W32.Sality


Risk Level 2: Low

June 4, 2003
August 12, 2013 11:28:31 AM
Also Known As:
W32/Kookoo-A [Sophos]
Systems Affected:
W32.Sality is an entry-point obscuring (EPO) polymorphic file infector. It will infect executable files on local, removable and remote shared drives. The virus also creates a peer-to-peer (P2P) botnet and receives URLs of additional files to download. It then attempts to disable security software.

W32.Sality will infect executable files on local, removable and remote shared drives. It replaces the original host code at the entry point of the executable to redirect execution to the polymorphic viral code, which has been encrypted and inserted in the last section of the host file.

In addition to infecting local and remotely shared executable files, W32.Sality will purposely search for specific registry subkeys to infect the executable files that run when Windows starts.

The W32.Sality family of threats has been around for some time: the first versions surfaced in 2003, and the family may have originated in Russia. At that time, W32.Sality was a less complicated file infector that prepended its viral code to a host file and had back door capability and keylogging functionality.

Over the years the core functionality has remained the same, but the threat has become more sophisticated by including additional features that aid worm-like propagation, ensure its survival, and perform maliciously damaging activities. Among these is the decentralized peer-to-peer (P2P) network that W32.Sality-infected computers create and populate.

As an entry-point obscuring (EPO) polymorphic file infector, the virus gains control of the host body by overwriting the file with complex and encrypted code instructions. The complex code is intended to make analysis harder, so that researchers have more difficulty seeing the real purpose and functionality implemented in the code.

It spreads by infecting executable files on local, removable and remote shared drives. Infected files will have their original, initial instructions overwritten by complex code instructions with the encrypted viral code body located in the last section of the file.
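The file layout described above (entry point address left in the host's code, encrypted body in the last section) suggests a simple triage check, shown here as an added example that is not Symantec's detection logic: parse the PE headers, measure the entropy of the last section, and note that the entry point does not fall inside it. The 7.0 threshold, the function names and both sample images are assumptions constructed for the demonstration.

```python
import hashlib, math, struct
from collections import Counter

THRESHOLD = 7.0  # assumed triage cut-off (bits per byte); not a value from the writeup

def entropy(data: bytes) -> float:  # Shannon entropy in bits per byte
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def last_section_report(pe: bytes) -> dict:
    """Parse the PE headers and measure the last entry of the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)             # e_lfanew
    (nsec,) = struct.unpack_from("<H", pe, nt + 6)         # NumberOfSections
    if pe[nt:nt + 4] != b"PE\0\0" or nsec == 0:
        raise ValueError("missing PE signature or empty section table")
    (opt,) = struct.unpack_from("<H", pe, nt + 20)         # SizeOfOptionalHeader
    (entry,) = struct.unpack_from("<I", pe, nt + 40)       # AddressOfEntryPoint
    off = nt + 24 + opt + 40 * (nsec - 1)                  # last section header
    name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
    vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", pe, off + 8)
    h = entropy(pe[rptr:rptr + rsize])
    # EPO keeps the entry point in the host's code, so entry_in_last stays False.
    return {"section": name, "entropy": round(h, 2),
            "entry_in_last": vaddr <= entry < vaddr + max(vsize, rsize),
            "high_entropy": h >= THRESHOLD}

def build_sample_pe(last_body: bytes) -> bytes:
    """Constructed two-section image for the demo; not a real or runnable binary."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x84, 0x14C, 2)           # Machine, NumberOfSections
    struct.pack_into("<H", hdr, 0x94, 0xE0)                # SizeOfOptionalHeader
    struct.pack_into("<I", hdr, 0xA8, 0x1000)              # entry point inside .text
    text = b"\x90" * 0x200
    for i, (nm, va, body, ptr) in enumerate([(b".text", 0x1000, text, 0x200),
                                             (b".rsrc", 0x2000, last_body, 0x400)]):
        struct.pack_into("<8s6I2HI", hdr, 0x178 + 40 * i, nm, len(body), va,
                         len(body), ptr, 0, 0, 0, 0, 0)
    return bytes(hdr) + text + last_body

PLAIN = build_sample_pe(b"constructed resource strings " * 64)
RANDOM_TAIL = build_sample_pe(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)))

if __name__ == "__main__":
    print(last_section_report(PLAIN), last_section_report(RANDOM_TAIL), sep="\n")
```

A high-entropy last section is only a reason to look closer: packed installers and compressed resources produce the same reading, so the result should be combined with antivirus signatures rather than treated as a verdict.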

The threat participates in a P2P botnet and receives URLs of additional files to download. Downloading and executing other malware or security risks is one of the primary goals of this virus. A compromised host carries with it a list of HTTP URLs that point to resources to be downloaded, decrypted, and executed. These URLs can also point to more URLs. The encryption used is RC4 with static keys embedded in the compromised host.

The threat also attempts to disable security software and modify security configurations. It alters the safe mode functionality to ensure it remains on the compromised computer. To help hide its presence and ensure continuity of execution, it will inject itself into all running processes except processes that belong to the system, the local service or the network service.

Symantec has observed the following geographic distribution of this threat.

Symantec has observed the following infection levels of this threat worldwide.

The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)

Browser protection
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.

Intrusion Prevention System

Antivirus Protection Dates

  • Initial Rapid Release version April 6, 2003
  • Latest Rapid Release version November 21, 2013 revision 055
  • Initial Daily Certified version April 6, 2003
  • Latest Daily Certified version November 22, 2013 revision 001
  • Initial Weekly Certified release date April 9, 2003
Writeup By: Angela Thigpen and Eric Chien
