Overview
This detection is for a Win32 parasitic virus variant that infects Windows portable executable (PE) files. This virus also attempts to disable certain security programs by deleting the executable file.
|
Minimum DAT
4769 (2006-05-24) Updated DAT5225 (2008-02-07) |
Minimum Engine
5400.1158 File LengthVaries |
Description Added
2006-05-24 Description Modified2006-06-05 |
Malware Proliferation
Characteristics
The W32/Sality.t detection bears the following characteristics:
- Injects the wdmfmc32.dll file into running processes
- Creates the following mutex:
- KUKU300a
- KUKU301a
- uku_joker_v3.06
- Infects PE executable files
- Attempts to contact a remote website to test internet connectivity
- Deletes files which contains following strings in its filenames.
- KAV
- ANTI
- SCAN
- ZONE
- ANDA
- TROJ
- TREN
- ALER
- CLEAN
- OUTP
- GUAR
- TOTAL
Symptoms
- Existence of the files mentioned
- Existence of larger executable files due to the parasitic infection
Method of Infection
This is a parasitic virus that searches and infects Windows Portable Executable (PE) files that typically has the .EXE file extension.
It replaces the original code at the entry point with viral code and stores an encrypted copy of the original code in the appended space of the file. Due to a bug in the virus, it may cause certain PE files to be corrupted.
Removal
Variants