    "UpdatesDisableNotify"
    With data: "1"
  • Disables Windows Task Manager:
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Sets value: "DisableTaskMgr"
    With data: "1"
  • Turns "Offline Mode" off in Microsoft Internet Explorer:
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Sets value: "GlobalUserOffline"
    With data: "0"
  • Allows hidden files to remain hidden:
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Sets value: "Hidden"
    With data: "2"
  • Prevents access to registry editing tools such as "regedit":
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Sets value: "DisableRegistryTools"
    With data: "1"

Analysis by Hamish O'Dea and Horea Coroiu

Prevention

Take the following steps to help prevent infection on your computer:
  • Enable a firewall on your computer.
  • Get the latest computer updates for all your installed software.
  • Use up-to-date antivirus software.
  • Limit user privileges on the computer.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to webpages.
  • Avoid downloading pirated software.
  • Protect yourself against social engineering attacks.
  • Use strong passwords.

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed on your computer. These are usually available from vendor websites. Instructions on how to download the latest versions of some common software are available from the following:

You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software, such as Microsoft Security Essentials, that is updated with the latest signature files. For more information, see http://www.microsoft.com/windows/antivirus-partners/.

Limit user privileges on the computer

Starting with Windows Vista and Windows 7, Microsoft introduced User Account Control (UAC), which, when enabled, allows users to run with least user privileges. This scenario limits the possibility of attacks by malware and other threats that require administrative privileges to run.

You can configure UAC on your computer to meet your preferences:

Use caution when opening attachments and accepting file transfers

Exercise caution with email and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.

Use caution when clicking on links to webpages

Exercise caution with links to webpages that you receive from unknown sources, especially if the links are to a webpage that you are not familiar with, unsure of the destination of, or suspicious of. Malicious software may be installed on your computer simply by visiting a webpage with harmful content.

Avoid downloading pirated software

Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, see 'The risks of obtaining and using pirated software'.

Protect yourself from social engineering attacks

While attackers may attempt to exploit vulnerabilities in hardware or software to compromise a computer, they also attempt to exploit vulnerabilities in human behavior to do the same. When an attacker attempts to take advantage of human behavior to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted computer. For more information, see 'What is social engineering?'.

Use strong passwords

Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password – one that cannot be easily guessed by an attacker. A strong password is one that has at least eight characters, and combines letters, numbers, and symbols. For more information, see http://www.microsoft.com/protect/yourself/password/create.mspx.

Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Additional recovery instructions
This threat uses stealth, and you may need to boot to a trusted environment in order to remove it. The threat may also make changes to your computer that make it difficult for you to download, install or update your virus protection, whether you have a complete antivirus such as Microsoft Security Essentials installed on your computer or not.

If you suspect your computer has been compromised, we recommend using Windows Defender Offline to detect and remove this threat.

Using Windows Defender Offline

Windows Defender Offline works by allowing you to:

  • Download a copy of the tool from a computer that has access to the internet
  • Save a copy of the recovery tool to a removable drive, in order to create bootable media
  • Run the recovery tool on a compromised computer

You might want to use Windows Defender Offline when:

  • You need to scan your computer to check for rootkits and other malware
  • You are infected with malware that prevents you from downloading and installing an antivirus or the latest updates for your antivirus software
  • Your antivirus does not detect or remove advanced malware, such as a rootkit

Note: Windows Defender Offline is not a replacement for a full antivirus solution providing ongoing protection; it is meant to be used in situations where you cannot start or otherwise effectively scan your infected computer due to a virus or other malware actively running on the computer and impeding the effective action of antimalware software. For no-cost, real-time protection that helps guard your home or small business computers against viruses, spyware, and other malicious software, download Microsoft Security Essentials.

  1. Determine if you require the 32-bit or 64-bit download.

    See the Microsoft Help and Support article for instructions on how to determine whether a computer is running a 32-bit version or 64-bit architecture of the Windows operating system.
  2. Using a computer that can connect to the internet, download the version of Windows Defender Offline that applies to the affected computer.

    If the affected computer is a:

    - 32-bit computer, then download the 32-bit version here.
    - 64-bit computer, then download the 64-bit version here.

    Note: In order for the recovery tool to be effective, make sure you download the version that matches the architecture of the affected computer. For example, if your 64-bit desktop is affected, you will need to download the 64-bit version of Windows Defender Offline and save it to a removable drive.
  3. Save the downloaded file to a local drive on your computer.
  4. Launch the downloaded file, and create a bootable device by following the instructions on the wizard.

    Note: We recommend creating a bootable USB or CD; if you create a bootable USB, this can be updated for future use.
  5. From the affected computer, boot from the USB or CD you created in step 4.

    Note: You may need to set the boot order in the BIOS to do this. This will be device specific, so if you are unsure, refer to your system manual or manufacturer.
  6. Follow the prompts to run a full system scan.

    Depending on the outcome of the scan, your next steps will vary. Follow the prompts from Windows Defender Offline to manage any threat detections.

Steps you can take once your computer has been cleaned

  • Install security software, such as Microsoft Security Essentials, or any number of other products that provide a complete, real-time antivirus solution.
  • Keep your antivirus up to date by making sure you have the latest definitions.
  • Use the Microsoft Safety Scanner if you suspect you are infected but are unable to confirm this with your existing antivirus solution.

Enabling registry editor

This threat may modify the computer to prevent Registry Editor from running. To enable Registry Editor on your computer, please do the following:

  1. Run a command prompt. Click Start > Run and type cmd.
  2. In the command prompt, type the following as is and press Enter:
    reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
  3. Type exit at the command prompt.
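The reg.exe step above restores one of the values listed under "Lowers computer security". The following added example (not Microsoft's code) generalises it: it audits a registry snapshot for every DWORD policy value that section lists, reports the ones that currently hold the data Sality writes, and emits one reg.exe line per finding in the same form as step 2. The subkeys and value names come from the write-up; the data to restore (EnableLUA and EnableFirewall on, the Security Center overrides and the Disable* policies off) are the Windows defaults assumed here. The snapshot is a plain dictionary so the logic runs offline; on Windows the optional winreg reader fills it from the live registry.

```python
"""Audit a registry snapshot for the security-lowering values Win32/Sality sets
and print reg.exe commands that restore them (example code, not Microsoft's)."""
import sys

_POL_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"
_POL_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
_FW_PROFILE = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
_SEC_CENTER = r"HKLM\SOFTWARE\Microsoft\Security Center"

# (subkey, value name, data Sality writes, data to restore). Subkeys, names and
# Sality's data are from the write-up; the restore data are assumed Windows defaults.
SALITY_REGISTRY_CHANGES = [
    (_POL_HKLM, "EnableLUA", 0, 1),
    (_FW_PROFILE, "EnableFirewall", 0, 1),
    (_POL_HKCU, "DisableTaskMgr", 1, 0),
    (_POL_HKCU, "DisableRegistryTools", 1, 0),
] + [
    (subkey, name, 1, 0)
    for subkey in (_SEC_CENTER, _SEC_CENTER + r"\Svc")
    for name in ("AntiVirusOverride", "FirewallDisableNotify",
                 "UacDisableNotify", "UpdatesDisableNotify")
]


def audit_registry(snapshot):
    """snapshot: {(subkey, value_name): data}. Returns (subkey, value_name,
    restore_data) for each value whose data equals what Sality writes. Paths and
    value names are compared case-insensitively, as the registry does. A match
    is a lead to review, not proof of infection: an administrator may have set
    the same policy deliberately."""
    seen = {(k.upper(), v.upper()): d for (k, v), d in snapshot.items()}
    findings = []
    for subkey, name, sality_data, restore_data in SALITY_REGISTRY_CHANGES:
        data = seen.get((subkey.upper(), name.upper()))
        if data is None:
            continue                      # value absent: Windows uses its built-in default
        try:
            if int(data) == sality_data:
                findings.append((subkey, name, restore_data))
        except (TypeError, ValueError):
            pass                          # non-numeric data: not the REG_DWORD Sality writes
    return findings


def restore_commands(findings):
    """One reg.exe line per finding, quoted because some subkeys contain spaces.
    Run them from an elevated prompt: the HKLM entries need administrator rights."""
    return [f'reg.exe add "{subkey}" /v {name} /t REG_DWORD /d {data} /f'
            for subkey, name, data in findings]


def read_live_snapshot():
    """Fill a snapshot from this machine's registry (Windows only)."""
    import winreg                         # only available on Windows
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for subkey, name, _sality, _restore in SALITY_REGISTRY_CHANGES:
        root, _, path = subkey.partition("\\")
        try:
            with winreg.OpenKey(roots[root], path) as key:
                snapshot[(subkey, name)], _type = winreg.QueryValueEx(key, name)
        except OSError:
            continue                      # key or value not present
    return snapshot


# Constructed snapshot of a machine whose security has been lowered, not real data.
SAMPLE_SNAPSHOT = {
    (_POL_HKLM, "EnableLUA"): 0,
    (_FW_PROFILE, "EnableFirewall"): 1,   # firewall still on: not flagged
    (_SEC_CENTER, "AntiVirusOverride"): 1,
    (_POL_HKCU, "DisableRegistryTools"): 1,
}

if __name__ == "__main__":
    live = sys.platform == "win32" and "--live" in sys.argv
    snapshot = read_live_snapshot() if live else SAMPLE_SNAPSHOT
    for command in restore_commands(audit_registry(snapshot)):
        print(command)
```

Without arguments the script reports on the embedded sample; on Windows, "--live" reads the actual values, and the printed commands can be reviewed before being pasted into an elevated command prompt.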

Other remediation instructions for Win32/Sality

This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following article(s):