This page shows details and results of our analysis on the malware W32/Sality.ah

Download Current DAT

Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: Win32
  • Protection Added: 2008-07-15

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Minimum Engine


File Length


Description Added


Description Modified


Malware Proliferation

W32/Sality.ah is a parasitic virus that infects Win32 PE executable files.

Upon execution, it starts a service to listen on a random UDP Port and create a copy of itself in the following path(s):

  • %Windir%\System32\Drivers\{random}.sys

It follows to create the following registry key(s):

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3360pr
  • HKEY_CURRENT_USER\Software\{%UserName%}914

It may also modify system configuration via the following registry key(s):

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ Parameters\FirewallPolicy\StandardProfile\Authorized Applications\List
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

(Where %UserName% is the Windows logged in user ID)

In an attempt to make recovery difficult for the victim, registry keys in the following sub-tree are deleted and needs to be restored to the original configuration if needed by the user:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\*
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*

It may parasitically infect *.exe and *scr files on the local, network and removable drives except for files containing the following string(s) in the filename:

  • SYSTEM32

It can also drop a copy of itself as asc3360pr.scr, asc3360pr.pif or asc3360pr.exe onto the following Windows drive types and creates an Autorun.inf to auto-execute itself:

  • Unknown drive type (Type 0)
  • Removable media (Type 2) - e.g. USB drives.
  • Remote network drive (Type 4) - e.g. shared folders.

It may download additional malware from the folllowing site(s):

  • hxxp://
  • hxxp://
  • hxxp://
  • hxxp://
  • hxxp://
  • hxxp://
  • hxxp://
  • hxxp://
  • hxxp://
  • hxxp://
  • hxxp://
  • hxxp://
  • hxxp://
  • hxxp://
  • hxxp://
  • hxxp://

Services containing the following strings may be removed:

  • Agnitum Client Security Service
  • ALG
  • aswUpdSv
  • avast! Antivirus
  • avast! Mail Scanner
  • avast! Web ScannerAVP
  • BackWeb Plug-in - 4476822
  • bdss
  • BGLiveSvc
  • BlackICE
  • CAISafe
  • ccEvtMgr
  • ccProxy
  • ccSetMgr
  • Eset Service
  • F-Prot Antivirus Update Monitor
  • fsbwsys
  • F-Secure Gatekeeper Handler Starter
  • fshttps
  • FSMA
  • InoRPC
  • InoRT
  • InoTask
  • KPF4
  • LavasoftFirewall
  • McAfeeFramework
  • McShield
  • McTaskManager
  • navapsvc
  • NOD32krn
  • NPFMntor
  • NSCService
  • Outpost Firewall main module
  • OutpostFirewall
  • PavProt
  • PavPrSrv
  • PcCtlCom
  • PersonalFirewal
  • ProtoPort Firewall service
  • RapApp
  • SmcService
  • SNDSrvc
  • SPBBCSvc
  • Symantec Core LC
  • Tmntsrv
  • TmPfw
  • tmproxy
  • UmxAgent
  • UmxCfg
  • UmxLU
  • UmxPol
  • vsmon
  • WebrootDesktopFirewallDataService
  • WebrootFirewall

It may also search and delete files containing the following extension(s) or string(s) in the filename:

  • .vdb
  • .key
  • .avc
  • Presence of the file(s) mentioned.
  • Presence of the registry key(s) mentioned.
  • Services listening on the network port(s) mentioned.
  • Unexpected network traffic to one or more of the domain(s) mentioned.
  • Executable files increase in size by 70 kilobytes.



W32/Sality.ah searches local drives, removable and network shares for Windows PE executable files to infect. It replaces the original entry point of the files it infects with its viral code and appends itself to the last section of the PE image.  The infected files grow by size by 70 KB.

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.

On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.