This detection is for a virus. Viruses are programs that self-replicate: an infected system spreads the virus to other systems, which in turn propagate it further. While many viruses carry a destructive payload, it is also common for a virus to do nothing more than spread from one system to another.
Updated DAT: 5426 (2008-11-06)
W32/Sality.aq is a parasitic virus that infects Win32 PE executable files.
Upon execution, it drops the following files:
It creates the following mutex: "Op1mutx9". Because the name is fixed, its presence on a running host is a usable live-triage indicator of an active instance.
Creates the following registry keys:
Modifies the following registry entries:
Deletes entries under the following registry subkeys to prevent rebooting into Safe Mode:
Adds the following entry to %Windir%\system.ini:
Downloads further malware from the following domains:
Attempts to delete files whose names contain any of the following strings:
The kernel-mode device driver attempts to block access to the following domains, and to applications whose names contain the following strings:
W32/Sality.aq searches local drives and network shares for Windows PE executable files to infect. It replaces the code at the original entry point of each host file with its viral code and appends its body to the last section of the PE image. Infected files grow by at least 50 KB. Because network shares are infected as well as local drives, cleaning a single host is not sufficient: every share the host could write to must be scanned, or the cleaned host is reinfected from the share.
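As an added example (not part of the McAfee advisory and not McAfee's tooling), the following Python script turns the infection pattern above into a static triage check. It parses the PE header by hand, so it needs no third-party module, and flags a file whose entry point falls in its last section or whose last section is marked executable, which is what appending viral code to the last section requires. It also applies the advisory's size clue, a growth of at least 50 KB, which only works against a known-good copy of the same build. Both sample images are constructed in the script; `build_pe`, `sality_style_indicators` and `grew_by_at_least` are names chosen here. Packers such as UPX produce the same entry-point layout, so a hit is a lead for a proper engine scan, not a verdict.

```python
# Added example: static triage for an appended-to-last-section PE infection.
# Not McAfee code; offsets follow the documented IMAGE_FILE_HEADER,
# IMAGE_OPTIONAL_HEADER and IMAGE_SECTION_HEADER layouts.
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MIN_APPEND = 50 * 1024  # the advisory's stated minimum growth: 50 KB


def parse_pe(data):
    """Return (AddressOfEntryPoint, list of section dicts) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in both formats
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        (name, vsize, vaddr, rsize, rptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rsize": rsize,
                         "rptr": rptr, "chars": chars})
    return entry_rva, sections


def section_containing(rva, sections):
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
            return s
    return None


def sality_style_indicators(data):
    """Return human-readable indicators; an empty list means none fired."""
    entry_rva, sections = parse_pe(data)
    if len(sections) < 2:
        return []  # a single-section file gives this heuristic nothing to compare
    last = max(sections, key=lambda s: s["vaddr"])  # highest RVA = last in image
    hits = []
    if section_containing(entry_rva, sections) is last:
        hits.append("entry point 0x%x lies in last section %s" % (entry_rva, last["name"]))
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE:
        flag = "executable"
        if last["chars"] & IMAGE_SCN_MEM_WRITE:
            flag += " and writable"
        hits.append("last section %s is %s" % (last["name"], flag))
    return hits


def grew_by_at_least(clean, suspect, minimum=MIN_APPEND):
    """Size clue from the advisory; needs a known-good copy of the same build."""
    return len(suspect) - len(clean) >= minimum


def build_pe(entry_rva, secs):
    """Construct a minimal PE32 image in memory (sample data, not a real program)."""
    opt_size = 0xE0  # standard PE32 optional header size
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * len(secs)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF  # file alignment 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    table, body = b"", b""
    for name, vaddr, vsize, rsize, chars in secs:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, raw_ptr, 0, 0, 0, 0, chars)
        body += b"\0" * rsize
        raw_ptr += rsize
    img = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    img += b"\0" * (((hdr_end + 0x1FF) & ~0x1FF) - len(img))
    return img + body


# Constructed samples: a typical three-section layout, and the same layout after
# an appended-to-last-section infection (entry moved, .rsrc grown and made RWX).
CLEAN = build_pe(0x1100, [
    (b".text", 0x1000, 0x800, 0x800, 0x60000020),
    (b".data", 0x2000, 0x200, 0x200, 0xC0000040),
    (b".rsrc", 0x3000, 0x1000, 0x1000, 0x40000040),
])
INFECTED = build_pe(0x3100, [
    (b".text", 0x1000, 0x800, 0x800, 0x60000020),
    (b".data", 0x2000, 0x200, 0x200, 0xC0000040),
    (b".rsrc", 0x3000, 0xE000, 0xE000, 0xE0000040),
])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspect", INFECTED)):
        print(label, sality_style_indicators(sample) or "no indicators")
    print("grew by >= 50 KB:", grew_by_at_least(CLEAN, INFECTED))
```

For a real file, pass `open(path, "rb").read()` to `sality_style_indicators`; for the size comparison, the clean reference should be the same build of the binary taken from install media or a trusted backup, since any other version differs in size for unrelated reasons.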
Use the current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
In some cases, however, the following additional steps need to be taken.
Boot into the Microsoft Recovery Console and restore a clean MBR.
On Windows XP:
On Windows Vista and 7: