Mal/Sality-Gen is a virus for the Windows platform, a member of the Sality family of viruses.
Besides infecting executables, Mal/Sality-Gen may spread by copying itself to removable devices and network shares. It typically drops a hidden autorun.inf file so that the copy runs automatically when the device is attached; this file is detected as Mal/AutoInf-A.
Mal/Sality-Gen includes the functionality to download additional files from a remote location.
When first run, Mal/Sality-Gen may infect executables in the root folder, files on network shares, and executables referenced from registry locations including the following:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
Mal/Sality-Gen may drop another executable file, detected as Mal/Behav-010.
Mal/Sality-Gen may install a kernel driver with a random name:
<System>\<random>.sys (detected as Troj/RkSal-A or Troj/RKSal-Gen)
Mal/Sality-Gen may set registry entries under:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\<service name>
where <service name> can be, for example, LEGACY_WMI_MFC_TPSHOKER_80.
Mal/Sality-Gen may delete registry entries under:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\
Mal/Sality-Gen may defeat some system integrity checkers by patching any executable named "filemon.exe" so that it exits immediately.
Mal/Sality-Gen may disable certain system tools such as the Windows Task Manager and the Microsoft Registry Editor (regedit).
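The following triage script is an added example, not Sophos tooling and not part of the original description. It checks a Windows host for the artifacts listed above (the registry-referenced executables, the random .sys in the System directory, the LEGACY_* entry under Enum\Root, the SafeBoot lists, the disabled Task Manager and regedit, and autorun.inf on removable drives) and prints leads for an analyst, including SHA256 hashes of suspect executables for submission. The SafeBoot threshold of 20 and the use of the Explorer policy values DisableTaskMgr and DisableRegistryTools as the lockout mechanism are assumptions; the page does not say how the virus disables those tools.

```powershell
# Added triage script, not Sophos tooling and not from the original description:
# it checks a Windows host for the artifacts listed above and prints leads for an
# analyst. Run it from an elevated PowerShell prompt (5.1 or later). The threshold
# in section 4 and the policy-value check in section 5 are assumptions.

$ErrorActionPreference = 'SilentlyContinue'   # access-denied keys are skipped, not fatal
$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding($Kind, $Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Executables reachable through the registry locations the virus uses to pick
#    infection targets. Run values are command lines; MUICache value *names* are paths.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache'
)
$targets = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = (Get-ItemProperty -Path $key).PSObject.Properties |
             Where-Object { $_.Name -notlike 'PS*' }          # drop provider metadata
    foreach ($p in $props) {
        $text = if ($key -like '*MUICache*') { $p.Name } else { [string]$p.Value }
        if ($text -match '^\s*"?([A-Za-z]:\\[^"]+?\.exe)') { $Matches[1] }
    }
}
foreach ($exe in ($targets | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $exe)) { continue }
    $sig  = Get-AuthenticodeSignature -FilePath $exe
    $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    # HashMismatch means the file was changed after it was signed, which is exactly
    # what a file infector does to a signed host. Keep the hash for submission.
    if ($sig.Status -eq 'HashMismatch') {
        Add-Finding 'ModifiedSignedExe' "$exe sha256=$hash"
    } elseif ($sig.Status -ne 'Valid') {
        Add-Finding 'UnsignedRunTarget' "$exe status=$($sig.Status) sha256=$hash"
    }
}

# 2. Kernel driver dropped directly into the System directory (<System>\<random>.sys).
#    Legitimate drivers mostly live in System32\drivers. Windows' own files are often
#    catalog-signed, so NotSigned on a Microsoft file is a lead to verify, not a verdict.
Get-ChildItem -LiteralPath "$env:SystemRoot\System32" -Filter *.sys -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -ne 'Valid') {
        Add-Finding 'SysInSystem32' "$($_.FullName) status=$($sig.Status) written=$($_.LastWriteTime)"
    }
}

# 3. Legacy device entries for the rootkit service (e.g. LEGACY_WMI_MFC_TPSHOKER_80).
#    Enum\Root is readable only as SYSTEM by default; if this section reports nothing
#    on an infected host, rerun the script as SYSTEM (for example via psexec -s).
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root' |
    Where-Object { $_.PSChildName -like 'LEGACY_*' } | ForEach-Object {
        $svc = $_.PSChildName -replace '^LEGACY_', ''
        # An entry whose service key is missing is either an uninstall leftover or a
        # service hiding its own Services key; both deserve a look.
        if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc")) {
            Add-Finding 'OrphanLegacyEnum' $_.PSChildName
        }
    }

# 4. Safe-boot lists. The virus deletes entries under SafeBoot; a healthy system has
#    dozens under both Minimal and Network. The threshold of 20 is an assumption.
foreach ($mode in 'Minimal', 'Network') {
    $count = (Get-ChildItem -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode" |
              Measure-Object).Count
    if ($count -lt 20) { Add-Finding 'SafeBootEmptied' "$mode has $count entries" }
}

# 5. Task Manager and regedit lockout. The description does not say how the virus
#    disables them; the Explorer policy values below are the usual mechanism and are
#    checked here as an assumption.
foreach ($hive in 'HKCU', 'HKLM') {
    $pol = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        if ($pol.$name -eq 1) { Add-Finding 'ToolDisabled' "$hive $name=1" }
    }
}

# 6. Hidden autorun.inf on removable drives (DriveType 2), the spreading vector above.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $attr = (Get-Item -LiteralPath $inf -Force).Attributes
        Add-Finding 'AutorunInf' "$inf attributes=$attr"
    }
}

$findings | Format-Table -AutoSize
```

Every row the script prints is a lead, not a verdict: orphaned LEGACY_* keys and unsigned drivers also occur on clean machines, so confirm each one against the file's hash and signature before treating the host as infected. Because the virus may have disabled regedit and Task Manager, run the script from PowerShell rather than relying on those tools to inspect the same keys.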
The viral code of Mal/Sality-Gen contains bugs, and some of the files it infects are corrupted. Some of these may be disinfectable if the host code can be recovered safely; others are corrupt beyond repair. The virus may also save a corrupt copy of the host, so that even a successful disinfection leaves behind a corrupt host. The same applies to files that carried appended data, since the virus overwrites that data during infection.
It is important to send files detected as Mal/Sality-Gen to Sophos so that they can be analysed, and disinfection produced for them if appropriate.