Video Screencast Help
Security Community Blog

A live scenario on "How W32.Sality infects uses machine"

Created: 23 Apr 2009 • Updated: 23 Apr 2009 • 3 comments
SAM_SHAIKH's picture
0 0 Votes
Login to vote


W32.Sality is a parasitic virus which infects shared drives and Windows executable files by putting its code to host files. It contains downloader functionality to further install Trojan or key logger components. Sality opens a backdoor that allow the remote attacker to get the full control over the infected computer and in turn the confidential information, representing a serious security risk.

Microsoft - Virus: Win32/
Kaspersky - Virus.Win32.Sality.aa

W32.Sality has the following symptoms:

• Modifies System.ini files (Check for the modified date)
• Services listening on the network port(s).
• Unexpected network trafic to one or more of the domain(s).
• No access to File Monitor.
• Disables Safe mode boot
• Disables regedit and taskmanager
• Disables Antivirus

Upon execution, it starts a service to listen on a random UDP Port and create a copy of itself in the following path(s):

It may parasitically infect *.exe and *scr files on the local, network and removable drives except for files containing the following string(s) in the filename:
Downloads further malware from the following domains:

It can also drop an Autorun.inf file to auto-execute itself


Once the sample is run, it immediately tries to hook to one of the random processes and connects to certain sites and downloads malware.


The screen shot above shows the virus connecting to the IP on port 80 and establishing contact with a certain “” to download the file “logoh.gif”

Below is a screen shot of sality hooking on to a certain “Notepad.exe”


One may notice that Notepad.exe is in the running processes even when it has never been opened by the user.( Check the system tray )
If we kill this process, Sality hooks on to another process.

Common Registry changes done by Sality

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr: 0x00000001

This is to disable regedit and taskmanager.

In an attempt to make recovery difficult for the victim, registry keys in the following sub-tree are deleted and needs to be restored to the original configuration if needed by the user:


Common URL’s accessed by Sality

The following domains need to be blocked at the firewall.

• hxxp://
• hxxp://
• hxxp://
• hxxp://
• hxxp://
• hxxp://
• hxxp://
• hxxp://
• hxxp://
• hxxp://
• hxxp://
• hxxp://
• hxxp://
• hxxp://
• hxxp://
• hxxp://
• http:.//


Comments 3 CommentsJump to latest comment

Peter_007's picture

Excellent Doccument.
Keep it up SAM

Login to vote
Symantec World's picture

Thanks for this document.

Sality also currupt your AntiVirus, Actually we are facing this issue.

Regards, M.R

Login to vote
mon_raralio's picture

We got a couple of PCs infected with W32.Sality.AE in our network.
What we tried was to map the C: drive of the infected PC to another PC and have that PC scan the drive as a "local drive". After that we edited the registry (It's in the regedit -> File -> Connect Network Registry...) and did the manual removal instructions for editing the registry from Symantec. Created an autorun.inf with read-only rights.
After that, disconnected the PC and restarted. (BTW, we already have the AV installer ready to install on the PC to prevent reinfection.)

“Your most unhappy customers are your greatest source of learning.”

Login to vote