Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: MEDIUM
Payload: Attempts to steal information; downloads other malware; displays a message; terminates security programs
Detection files published: 19 Jan 2005 03:00:00
Description created: 14 Dec 2006 12:26:00
Description updated: 14 Dec 2006 12:26:00
Malware type: VIRUS
Alias:
Spreading mechanism: FILE_INFECTION, NETWORK
Summary: None

W32/Sality

Spreading

The virus family spreads primarily by infecting executable files on local and shared drives. Early variants are known to have been downloaded and spread by a number of Bagle-related malware. It specifically tries to infect the executables referenced in the registry Run keys so that the infected host file is executed, and the virus becomes active, at every boot.
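One defensive check that follows from the Run-key behaviour described above is to audit every executable the Run keys point at, as an added example that is not Lumension's own tooling. It assumes a Windows host with PowerShell 3 or later and does not detect Sality itself; it only surfaces autorun binaries whose path is missing, whose Authenticode signature no longer validates, or whose SHA-256 differs from your software inventory.

```powershell
# Added example (not Lumension's code): audit the executables referenced by
# the Run keys, the location this family targets so its host file runs at boot.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyExecutable {
    # Extract the executable path from a Run-key command line, handling
    # quoted paths, trailing arguments and environment variables.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted form: take everything up to the first ".exe".
    $m = [regex]::Match($cmd, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $cmd.Split(' ')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($entry in $props.PSObject.Properties) {
        if ($entry.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        $exe = Get-RunKeyExecutable -Command ([string]$entry.Value)
        if (-not (Test-Path -LiteralPath $exe)) {
            Write-Output "MISSING  $key\$($entry.Name) -> $exe"
            continue
        }
        # A file infector rewrites the host binary: a formerly signed autorun
        # executable whose signature is now invalid, or whose hash no longer
        # matches your inventory, deserves a closer look.
        $sig  = Get-AuthenticodeSignature -FilePath $exe
        $hash = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
        [pscustomobject]@{
            Key       = $key
            Name      = $entry.Name
            Path      = $exe
            Signature = $sig.Status
            SHA256    = $hash
        }
    }
}
```

Compare the SHA256 column against a known-good baseline taken from a clean build; an entry reporting HashMismatch or NotSigned where the vendor ships signed binaries is the signal worth triaging.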

Payload Details

Sality will collect information from the infected machine and attempt to mail it out. The information gathered may include:
- operating system
- IP address
- network share passwords
- computer name
- recently visited websites
- dial-up connection passwords
- logged keystrokes
- harvested email addresses
Some Sality variants will download other malware components from the web; these can be essentially anything, ranging from other trojans and viruses to adware.
Sality will try to terminate several processes belonging to security programs.
On some occasions, Sality may display a message box reading:
    Title: Win32.HLLP.Kuku v<version number>
    <<<<< Hey, Lamer! Say "Bye-bye" to your data! >>>>>
    Copyright (C) by Sector

Analysis

n/a

Removal

The first variant was added to definition files in January 2005. Since then, numerous other variants have been found and added to our definitions.


Last Updated: 12 Nov 2015 11:06:09