Spammer:Win32/Sality.A is a detection for malware that searches a user's Outlook address book and Internet Explorer cached files for e-mail addresses to which it can send spam. It then sends out spammed messages based on information it retrieves from a remote server.
Spammer:Win32/Sality.A may be dropped and installed by other malware. It may arrive on the system under a random file name. Upon execution, it creates a mutex, for example, '65r9nmjhWIO', to ensure that only one instance of itself is running.
Modifies system settings
Spammer:Win32/Sality.A modifies the Windows Firewall policy list to allow itself to bypass the firewall and access the Internet:
Adds value: "<malware file>"
With data: "<malware file>:Enabled:ipsec"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
where <malware file> is the malware file name.
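A check for the firewall exception described above, as an added example that is not part of the original advisory: it parses the text output of `reg query` for the AuthorizedApplications\List subkey and flags enabled entries whose label is "ipsec". The sample rows, paths and file names are constructed, and the function names are hypothetical.

```python
import re

# Row layout of `reg query <key>` output: indent, value name, type, data,
# separated by four spaces (tabs on older Windows releases).
ROW = re.compile(
    r"^\s+(?P<name>.+?)(?:\s{4}|\t)(?P<type>REG_\w+)(?:\s{4}|\t)(?P<data>.*)$"
)

# Constructed sample output; file names and paths are illustrative only.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\system32\sessmgr.exe    REG_SZ    %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
    C:\Program Files\Example\sync.exe    REG_SZ    C:\Program Files\Example\sync.exe:*:Enabled:Example Sync
    C:\DOCUME~1\user\LOCALS~1\Temp\winxqpa.exe    REG_SZ    C:\DOCUME~1\user\LOCALS~1\Temp\winxqpa.exe:Enabled:ipsec
    C:\Tools\old.exe    REG_SZ    C:\Tools\old.exe:*:Disabled:ipsec
"""


def parse_rows(text):
    """Yield (value name, data) for each value row in `reg query` output."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m["name"].strip(), m["data"].strip()


def suspicious_entries(text):
    """Return enabled firewall exceptions whose label is 'ipsec'."""
    hits = []
    for name, data in parse_rows(text):
        # The program path contains ':' itself, so split from the right:
        # the last two fields are the status and the display label.
        parts = data.rsplit(":", 2)
        if len(parts) != 3:
            continue
        target, status, label = parts
        if status.lower() == "enabled" and label.lower() == "ipsec":
            hits.append({
                "value": name,
                "data": data,
                # True when the value name is also the start of its own data
                "self_named": target.lower().startswith(name.lower()),
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE):
        print("REVIEW:", hit["value"], "->", hit["data"])
```

A hit is a lead for review rather than a verdict: confirm the flagged file on disk before treating the host as infected.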
Sends spammed e-mail messages
Spammer:Win32/Sality.A attempts to search the user's Outlook address book and Internet Explorer's cached files for e-mail addresses. It then connects to a remote server, for example, 18.104.22.168, to submit its obtained addresses. From the same server it then retrieves spam e-mail message contents and SMTP servers through which the messages are sent.
Prior to sending out the spammed e-mail messages, it checks if the system's IP address is blocked by the following spam-blocking services: