This virus has been around for years and made a major comeback last year. According to a Microsoft study, over 8 million computers were infected with it in 2012.
What It Does
W32.Sality is an entry-point obscuring (EPO) polymorphic file infector. It infects executable files on local, removable and remote shared drives, builds a peer-to-peer (P2P) botnet through which it receives URLs of additional files to download, and then attempts to disable security software. To infect a file, it replaces the original host code at the entry point of the executable so that execution is redirected to the polymorphic viral code, which has been encrypted and inserted in the last section of the host file. In addition to infecting local and remotely shared executable files, W32.Sality deliberately searches specific registry subkeys in order to infect the executable files that run when Windows starts.
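As an added example (not part of the original post), the following Python heuristic parses the PE section table and flags an executable whose entry point lands in the last section, or in a section that is both writable and executable, which is the layout the infection technique above produces. The PE images it checks are constructed header-only stubs built by build_pe, not real infected files, and a hit is a reason to scan the file, not proof of infection.

```python
import struct

# Appending infectors such as W32.Sality keep the host's sections but point the
# entry point at viral code stored in the last section. Packers trip these checks too.
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def parse_pe(data):
    # Returns (entry_rva, [(name, virtual_addr, virtual_size, flags), ...]).
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H12xH", data, coff + 2)  # NumberOfSections, SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, flags = struct.unpack_from("<II20xI", data, off + 8)  # VirtualSize, VirtualAddress, Characteristics
        sections.append((name, va, vsize, flags))
        off += 40
    return entry_rva, sections

def entry_point_findings(data):
    """List suspicious traits of where the PE entry point lands."""
    entry_rva, sections = parse_pe(data)
    findings = []
    for i, (name, va, vsize, flags) in enumerate(sections):
        if va <= entry_rva < va + vsize:
            if i == len(sections) - 1 and len(sections) > 1:
                findings.append(f"entry point in last section {name}")
            if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
                findings.append(f"entry section {name} is writable and executable")
            return findings
    return ["entry point outside every section"]

def build_pe(entry_rva, sections):
    # Constructed header-only PE image (no section data) used to exercise the heuristic.
    img = bytearray(0x40)
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H14xI", opt, 0, 0x10B, entry_rva)  # PE32 magic, AddressOfEntryPoint
    img += opt
    for name, va, vsize, flags in sections:
        img += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, 0, 0, 0, 0, 0, 0, flags)
    return bytes(img)

# Constructed samples: a normal layout, and one whose entry point sits in a writable last section.
CLEAN = build_pe(0x1010, [(".text", 0x1000, 0x1000, 0x60000020), (".data", 0x2000, 0x200, 0xC0000040)])
SUSPECT = build_pe(0x2040, [(".text", 0x1000, 0x1000, 0x60000020), (".data", 0x2000, 0x200, 0xE0000040)])
```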
Variants
W32.Sality
W32.HLLP.Sality.O
W32.HLLP.Sality.Q
W32.Sality.R
W32.Sality.S
W32.Sality.U
W32.Sality.V
W32.Sality.X
W32.Sality.Y
W32.Sality.AB
W32.Sality.AE
W32.Sality.AM
Removal
The first step is to download either Norton Power Eraser or Kaspersky Removal Tools.
For the Kaspersky tool, run the exe and check Startup Objects and Disk Boot Sectors. Run the scan and it should help remove the virus.