November 10, 2008

W32/Sality Virus: Description and How to Remove It

Sality is a virus that has backdoor capabilities and executes keylogger and may infect executable files by putting its code to host files. Once it is installed, Sality virus will infect local executable files and delete all files that are associated with anti-virus and anti-spyware applications, as well as firewalls. After this, Sality runs a keylogging module that gathers all system and network information, records passwords and login names, steals all sensitive information and sends all this collected data to a predefined email address.

In addition, Sality opens a backdoor that allows the remote attacker to get the full control over the infected computer and this places any financial or banking information stored on your computer in severe jeopardy and represents a serious security risk.

Also known as: W32/Sality (McAfee), Virus.Win32.Sality.aa (Kaspersky), W32.Sality.AE (Symantec), Virus:Win32/Sality.AM (MS OneCare), PE_SALITY.EM (Trend)

W32/Sality is a parasitic virus that infects Win32 PE executable files. It is a polymorphic virus that attempts to spread by file infection. It looks for Win32 PE executable files with .EXE or .SCR file extensions, and infects any such files found on the system by appending the virus body to the host file.

The virus also attempts to propagate by copying itself with a random filename to network drives, including all removable disk drives. Sality.AA also creates an "autorun.inf" file in these drives so that the virus executes when it is accessed.

Upon execution, it drops the following files into the Windows system directory:

  • %Windir%\System32\Hdaudprop.dll
  • %Windir%\System32\Hdaudpropres.dll
  • %Windir%\System32\Hdaudpropshortcut.exe
  • %Windir%\System32\drivers\Hdaudbus.sys
  • %Windir%\System32\drivers\Hdaudio.sys
  • %Windir%\System32\drivers\portcls.sys
Creates the following registry keys:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WMI_MFC_TPSHOCKER_80
  • HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\IPFILTERDRIVER
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline

and it downloads further malware from the following domains:

  • bpowqbvcfds677.info
  • aapowqbvcfds677.info
  • abpowqbvcfds677.info
  • d98dc9.bpowqbvcfds677.info
  • bmakemegood24.com
  • d99395.bmakemegood24.com
  • bbeakemegood24.com
  • bperfectchoice1.com
  • d998b6.bperfectchoice1.com
  • cbparfectchoice1.com
  • cbpbrfectchoice1.com
  • bcash-ddt.net
  • d9aab7.bcash-ddt.net
  • pzrk.ru
  • dbcabh-ddt.net
  • bddr-cash.net
  • ebddrbcash.net

It also modifies the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Setting\"GlobalUserOffline" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"

and this virus also deletes entries in the following registry subkeys:

  • HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Sality.AA bypasses the system firewall by executing the command:
netsh firewall set opmode disable

It may also disable settings related to system security. It does this by adding the following registry entries:

  • HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = dword:00000001
  • HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = dword:00000001
  • HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = dword:00000001
  • HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride = dword:00000001
  • HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = dword:00000001
  • HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify = dword:00000001
  • HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = dword:00000001
  • HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify = dword:00000001
  • HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = dword:00000001
  • HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = dword:00000001
  • HKLM\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify = dword:00000001
  • HKLM\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify = dword:00000001

The virus sets the following registry entry so that hidden folders and files are not displayed in Windows Explorer view:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = 2

It also disables Registry Editor and Task Manager by adding these registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr = dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = dword:00000001

Sality.AA terminates all anti virus routine services running on the system, and prevent access to Websites that contain its names, like sality_remove, viruscan, sophos, mcafee, eset.com, kaspersky, onlinescan, and more...

The device driver is not dropped and installed onto the system unless there is an active internet connection.

The virus may prevent execution of applications that perform an integrity self-check as a result of them being infected.

So my dear friend the easiest way to tackle this virus is to Remove above mention Virus Entry Doors from registry and Delete those .DLL files from system.

Sality Manual Removal Instructions

Below is a list of Sality manual removal instructions and Sality components listed to help you remove Sality from your PC. Backup Reminder: Always be sure to back up your PC before making any changes.

Note: This manual removal process may be difficult and you run the risk of destroying your computer.

Step 1 : Use Windows File Search Tool to Find Sality Path

  • Go to Start > Search > All Files or Folders.
  • In the "All or part of the the file name" section, type in "Sality" file name(s).
  • To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click "Search" button.
  • When Windows finishes your search, hover over the "In Folder" of "Sality", highlight the file and copy/paste the path into the address bar. Save the file's path on your clipboard because you'll need the file path to delete Sality in the following manual removal steps.

Step 2 : Use Windows Command Prompt to Unregister Sality DLL Files

  • To open the Windows Command Prompt, go to Start > Run > type cmd and then click the "OK" button.
  • Type "cd" in order to change the current directory, press the "space" button, enter the full path to where you believe the Sality DLL file is located and press the "Enter" button on your keyboard. If you don't know where Sality DLL file is located, use the "dir" command to display the directory's contents.
  • To unregister "Sality" DLL file, type in the exact directory path + "regsvr32 /u" + [DLL_NAME] (for example, :C\Spyware-folder\> regsvr32 /u Sality.dll) and press the "Enter" button. A message will pop up that says you successfully unregistered the file.
  • Search and unregister "Sality" DLL files: syslib32.dll, sysdll.dll, oledsp32.dll

Step 3 : Detect and Delete Other Sality Files

  • To open the Windows Command Prompt, go to Start > Run > type cmd and then press the "OK" button.
  • Type in "dir /A name_of_the_folder" (for example, C:\Spyware-folder), which will display the folder's content even the hidden files.
  • To change directory, type in "cd name_of_the_folder".
  • Once you have the file you're looking for type in "del name_of_the_file".
  • To delete a file in folder, type in "del name_of_the_file".
  • To delete the entire folder, type in "rmdir /S name_of_the_folder".
  • Select the "Sality" process and click on the "End Process" button to kill it.
  • Remove the "Sality" processes files: syslib32.dll, sysdll.dll, oledsp32.dll, oledsp32.dll, sysdll.dll, syslib32.dll

Other simple way, you can use Sality Removal Tool from Grisoft by downloading at Here.

5 comments:

Anonymous said...

what if I dont see any of these dll files?? Then what??

Anonymous said...

All the .dll files you mention is worthless as they are randomly assigned. You can research on other sites to see that they too have lists with .dll names but you won't be able to find them in any case. Also in order to kill the process you need to know which one, and windoes taskmanager can't show them. This set of instructions here might be useful for only a variant of sality, but does nothing for the rest. We need to find a common denominator so we can try to manurally remove it. Infected files are fine since many programs can clean them. Also would like to add that quite few of them can't even trace the virus. This one is a tough bitch to kill.

Cornel M said...

all files change their names. nothig is good like a tool! trying manually what you say it's impossible and I say that after many-many tryies. so, conclusion is: download a tool which do this in your place!

Virus removal said...

Download the Removal tool for Sality virus here

Sality Virus Removal tool

M. Faramawy said...

thanks lot for your article but I think removing win32/sality virus manually is worthless and difficult.
I used your removal tool after installing afresh copy of Windows and before installing any software.