Intel Security


This page shows details and results of our analysis on the malware W32/Sality.t

Download Current DAT

Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: Win32
  • Protection Added: 2006-05-24

This detection is for a Win32 parasitic virus variant that infects Windows portable executable (PE) files.  This virus also attempts to disable certain security programs by deleting the executable file.

Minimum Engine


File Length


Description Added


Description Modified


Malware Proliferation

The W32/Sality.t detection bears the following characteristics:

  • Injects the wdmfmc32.dll file into running processes
  • Creates the following mutex:
    • KUKU300a
    • KUKU301a
    • uku_joker_v3.06
  • Infects PE executable files 
  • Attempts to contact a remote website to test internet connectivity 
  • Deletes files which contains following strings in its filenames.
    • KAV
    • ANTI
    • SCAN
    • ZONE
    • ANDA
    • TROJ
    • TREN
    • ALER
    • CLEAN
    • OUTP
    • GUAR
    • TOTAL
  • Existence of the files mentioned
  • Existence of larger executable files due to the parasitic infection

This is a parasitic virus that searches and infects Windows Portable Executable (PE) files that typically has the .EXE file extension.

It replaces the original code at the entry point with viral code and stores an encrypted copy of the original code in the appended space of the file. Due to a bug in the virus, it may cause certain PE files to be corrupted.