This page shows details and results of our analysis of the malware W32/Sality.ai.


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

W32/Sality.ai is a parasitic virus that infects Win32 PE executable files.

Upon execution, this file infector listens on a UDP port and drops the following file:

%System%\drivers\{Random file name}.sys (Terminates security applications)
(Note: %System% is the Windows system folder, e.g. C:\Windows\System32 or C:\WINNT\System32)

It then creates/modifies the following registry keys/entries:

  • HKEY_CURRENT_USER\Software\{User Name}914
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3360pr
    ImagePath = "%System%\drivers\{Random file name}.sys"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\
    DisableTaskMgr: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\
    DisableRegistryTools: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

To make recovery difficult for the victim, it deletes the following registry keys/entries:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
    AlternateShell = "cmd.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
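The registry changes listed above (entries created and SafeBoot entries deleted) can be checked offline against a `reg export` of the relevant hives. The following Python script is an added example, not code from the original advisory or from McAfee: it parses the `.reg` text format into a dictionary and reports the indicators named on this page. The two exports it runs on are constructed inline (the driver name `kqztpxlw.sys` stands in for the random name the virus chooses); the parser decodes only string and dword values, so `ImagePath` is written as a plain string rather than the `hex(2)` encoding `regedit` uses for REG_EXPAND_SZ, and the SafeBoot checks assume the export covers the `Control\SafeBoot` tree so that a missing subkey reflects deletion rather than an incomplete export.

```python
import re

# Registry keys named in the advisory, lower-cased for case-insensitive lookup
HKLM = "hkey_local_machine\\"
HKCU = "hkey_current_user\\"
POLICY_HKLM = HKLM + "software\\microsoft\\windows\\currentversion\\policies\\system"
POLICY_HKCU = HKCU + "software\\microsoft\\windows\\currentversion\\policies\\system"
SERVICES = HKLM + "system\\currentcontrolset\\services\\"
SAFEBOOT = HKLM + "system\\currentcontrolset\\control\\safeboot"

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def decode_value(text):
    """Decode dword and quoted-string values; other types are left as raw text."""
    if text.startswith("dword:"):
        return int(text[6:], 16)
    if len(text) >= 2 and text.startswith('"') and text.endswith('"'):
        return text[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return text


def parse_reg(text):
    """Parse .reg export text into {key_path_lower: {value_name_lower: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(2).lower()
            keys[current] = {}
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = (m.group(1) or "").lower()   # "" is the key's default value
            keys[current][name] = decode_value(m.group(2))
    return keys


def check_indicators(keys):
    """Report the registry indicators from the advisory found in a parsed export."""
    def val(key, name):
        return keys.get(key, {}).get(name.lower())

    findings = []
    if val(POLICY_HKLM, "EnableLUA") == 0:
        findings.append("UAC disabled: EnableLUA = 0")
    for name in ("DisableTaskMgr", "DisableRegistryTools"):
        if val(POLICY_HKCU, name) == 1:
            findings.append("%s = 1" % name)
    svc = keys.get(SERVICES + "asc3360pr")
    if svc is not None:
        path = str(svc.get("imagepath", ""))
        if re.search(r"\\drivers\\[^\\]+\.sys$", path, re.IGNORECASE):
            findings.append("service asc3360pr loads driver %s" % path)
        else:
            findings.append("service asc3360pr is present")
    # Only judge SafeBoot when the export covers that tree (assumption), so that
    # a missing subkey reflects deletion rather than an incomplete export.
    if SAFEBOOT in keys:
        for sub in ("Minimal", "Network"):
            if SAFEBOOT + "\\" + sub.lower() not in keys:
                findings.append("SafeBoot\\%s key is missing" % sub)
        if val(SAFEBOOT, "AlternateShell") is None:
            findings.append("SafeBoot AlternateShell value is missing")
    return findings


# Constructed exports (not captured from a real machine); the .sys name is a placeholder.
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3360pr]
"ImagePath"="C:\\WINDOWS\\System32\\drivers\\kqztpxlw.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
'''

CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
'''

if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("infected-like", INFECTED_EXPORT)):
        print(label, check_indicators(parse_reg(export)))
```

Running the script prints no findings for the clean export and seven for the infected-like one. On a real host, export the four parent keys with `reg export` and feed the files to `parse_reg`; a hit on `EnableLUA` or the policy values alone is also produced by legitimate hardening tools, so weigh it together with the service entry and the missing SafeBoot keys.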

This file infector adds the following entries in the SYSTEM.INI file:

    DEVICEMB={Random numbers}


It scans the following registry key to check for the existence of registry subkeys related to antivirus and security applications:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

If found, it deletes those subkeys. Registry subkeys that may be deleted to disable security applications include the following:

  • _AVPM

It infects files (*.exe and *.scr files on local, network and removable drives, except for file names containing the strings WINDOWS, SYSTEM or SYSTEM32) by overwriting some code at the entry point and saving the overwritten code in the virus body. It then appends the virus body to the host file.

This file infector terminates the following services, if found on the system:

  • aswUpdSv
  • avast! iAVS4 Control Service
  • avast! Antivirus
  • avast! Mail Scanner
  • avast! Web Scanner
  • vsmon
  • WebrootDesktopFirewallDataService
  • WebrootFirewall

It may download additional malware from the following site(s):

  • http://89.119.67.{removed}/testo5
  • http://kukutrustnet777.{removed}
  • http://kukutrustnet888.{removed}
  • http://kukutrustnet987.{removed}
  • http://www.klkjwre9fqwieluoi.{removed}


  • Presence of the file(s) mentioned.
  • Presence of the registry key(s) mentioned.
  • Services listening on the network port(s) mentioned.
  • Unexpected network traffic to one or more of the domain(s) mentioned.

Method of Infection

W32/Sality.ai searches local drives, removable drives and network shares for Windows PE executable files to infect. It replaces the original entry point of the files it infects with its viral code and appends itself to the last section of the PE image.
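The infection mechanism described here and under the file-infection paragraph above (entry point redirected into viral code appended to the last section) leaves a structural trace that can be checked without a signature. The following Python script is an added example, not code from the original advisory or from McAfee: it parses the PE section table, locates the section that owns the entry point, and flags the layout an appending infector produces. The two images it inspects are constructed in memory by `build_pe32`, a hypothetical helper written for this example; they are padding bytes with valid headers, not Sality samples.

```python
import struct

# PE section characteristic flags (IMAGE_SCN_*)
SCN_CODE = 0x00000020
SCN_EXECUTE = 0x20000000
SCN_READ = 0x40000000
SCN_WRITE = 0x80000000

FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000


def build_pe32(sections, entry_rva):
    """Hypothetical helper: build a minimal PE32 image in memory for testing.
    sections is a list of (name, virtual_size, characteristics), laid out in
    order starting at RVA 0x1000. Section bytes are padding, not real code."""
    hdr_len = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    hdr_len = (hdr_len + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
    sect_hdrs, blobs, raw_ptr, vaddr = b"", b"", hdr_len, SECT_ALIGN
    for name, vsize, chars in sections:
        raw_size = (vsize + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                 vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        blobs += b"\xcc" * raw_size
        raw_ptr += raw_size
        vaddr += (vsize + SECT_ALIGN - 1) // SECT_ALIGN * SECT_ALIGN
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva,
                      0x1000, 0, 0x400000, SECT_ALIGN, FILE_ALIGN)
    opt = opt.ljust(224, b"\0")                                  # PE32 optional header size
    image = (dos + coff + opt + sect_hdrs).ljust(hdr_len, b"\0")
    return image + blobs


def parse_pe(data):
    """Return (entry_rva, [section dicts]) from a PE32/PE32+ file image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, raw_size = struct.unpack_from("<8sIII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "span": max(vsize, raw_size), "chars": chars})
    return entry_rva, sections


def entry_point_findings(data):
    """Flag the layout an appending file infector leaves behind: entry point
    moved into the last section, and/or a writable and executable last section."""
    entry, sections = parse_pe(data)
    owner = next((i for i, s in enumerate(sections)
                  if s["vaddr"] <= entry < s["vaddr"] + s["span"]), None)
    findings = []
    if owner is None:
        findings.append("entry point 0x%x lies outside every section" % entry)
    else:
        last = sections[-1]
        if owner == len(sections) - 1 and len(sections) > 1:
            findings.append("entry point is in the last section %r" % last["name"])
        if last["chars"] & SCN_WRITE and last["chars"] & SCN_EXECUTE:
            findings.append("last section %r is writable and executable" % last["name"])
        if not sections[owner]["chars"] & SCN_CODE:
            findings.append("entry section %r is not flagged as code" % sections[owner]["name"])
    return {"entry_rva": entry,
            "entry_section": None if owner is None else sections[owner]["name"],
            "findings": findings,
            "suspicious": bool(findings)}


# Constructed test images (not real samples): a normal layout, and the layout
# left by an infector that grows the last section and points the entry into it.
CLEAN_IMAGE = build_pe32([(".text", 0x800, SCN_CODE | SCN_EXECUTE | SCN_READ),
                          (".data", 0x400, SCN_READ | SCN_WRITE)], entry_rva=0x1100)
INFECTED_IMAGE = build_pe32([(".text", 0x800, SCN_CODE | SCN_EXECUTE | SCN_READ),
                             (".data", 0x2400, SCN_READ | SCN_WRITE | SCN_EXECUTE)],
                            entry_rva=0x2400)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("infected-like", INFECTED_IMAGE)):
        print(label, entry_point_findings(img))
```

Packers such as UPX also place the entry point in a writable, executable last section, so treat these findings as a triage signal to confirm against a known-good copy of the file or an engine scan, not as proof of infection. To run it over a directory, read each `*.exe` and `*.scr` file into `bytes` and pass it to `entry_point_findings`.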


All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).