Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | December 2008 (4.36) |
| Protection available since | 15 January 2008 07:26:45 (GMT) |
| Last updated | 30 October 2008 18:24:28 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for disinfecting PE executables.
More Information
W32/Sality-AM is a virus for the Windows platform.
The virus includes the functionality to download additional files from a remote location.
When first run, the virus may infect executables in the root folder, files on network shares, and files it may find based on the following registry locations:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
W32/Sality-AM may install the following file:
`<System>\<random>.sys`
This file is detected as Troj/RkSal-A.
W32/Sality-AM may set registry entries under:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80
W32/Sality-AM may delete registry entries under:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\
W32/Sality-AM disables some system integrity checkers by modifying executables named "filemon.exe" so that they exit immediately.
Due to errors in the viral infection code, some files may be corrupted by W32/Sality-AM so that they no longer run. Some, but not all, of these files can still be disinfected; however, W32/Sality-AM always overwrites the data it appends to files during infection, so that data can never be recovered.
It is advisable to enable scanning for suspicious files and submit any files detected as Sus/Sality-A to Sophos.
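For an analyst triaging a host, the following PowerShell check is an added example (not Sophos code) that looks for the registry and file artifacts this analysis attributes to W32/Sality-AM. It assumes an elevated prompt and that a stock Windows install has the `Minimal` and `Network` subkeys under `SafeBoot`; every hit is a lead to investigate, not confirmation of infection.

```powershell
# Added triage example (not Sophos code): looks for the registry and file
# artifacts this analysis attributes to W32/Sality-AM. Run elevated; every
# hit is a lead for an analyst, not confirmation of infection.
function Test-SalityAMArtifacts {
    $findings = @()

    # Key the analysis says the virus may create (tied to the Troj/RkSal-A driver).
    $rootkitKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80'
    if (Test-Path $rootkitKey) { $findings += "Present: $rootkitKey" }

    # Safe Mode configuration the virus may delete. A stock Windows install has
    # Minimal and Network subkeys here; if they are gone, Safe Mode will not boot.
    $safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    foreach ($sub in 'Minimal', 'Network') {
        if (-not (Test-Path "$safeBoot\$sub")) { $findings += "Missing: $safeBoot\$sub" }
    }

    # The dropped driver is <System>\<random>.sys. Flag recently written .sys
    # files in the system folder that do not carry a valid Authenticode signature.
    $systemDir = [Environment]::SystemDirectory
    $recent = Get-ChildItem -Path $systemDir -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }
    foreach ($file in $recent) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        if ($sig.Status -ne 'Valid') {
            $findings += "Review: $($file.FullName) (signature status: $($sig.Status))"
        }
    }

    # Run keys the analysis lists as sources of infection targets: enumerate the
    # binaries they launch so each one can be scanned for infection.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($run in $runKeys) {
        if (-not (Test-Path $run)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $run).PSObject.Properties) {
            # Skip the PS* metadata properties Get-ItemProperty adds to the object.
            if ($prop.Name -notmatch '^PS') { $findings += "Run entry: $($prop.Name) = $($prop.Value)" }
        }
    }
    return $findings
}

Test-SalityAMArtifacts
```

Any binary listed under the Run keys, and any flagged `.sys` file, should be scanned with an up-to-date product before the host is trusted again.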
