W32/Sality.t

This page shows details and results of our analysis of the malware W32/Sality.t.

Overview

This detection is for a Win32 parasitic virus variant that infects Windows portable executable (PE) files. This virus also attempts to disable certain security programs by deleting their executable files.

Minimum DAT

4769 (2006-05-24)

Updated DAT

5225 (2008-02-07)

Minimum Engine

5400.1158

File Length

Varies

Description Added

2006-05-24

Description Modified

2006-06-05

Malware Proliferation

Characteristics

The W32/Sality.t detection bears the following characteristics:

  • Injects the wdmfmc32.dll file into running processes
  • Creates the following mutexes:
    • KUKU300a
    • KUKU301a
    • uku_joker_v3.06
  • Infects PE executable files
  • Attempts to contact a remote website to test internet connectivity
  • Deletes files whose filenames contain any of the following strings:
    • KAV
    • ANTI
    • SCAN
    • ZONE
    • ANDA
    • TROJ
    • TREN
    • ALER
    • CLEAN
    • OUTP
    • GUAR
    • TOTAL

Symptoms

  • Existence of the files mentioned
  • Existence of larger executable files due to the parasitic infection

Method of Infection

This is a parasitic virus that searches for and infects Windows Portable Executable (PE) files, which typically have the .EXE file extension.

It replaces the original code at the entry point with viral code and stores an encrypted copy of the original code in space appended to the file. Because of a bug in the virus, certain PE files may be corrupted by the infection.
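As an added illustration, not part of the original analysis, the following Python check looks for the two file-level traces described above: which section the entry point lands in, and how many bytes have been appended past the end of the last section's raw data (the space the virus uses to park the encrypted original code). The PE images it inspects are constructed inside the block; `build_pe`, `parasitic_indicators` and the section layout are names and values chosen here, not taken from the sample.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER layout, 40 bytes

def build_pe(sections, entry_rva, overlay=b""):
    """Constructed minimal PE32 image (headers, zero-filled section bodies,
    optional appended bytes) used only to exercise the check; not a real sample.
    sections: (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    opt_size, e_lfanew = 224, 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0).ljust(opt_size, b"\x00")
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, va, vs, rp, rs in sections)
    data_end = max(rp + rs for _, _, _, rp, rs in sections)
    return (dos + b"PE\x00\x00" + coff + opt + table).ljust(data_end, b"\x00") + overlay

def parasitic_indicators(pe: bytes) -> dict:
    """Two cheap triage signals for a parasitically infected PE: which section
    the entry point lands in, and how many bytes sit past the end of the last
    section's raw data (the appended space where the original code is parked)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    entry_rva = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]  # AddressOfEntryPoint
    table = e_lfanew + 24 + opt_size
    entry, data_end = ("<none>", -1, True), 0
    for i in range(nsec):
        name, vs, va, rs, rp, *_, chars = struct.unpack_from(SECTION_FMT, pe, table + 40 * i)
        data_end = max(data_end, rp + rs)
        if va <= entry_rva < va + max(vs, rs):
            entry = (name.rstrip(b"\x00").decode("ascii", "replace"), i, bool(chars & 0x80000000))
    name, idx, writable = entry
    return {"entry_section": name,
            "entry_in_last_section": nsec > 1 and idx == nsec - 1,
            "entry_section_writable": writable,        # IMAGE_SCN_MEM_WRITE set
            "overlay_bytes": max(0, len(pe) - data_end)}

# Constructed samples: the same two-section layout, once clean and once with
# 0x300 bytes appended beyond what the section table accounts for.
LAYOUT = [(b".text", 0x1000, 0x200, 0x400, 0x200), (b".data", 0x2000, 0x100, 0x600, 0x200)]
CLEAN = build_pe(LAYOUT, 0x1010)
INFECTED = build_pe(LAYOUT, 0x1010, overlay=b"\xAA" * 0x300)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, parasitic_indicators(sample))
```

Appended data on its own is not proof of infection (installers and Authenticode-signed binaries legitimately carry an overlay), so treat a non-zero `overlay_bytes` as a reason to compare the file against a known-good copy or its package hash rather than as a verdict.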

Removal

Variants