Removal of the Sality virus

Last Friday we released an engine update which added removal routines for certain variants of the W32/Sality virus family. This would not be remarkable if W32/Sality were not a polymorphic file infector: it infects other executable files and tries to spread throughout the network, and it also lowers the firewall settings and disables the warnings of the Windows Security Center.

The malware description for W32/Sality is one of the most frequently accessed pages on our web server, and the VirusTotal statistics confirm that it is a real threat. We detect a large number of variants generically as W32/Sality.Y; because it is a generic detection, a multitude of samples falls under that name.

W32/Sality is not new. Over the past years, variants with different payloads such as keyloggers, backdoors, rootkit or downloader components have appeared again and again, so every now and then Sality becomes widespread once more.

Sality also spreads so well because of the increasing sophistication with which it hides itself in the infected files. It adds a new code section at the end of the PE file, or sometimes increases the size of the last section and injects its code there. It then modifies the code at the entry point, not the entry point field in the PE header itself, so the AddressOfEntryPoint field still points into the original code section while the patched instructions there transfer control to the injected code.

In addition, the injected code is heavily encrypted and padded with junk. Fake API calls are meant to fool emulators, and superfluous instruction blocks in the virus code hinder debugging. When the infected file is started, the virus decrypts its own code and restores the original program's code at the entry point. It then runs that original code in the main thread while it stays active in a newly created background thread.
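The two paragraphs above describe a structural symptom that can be checked without running the file: the entry point field is unchanged, but the bytes it points at have been replaced by a control transfer into a section that was appended to (or grown at) the end of the file. The following added example, written for this post and not taken from the author's engine or from the virus, parses a PE32 section table, resolves the entry point to a file offset, decodes a near `jmp`/`call rel32` there and reports which section the target lands in. The sample images are constructed in memory; it assumes a PE32 layout and decodes only the E8/E9 forms of control transfer, so it illustrates the check rather than detecting every infector variant.

```python
import struct

# Section characteristics flags from the PE specification.
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE   = 0x80000000


def parse_pe(img):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32 image."""
    e_lfanew, = struct.unpack_from("<I", img, 0x3C)
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections, = struct.unpack_from("<H", img, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", img, e_lfanew + 20)
    opt = e_lfanew + 24                                 # optional header
    entry_rva, = struct.unpack_from("<I", img, opt + 16)
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i                   # IMAGE_SECTION_HEADER
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", img, off + 8)
        chars, = struct.unpack_from("<I", img, off + 36)
        sections.append({"name": img[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
                         "rva": rva, "vsize": vsize, "raw_ptr": raw_ptr,
                         "raw_size": raw_size, "chars": chars})
    return entry_rva, sections


def section_index(sections, rva):
    """Index of the section whose address range contains rva, else None."""
    for i, s in enumerate(sections):
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["raw_size"]):
            return i
    return None


def entry_redirect(img):
    """If the first instruction at the entry point is a near jmp (E9) or
    call (E8) into a different section, describe the target; else None.
    The EP field itself is deliberately not used as evidence, since the
    infector described leaves it alone and patches the bytes it points at."""
    entry_rva, sections = parse_pe(img)
    ep_idx = section_index(sections, entry_rva)
    if ep_idx is None:
        return None
    s = sections[ep_idx]
    off = s["raw_ptr"] + (entry_rva - s["rva"])         # RVA -> file offset
    if img[off] not in (0xE8, 0xE9):
        return None
    rel, = struct.unpack_from("<i", img, off + 1)       # signed rel32
    target = (entry_rva + 5 + rel) & 0xFFFFFFFF
    t_idx = section_index(sections, target)
    if t_idx is None or t_idx == ep_idx:
        return None
    t = sections[t_idx]
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return {"target_rva": target, "target_section": t["name"],
            "is_last_section": t_idx == len(sections) - 1,
            "writable_and_executable": t["chars"] & rwx == rwx}


def build_pe(sections, entry_rva):
    """Construct a minimal PE32 image (DOS stub, headers, section table, raw
    data). Constructed for this example only; it is not a loadable program."""
    e_lfanew, opt_size, file_align = 0x40, 224, 0x200
    hdr = e_lfanew + 24 + opt_size + 40 * len(sections)
    raw_ptr = -(-hdr // file_align) * file_align        # round up to FileAlignment
    layout = []
    for name, rva, data, chars in sections:
        raw_size = -(-len(data) // file_align) * file_align
        layout.append((name, rva, data, chars, raw_ptr, raw_size))
        raw_ptr += raw_size
    img = bytearray(raw_ptr)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: i386, NumberOfSections, timestamp, symtab, nsyms, SizeOfOptionalHeader, flags
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)                        # PE32 magic
    struct.pack_into("<I", img, opt + 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<III", img, opt + 28, 0x400000, 0x1000, file_align)  # ImageBase, alignments
    for i, (name, rva, data, chars, rp, rs) in enumerate(layout):
        off = opt + opt_size + 40 * i
        img[off:off + 8] = name.encode().ljust(8, b"\0")
        struct.pack_into("<IIII", img, off + 8, len(data), rva, rs, rp)
        struct.pack_into("<I", img, off + 36, chars)
        img[rp:rp + len(data)] = data
    return bytes(img)


# Constructed samples (not real Sality code). CLEAN starts with an ordinary
# prologue; INFECTED has its first five entry-point bytes replaced by a jmp into
# an appended section that is both writable and executable, the EP field untouched.
TEXT_RVA, ADDED_RVA = 0x1000, 0x3000
PROLOGUE = b"\x55\x89\xe5\x83\xec\x10\x31\xc0\xc9\xc3"   # push ebp; mov ebp,esp; sub esp,16; xor eax,eax; leave; ret
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
CLEAN = build_pe([(".text", TEXT_RVA, PROLOGUE, CODE)], TEXT_RVA)
PATCHED = b"\xe9" + struct.pack("<i", ADDED_RVA - (TEXT_RVA + 5)) + PROLOGUE[5:]
INFECTED = build_pe([(".text", TEXT_RVA, PATCHED, CODE),
                     (".data", 0x2000, b"\0" * 8, IMAGE_SCN_MEM_WRITE),
                     (".xyz", ADDED_RVA, b"\x90" * 16 + b"\xc3", CODE | IMAGE_SCN_MEM_WRITE)],
                    TEXT_RVA)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, entry_redirect(image))
```

On a real file the same check is run by reading the binary from disk and passing the bytes to `entry_redirect`; a hit whose target is the last section and is writable as well as executable is worth a closer look, while a `None` result does not prove the file is clean, because an infector can also reach its code through other control transfers or through a grown last section that this example does not size-check.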

Since this malware is so widespread, we developed removal routines for many variants of W32/Sality.Y. As usual with file infectors, not every original binary can be restored properly: a digital signature, for example, no longer verifies once the infection has altered the file, and disinfection only makes it valid again if the restored file is byte-for-byte identical to the original.

Removing W32/Sality is not as easy as we would like it to be, though. It should be done with our Rescue CD, which also includes the updated engine, because on a running system it is not possible to terminate every process that holds the infected binaries open in order to get hold of the files and disinfect them. Cleaning an infected system with the Rescue CD is a good idea in any case, because the malware is not active when the computer is booted from the CD.

Additionally, we have some repair batch files that affected customers can get by emailing or calling our support. Run on an already cleaned machine, these batch files restore some essential registry keys that W32/Sality modified.

Dirk Knop
Technical Editor