Friday, May 6, 2011

Win32.Sality

Description: Win32.Sality

Win32/Sality is a virus (file infector) that infects files with the extensions .SCR, .COM or .EXE.
The virus may execute a damaging payload that deletes files with certain extensions. Win32/Sality is a polymorphic virus that infects Win32 executable files. It has been known to have been derived from the Win32/Bagle family. An infected application grows a little in size, by around 60 KB to 90 KB.

Sality uses the default share folders to spread through the local area network; Sality also uses autorun.inf for spreading.

Type: virus

Category: Win32

Alternate names:


# W32/Sality.n (McAfee)
# W32.HLLP.Sality.O (Symantec)
# PE_SALITY.AE (Trend Micro)
# W32.HLLP.Sality (Symantec)
# Win32/PE_ROSEC.A (Trend)
# Win32/Sality.A
# Win32/Sality.A (Eset)
# W32/Sality.A (F-Secure)
# Win32/Sality.A (InoculateIT)
# W32/Sality.a (McAfee)
# Win32/Sality.A!DLL (InoculateIT)
# W32/Sality.dll (McAfee)
# W32/Sality-A (Sophos)
# W32/Virus.Win32.Sality.a (Kaspersky)
# Virus.Win32.Sality.l (Kaspersky)
# P2P-Worm.Win32.VB.dz (Kaspersky)
# W32/Sality-AI (Sophos)
# Worm.P2P.VB.Bacteria.B (BitDefender)

Win32.Sality frequently asked questions



Am I infected with Sality?

If you notice sudden hard disk activity and heavy hard disk usage, Sality eating up all the hard disk space, randomly named files of around 60 KB-90 KB appearing in folders, antivirus programs showing pop-up messages about many files infected with Sality but being unable to do anything about it, or the computer failing to boot into Safe Mode, then there is a fair chance that your computer is infected with W32/Sality.


How to get into Safe Mode on a W32/Sality infected computer?

Safe Mode can be reached on a W32/Sality infected computer using a tool called SafeMODEREPAIR. The same SafeMODEREPAIR tool can also be used to boot into Safe Mode when infected with other viruses.

SafeMODEREPAIR can be downloaded from links XXXXX

Using SafeMODEREPAIR

Run whichever of the three files, Restore2000, Restore2003 or RestoreXP, matches your operating system, then click Yes when you get an alert message from the Registry Editor.

SafeMODEREPAIR screenshot

How to remove W32/Sality? (Removal methods)

Method 1 [to be used under extreme conditions]

# Create an avast BART CD, which is a bootable CD version of avast that loads directly from the CD before the operating system starts. Link: http://www.avast.com/bart-cd

# Download the latest virus definitions from the avast website directly to the CD or to a flash/pen drive.

# Boot from the bootable avast CD, point the antivirus software to the updates file and start a FULL SYSTEM scan.

# This should remove all W32/Sality infections and also any other viruses lying dormant on your computer.


Method 2

# Disconnect the computer from the network.

# Turn off “System Restore”.

# Turn off “Autorun” and “Default Share”: download this file, right-click on it and choose Install.

# Kill any suspicious active process running in the background and check your startup entries; you can use HijackThis for this.

# Scan with Norman Malware Cleaner. Please note that because this virus infects files with the extensions .exe, .com and .scr, you have to rename Norman_Malware_Cleaner.exe with a new extension, for example Norman_Malware_Cleaner.cmd.

Saturday, January 12, 2008

So, what does Funny UST Scandal really look like?


Funny UST Scandal icon


Here is the icon of the Funny UST Scandal.avi.exe worm. The double extension .avi.exe is used to make the executable file look like an AVI movie. On a Windows system with all default settings only "Funny UST Scandal.avi" is visible, because the .exe extension is hidden.

How to automatically remove Funny UST Scandal.avi.exe [cleaner, free tool]

Funny UST Scandal automatic removal tool (screenshot)

The tool first checks whether the system is infected with the Funny UST Scandal worm and removes it only if it is; otherwise it shows a message saying "No funny virus running".

Filename: Remover.exe

Screenshot 1

Screenshot 2





How to manually remove Funny UST Scandal.avi.exe (worm)


Software used to build the virus: AutoIt v3

Dropped files:
killer.exe (4084 KB) in c:\windows\
lsass.exe (3920 KB) in c:\documents and settings\all users\start menu\programs\startup
smss.exe (4088 KB) in all root drives and in c:\windows
autorun.inf (1 KB) in all root drives, containing this script:

[autorun]
open=smss.exe
shell\Open\Command=smss.exe
shell\open\Default=1
shell\Explore\Command=smss.exe
shell\Autoplay\command=smss.exe

Funny UST Scandal.avi.exe (228 KB) in all root drives

Registry entries:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell = killer.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run, runonce = c:\windows\smss.exe
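The autorun.inf script and the two registry values above are the worm's whole launch and persistence mechanism, and the Sality post above relies on the same autorun.inf trick for spreading. The following Python script is an added example, not the blog's Remover.exe or any vendor tool: it parses an autorun.inf, flags any key that launches a program when the drive is opened or explored (whatever file name the malware chose), and checks a Winlogon Shell value and a set of Run values against the pattern shown here (a system-process name such as smss.exe or lsass.exe started from outside System32). The sample inputs are constructed from the values quoted in the post; the list of borrowed process names is an assumption chosen for this example, not something the post states.

```python
"""Offline triage of the indicators listed above (autorun.inf launch entries
and registry persistence). Added example, not the blog's removal tool; the
sample inputs at the bottom are constructed from the values quoted in the post."""
from typing import Dict, List

# Process names the worm borrows (assumed list for this example). The genuine
# copies live only under %SystemRoot%\System32, never in a drive root or
# directly in C:\Windows.
SYSTEM_PROCESS_NAMES = {"smss.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs")


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return key -> value for the [autorun] section, with keys lower-cased."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def _basename(command: str) -> str:
    """First token of a command line: unquoted, lower-cased, directory stripped."""
    parts = command.strip().split()
    if not parts:
        return ""
    return parts[0].strip('"').lower().replace("/", "\\").rsplit("\\", 1)[-1]


def autorun_findings(text: str) -> List[str]:
    """Flag entries that run a program when the drive is opened or explored.

    The worm hooks open=, shell\\open\\command=, shell\\explore\\command= and
    shell\\autoplay\\command=; any such key pointing at an executable is a
    strong indicator regardless of the file name used. Keys like
    shell\\open\\Default=1 only select the default verb and are ignored.
    """
    findings = []
    for key, value in parse_autorun_inf(text).items():
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        name = _basename(value)
        if name in SYSTEM_PROCESS_NAMES:
            findings.append(f"{key}={value}: launches a file named like a Windows system process")
        elif name.endswith(EXECUTABLE_EXTENSIONS):
            findings.append(f"{key}={value}: launches an executable from the drive")
    return findings


def persistence_findings(winlogon_shell: str, run_entries: Dict[str, str]) -> List[str]:
    """Check the two registry values the worm modifies.

    Winlogon\\Shell is explorer.exe on a stock system; a Run value that starts a
    system-process name from outside System32 is the worm's launcher.
    """
    findings = []
    if winlogon_shell.strip().strip('"').lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is '{winlogon_shell}' (expected explorer.exe)")
    for name, command in run_entries.items():
        path = command.strip().strip('"').lower().replace("/", "\\")
        if _basename(command) in SYSTEM_PROCESS_NAMES and "\\system32\\" not in path:
            findings.append(f"Run value '{name}' starts {command}: system-process name outside System32")
    return findings


# Constructed sample input reproducing the autorun.inf and registry values quoted in the post.
SAMPLE_AUTORUN_INF = """[autorun]
open=smss.exe
shell\\Open\\Command=smss.exe
shell\\open\\Default=1
shell\\Explore\\Command=smss.exe
shell\\Autoplay\\command=smss.exe
"""
SAMPLE_WINLOGON_SHELL = "killer.exe"
SAMPLE_RUN_ENTRIES = {"runonce": r"c:\windows\smss.exe"}

if __name__ == "__main__":
    for finding in autorun_findings(SAMPLE_AUTORUN_INF) + persistence_findings(
            SAMPLE_WINLOGON_SHELL, SAMPLE_RUN_ENTRIES):
        print("SUSPICIOUS:", finding)
```

On the sample input the script reports the four launch keys of the autorun.inf plus both registry values. A benign autorun.inf that only sets icon= and label= produces no findings, which is the distinction worth automating when checking removable drives on a lot of machines: the launch keys are what make autorun.inf a spreading mechanism, for this worm and for Sality alike.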


How to remove this virus?


First download Taskiller from here and install it on your computer, because you can't use Task Manager to terminate the virus (the virus automatically closes Task Manager).

Run Taskiller and left-click its icon in the system tray (the one with the skull icon).
Click Processes to close the virus: select the process and click Yes to the question.

(processes to close)


killer.exe
lsass.exe
smss.exe
Note: close only the files that have the same icon as Funny UST Scandal.avi.exe.

CMD STEPS


1. Now click “Start” then “Run”
2. Type “cmd” without quotes
3. Type “cd\” without quotes
4. Type “attrib -h -s smss.exe” without quotes
5. Type “attrib -h -s autorun.inf” without quotes
6. Type “start c:” without quotes (a new window will open)
7. Select smss.exe, autorun.inf and Funny UST Scandal.avi.exe and delete them

If there is any other drive or partition, type “d:” in the command prompt without quotes, where “d” is the drive letter, then repeat CMD STEPS 4-7 above.

- Now type “cd windows” (without quotes) on the command prompt.
- Type “attrib -h -s smss.exe” (without quotes).
- Type “start c:\windows” (without quotes).
- Delete the file smss.exe.
- Now go to c:\documents and settings\all users\start menu\programs\startup.
- Delete lsass.exe.

Click “Start” then “Run”, type “regedit” without quotes, then delete the registry entries listed above.