Virus:W32/Sality.AA
Date discovered:21/11/2008
Type:File infector
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Medium
Damage Potential:Medium to high
Static file:No
IVDF version:7.00.00.101 - Wednesday, October 17, 2007
Engine version:8.2.0.35

General methods of propagation:
   • Local network
   • Mapped network drives


Aliases:
   •  Mcafee: W32/Sality.gen virus
   •  Kaspersky: Virus.Win32.Sality.aa
   •  F-Secure: Virus.Win32.Sality.aa
   •  Eset: Win32/Sality.NAU virus
   •  Bitdefender: Win32.Sality.OG


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Lowers security settings
   • Registry modification

Registry:
The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Security Center\Svc]
   • "AntiVirusOverride"=dword:00000001
   • "AntiVirusDisableNotify"=dword:00000001
   • "FirewallDisableNotify"=dword:00000001
   • "FirewallOverride"=dword:00000001
   • "UpdatesDisableNotify"=dword:00000001
   • "UacDisableNotify"=dword:00000001



The following registry keys are changed:

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "Hidden"=dword:00000001
   New value:
   • "Hidden"=dword:00000002

Deactivate Windows XP Firewall:
– [HKLM\SOFTWARE\Microsoft\Security Center]
   Old value:
   • "AntiVirusDisableNotify"=dword:00000000
   • "FirewallDisableNotify"=dword:00000000
   • "UpdatesDisableNotify"=dword:00000000
   • "AntiVirusOverride"=dword:00000000
   • "FirewallOverride"=dword:00000000
   • "UacDisableNotify"=dword:00000000
   New value:
   • "AntiVirusDisableNotify"=dword:00000001
   • "FirewallDisableNotify"=dword:00000001
   • "UpdatesDisableNotify"=dword:00000001
   • "AntiVirusOverride"=dword:00000001
   • "FirewallOverride"=dword:00000001
   • "UacDisableNotify"=dword:00000001

Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system]
   Old value:
   • "DisableTaskMgr"=dword:00000000
   • "DisableRegistryTools"=dword:00000000
   New value:
   • "DisableTaskMgr"=dword:00000001
   • "DisableRegistryTools"=dword:00000001
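The three registry changes above are the side effects a defender can check for directly. The following read-only audit script is an added example and is not part of Avira's description or its removal tooling; it assumes Windows PowerShell on a host with the Security Center keys (Windows XP/2003 or later) and reads HKCU for the user running the script. The key paths and values are copied verbatim from the description; the script structure, the function name `Get-SalityRegistryHits`, and the output format are my own.

```powershell
# Added example (not from the Avira description): read-only audit of the registry
# values the description attributes to W32/Sality.AA. Nothing is changed; run from
# an elevated prompt so the HKLM keys can be read.

# Each entry lists a key from the description and the post-infection values it reports.
$SalityIndicators = @(
    @{ Key    = 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'
       Values = @{ AntiVirusOverride = 1; AntiVirusDisableNotify = 1; FirewallDisableNotify = 1;
                   FirewallOverride = 1; UpdatesDisableNotify = 1; UacDisableNotify = 1 } }
    @{ Key    = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Values = @{ AntiVirusOverride = 1; AntiVirusDisableNotify = 1; FirewallDisableNotify = 1;
                   FirewallOverride = 1; UpdatesDisableNotify = 1; UacDisableNotify = 1 } }
    @{ Key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Values = @{ Hidden = 2 } }
    @{ Key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Values = @{ DisableTaskMgr = 1; DisableRegistryTools = 1 } }
)

function Get-SalityRegistryHits {
    # Emits one object per registry value whose current data equals the value
    # the description lists as the infected state. Missing keys or values are skipped.
    foreach ($entry in $SalityIndicators) {
        if (-not (Test-Path -Path $entry.Key)) { continue }
        $props = Get-ItemProperty -Path $entry.Key
        foreach ($name in $entry.Values.Keys) {
            $prop = $props.PSObject.Properties[$name]
            if ($null -eq $prop) { continue }               # value not present at all
            if ([int]$prop.Value -eq $entry.Values[$name]) {
                [pscustomobject]@{
                    Key      = $entry.Key
                    Value    = $name
                    Current  = $prop.Value
                    Reported = $entry.Values[$name]          # value from the description
                }
            }
        }
    }
}

$hits = @(Get-SalityRegistryHits)
if ($hits.Count -eq 0) {
    Write-Output 'No registry values match the W32/Sality.AA indicators.'
} else {
    $hits | Format-Table -AutoSize
}
```

Weigh the hits rather than counting them: `Hidden`=2 is also the default for a fresh user profile, so on its own it proves nothing, and the Security Center override flags can be set by administrative policy. The `DisableTaskMgr` and `DisableRegistryTools` policy values together with the Security Center overrides are the stronger signal, and any hit should be followed up by scanning the host's `*.EXE` files, since the description does not give a registry-only cleanup. To audit another user's profile, load that user's hive and substitute its path for `HKCU:`.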

File infection method:
This infector is memory-resident: once executed, it stays active in memory.


The following files are infected:
By file type:
   • *.EXE

Description inserted by Viktor Graeber on Thursday, August 6, 2009
Description updated by Andrei Gherman on Wednesday, December 16, 2009
