2008
12.06

win32:sality Virus

I was playing with a few pieces of software when my Avast antivirus warned me of this "win32:sality virus". As usual I neglected it. This was a big mistake. Two hours later my antivirus declared VLC a virus, 4 hours later Notepad was declared a virus, and 24 hours later almost all .exe files were declared viruses. Many programs terminated abnormally.

I started searching the net for information on this virus, and found the following info about it:-
Characteristics
Type : Virus
Category : Win32
Also known as: W32.HLLP.Sality (Symantec)

Description
Win32/Sality is a polymorphic virus that infects Win32 PE executable files. It also contains trojan components. Win32/Sality has been known to be downloaded by variants of the Win32/Bagle family.
Method of Infection
When an infected file is executed the virus decrypts itself and drops a DLL file into the %System% directory. The DLL file is injected into other running processes. The virus then executes the host program code.
Some examples of the names used by the Sality DLL file as reported to CA from the wild include the following:
%System%\syslib32.dll
%System%\oledsp32.dll
%System%\olemdb32.dll
%System%\wcimgr32.dll
%System%\wmimgr32.dll

Note: ‘%System%’ is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.
Many variants of Sality also attempt to infect executable files referenced by values in the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This enables the virus to run at each Windows start.
Method of Distribution
Via File Infection
Sality searches local drives C:\ to Y:\ for Windows PE executable files to infect. Some variants do not infect files with a file size below 4K bytes or above 20M bytes. The virus replaces code at the entry point of the executable with its own code, and appends an encrypted copy of itself to the host file, which increases the size of the infected program. When the file is executed the virus extracts and runs the appended code, and then runs the host program code to hide its presence.
Via Network Shares
Sality enumerates shares on the network, and then searches located shares for Windows PE executable files in the same way as outlined above on local drives.
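The infection layout and the Run-key targets described in the preceding paragraphs can be checked mechanically. What follows is an added example written for this page, not code from CA or the blog author: it pulls the executable path out of each Run-key value, applies the 4K/20M size window, parses the PE headers, and flags an entry point whose first instruction is a jmp or call into a different section, and a last section that is both writable and executable. The jmp-stub at the entry point and the writable-plus-executable last section are assumptions about how an appending infector typically looks, not something the description above states, and packers produce the same picture, so a hit means "inspect", not "infected". The Run-key values and the PE images are constructed inline so the script runs offline.

```python
"""Triage for a Sality-style appending infector (added example, not CA's or
the blog author's code). Assumptions beyond the description: the replaced
entry-point code is modelled as a 5-byte jmp/call into the appended body,
and the appended body sits in a writable+executable last section."""
import re
import struct

MIN_SIZE = 4 * 1024            # variants skip files below 4K bytes ...
MAX_SIZE = 20 * 1024 * 1024    # ... or above 20M bytes

CODE, INIT_DATA = 0x00000020, 0x00000040                 # IMAGE_SCN_CNT_*
EXEC, READ, WRITE = 0x20000000, 0x40000000, 0x80000000   # IMAGE_SCN_MEM_*


def run_value_to_exe(cmd):
    """Executable path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.exe)\b', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(' ')[0]


def parse_pe(data):
    """(AddressOfEntryPoint, [(name, va, vsize, raw_ptr, raw_size, chars)])
    or None when the buffer is not a PE image."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return None
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        return None
    coff = e_lfanew + 4
    nsec, = struct.unpack_from('<H', data, coff + 2)
    opt_size, = struct.unpack_from('<H', data, coff + 16)
    opt = coff + 20
    entry, = struct.unpack_from('<I', data, opt + 16)
    secs = []
    for i in range(nsec):   # IMAGE_SECTION_HEADER is 40 bytes
        f = struct.unpack_from('<8sIIIIIIHHI', data, opt + opt_size + 40 * i)
        secs.append((f[0].rstrip(b'\0').decode('ascii', 'replace'),
                     f[2], f[1], f[4], f[3], f[9]))
    return entry, secs


def section_index(secs, rva):
    for i, (_, va, vsize, _, rsize, _) in enumerate(secs):
        if va <= rva < va + max(vsize, rsize):
            return i
    return None


def scan_pe(data):
    """Findings for one PE image; an empty list means nothing suspicious."""
    if not MIN_SIZE <= len(data) <= MAX_SIZE:
        return ['size outside the 4 KB to 20 MB window the variants infect']
    parsed = parse_pe(data)
    if parsed is None:
        return ['not a PE image']
    entry, secs = parsed
    ep = section_index(secs, entry)
    if ep is None:
        return ['entry point %#x maps to no section' % entry]
    findings = []
    if len(secs) > 1 and ep == len(secs) - 1:
        findings.append('entry point lies in the last section %r' % secs[ep][0])
    off = secs[ep][3] + (entry - secs[ep][1])       # file offset of the entry point
    stub = data[off:off + 5]
    if len(stub) == 5 and stub[0] in (0xE9, 0xE8):   # jmp rel32 / call rel32
        target = (entry + 5 + struct.unpack_from('<i', stub, 1)[0]) & 0xFFFFFFFF
        tgt = section_index(secs, target)
        if tgt != ep:
            where = secs[tgt][0] if tgt is not None else 'no section'
            findings.append('entry stub jumps out of %r to %#x (%s)'
                            % (secs[ep][0], target, where))
    if secs[-1][5] & EXEC and secs[-1][5] & WRITE:
        findings.append('last section %r is writable and executable' % secs[-1][0])
    return findings


def build_pe(sections, entry):
    """Minimal PE32 image (constructed test data): 0x400 bytes of headers,
    raw data 0x200-aligned. sections: [(name_bytes, va, raw, characteristics)]."""
    hdr = bytearray(0x400)
    hdr[:2] = b'MZ'
    hdr[0x80:0x84] = b'PE\0\0'
    struct.pack_into('<I', hdr, 0x3C, 0x80)                            # e_lfanew
    struct.pack_into('<HHIIIHH', hdr, 0x84, 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    struct.pack_into('<H', hdr, 0x98, 0x10B)                           # PE32 magic
    struct.pack_into('<I', hdr, 0x98 + 16, entry)                      # AddressOfEntryPoint
    struct.pack_into('<III', hdr, 0x98 + 28, 0x400000, 0x1000, 0x200)  # base, alignments
    body, raw_ptr = bytearray(), 0x400
    for i, (name, va, raw, chars) in enumerate(sections):
        raw_size = (len(raw) + 0x1FF) & ~0x1FF
        struct.pack_into('<8sIIIIIIHHI', hdr, 0x98 + 224 + 40 * i,
                         name, len(raw), va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += raw + b'\0' * (raw_size - len(raw))
        raw_ptr += raw_size
    return bytes(hdr + body)


def sample_pe(infected):
    """Constructed host: tiny .text plus .data. The infected variant gets a jmp
    patched over the entry point and an appended W+X section standing in for
    the encrypted body (hypothetical layout, see lead-in)."""
    text = bytearray(b'\x55\x8B\xEC\x33\xC0\x5D\xC3')   # push ebp ... ret
    text += b'\xCC' * (0x600 - len(text))
    secs = [(b'.data', 0x2000, b'\0' * 0x800, INIT_DATA | READ | WRITE)]
    if infected:
        text[:5] = b'\xE9' + struct.pack('<i', 0x3000 - (0x1000 + 5))  # jmp 0x3000
        blob = bytes((i * 73 + 17) & 0xFF for i in range(0x1000))      # "encrypted" body
        secs.append((b'.rsrc', 0x3000, blob, CODE | EXEC | READ | WRITE))
    return build_pe([(b'.text', 0x1000, bytes(text), CODE | EXEC | READ)] + secs, 0x1000)


# Constructed Run-key values and on-disk images; no real registry or disk involved.
SAMPLE_RUN_VALUES = {
    'Updater': r'"C:\Program Files\Vendor\updater.exe" /silent',
    'Editor': r'C:\Tools\notepad2.exe -startup',
}
SAMPLE_FILES = {
    r'C:\Program Files\Vendor\updater.exe': sample_pe(infected=True),
    r'C:\Tools\notepad2.exe': sample_pe(infected=False),
}


def triage_run_keys(run_values, read_file):
    """Map each Run-key target to its findings; read_file(path) -> bytes or None."""
    report = {}
    for cmd in run_values.values():
        path = run_value_to_exe(cmd)
        data = read_file(path)
        report[path] = scan_pe(data) if data is not None else ['file not found']
    return report


if __name__ == '__main__':
    for path, findings in triage_run_keys(SAMPLE_RUN_VALUES, SAMPLE_FILES.get).items():
        print(path, '->', findings or 'no findings')
```

On a real machine read_file would open and read the file and the values would come from the two Run keys listed above; on a box where most executables are already flagged the scan only means something when run from a clean boot medium, since the infected host will happily reinfect whatever you inspect.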
Payload
Steals System Information
Some Sality variants collect information about the infected system and e-mail this information to the domain mail.ru.
The information sent includes, but is not limited to, the following:
OS version
IP address
Computer name
Recent URLs visited
Passwords
ISP Dial up Connection details and Password
Downloads and Executes Arbitrary Files
Sality variants contact certain domains which provide instructions to download and execute files; some of the domains contacted are listed below:
hut2.ruinvis1blearm
3333.comegozdq.com
5558x7.com
wtcvxu.com
fdpgb3.com
bpfq02.com
u7zywp.com
zvco6m.com
qiredremer.biz
sbapodremer.biz
pgpwdremer.biz
gogcojdremer.biz
rus0396kuku.com
vrrnscdremer.biz
connect2me.org
The files downloaded may be used to give a remote unauthorized user extended control of the affected machine. Sality may also download variants of other malware such as Win32/Onecooked.
Sality also uses this method to download updated versions of itself.
Deletes files
Sality searches subdirectories on drives C:\ to Y:\ for files with the following extensions:
.vdb
.avc
Files located are deleted. This is presumably to disable or impair certain AV products.
Terminates Processes
Sality searches for and terminates any processes which match a list contained in its code; the following is an example of such a list:
AVXQUAR
ICSUPP
ICSSUPPNT
ESCANH
AVLTMAIN
VSMAIN
TRJSCAN
PROTECTX
PORTDETECTIVE
PINGSCAN
PERISCOPE
NPFMESSENGER
MCAGENT
LOCKDOWN
DRWTSN32
DRWATSON
CLEANER
BLACKICE
BIPCP
BIDSERVER
BIDEF
AVPROTECT
AVGSERV
ATGUARD
AVSYNMGR
AUTOTRACE
SAVSCAN
RTVSCAN
NUPGRADE
NPROTECT
MGUI
MCUPDATE
NMAIN
ANTI
NOD32
ZONEALARM
OUTPOST
DRWEB
KAV
AVP
NAV

When a process is terminated Sality displays an error message to indicate a fake error condition.
Logs Keystrokes
Some Sality variants log the affected user’s keystrokes to a file in the %System% directory. The file name is prefixed with “win” followed by random characters, for example:
%System%\WINFIGBO.BGO
The location of this file is e-mailed to the mail.ru domain.
Changes Firewall Settings
Some Sality trojan components modify the Windows Firewall settings to add themselves as authorized applications. It was under the name "ipsec" in my case. This effectively allows these components to bypass the firewall. In my case my firewall was repeatedly turned off by the virus.
HTTP Proxy
Some Sality variants run an HTTP proxy on port 80 of the affected machine. The trojan contacts the domain shared-admin.com, and receives instructions to connect to the domain connect2me.org, which then returns an IP address. All requests sent to the proxy running on the affected machine are forwarded to the previously returned IP address.
Displays Message
Some Sality variants check whether the date is the 10th of October and may display an alarmist message if the hour and the minute have the same value, for example 21:21. An example of the message:
“Hey, Lamer! Say “Bye-bye” to your data!”
After reading it I realised how big a trouble I had put myself into. I immediately tried my best to remove it:-
i) System Restore:- didn't work, soon it was also infected with the virus
ii) manually searched for possible DLLs:- nothing was found
iii) tried the Sality remover from AVG:- no use (still try it)
iv) tried safe mode:- it didn't boot in safe mode

Finally I had to format my system. So if you get any indication that any software is infected with this virus, do not install it. There is no way out once your system gets infected with it. So be careful.
Note:- This virus infects executables on every drive from C:\ to Y:\, not just the system drive, so formatting only the system partition leaves infected files on the others. If you finally decide to format your PC, first delete all the partitions and then recreate them during installation.
