Sality
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Ranking: | 3,692 |
| Threat Level: | 70 % (High) |
| Infected Computers: | 19,158 |
| First Seen: | July 24, 2009 |
| Last Seen: | September 17, 2023 |
| OS(es) Affected: | Windows |
Sality is a sophisticated, complex and extremely dangerous computer virus. If you have any hint that your PC got infected with Sality, you should act with caution and deal with Sality as quickly as humanly possible. Sality can be harmful to your computer and to you in a startling variety of ways, because Sality includes features or components of every major kind of malware and regularly changes itself, continuously becoming more malicious and harder to detect than it was before.
Table of Contents
Sality’s History
The Sality virus first appeared in Russia in 2003. Since then, Sality has continued to be a threat, and Sality has spread throughout the world, historically with an especially strong presence in Brazil. Sality was one of the most prevalent viruses of 2010, and there was a major increase in the number of infections at the end of the year, when a new mutation of the virus appeared. Some researchers have stated that Sality is currently one of the five most common threats detected on computers.
Strictly speaking, Sality began as a backdoor as a way of bypassing ordinary computer security measures. Although Sality still has this feature and the infection still begins with a backdoor, Sality has grown and evolved over the years to include in its functioning practically every known variety of malware. That is not an exaggeration – in addition to the backdoor, Sality's features include viruses, keyloggers, rootkits, worms, Trojans, downloaders, botnets, adware and zero-hour Windows exploits. Sality has the common features of a classic virus, as well as some very modern and very dangerous capabilities.
How Sality Works
At present, a Sality infection might begin with the use of an infected thumb drive which will infect your computer beginning with a worm or Sality can infect your computer beginning with a Trojan, after you click on an infected spam email or download an infected file. One way or another, once Sality is present, Sality opens a backdoor;, and can download other malware; or communicate secretly with a botnet controller or whoever propagated the virus in the first place.
Then Sality sets itself up to do its damage. Sality takes a look at what is on your system, infects local .exe and .scr files, disables or deletes security software and firewalls and writes malicious files. Sality can even alter your computer to prevent Windows from being able to start in Safe Mode. It can then install a keylogger to capture keystrokes and steal user names and passwords, credit card numbers or other sensitive information. Sality can also create a worm that will infect all removable media, especially USB thumb drives, and cause the virus to install itself automatically on whichever computer you connect the USB drive to next.
New Developments of Sality
Recently, Sality has been used to create 'zombie computers' and to add infected computers to botnets. In other words, Sality is being used in order to give hackers remote access to infected systems, and to use those systems to spread spam, create fraudulent web clicks or launch Denial Of Service attacks against targeted websites – all without the knowledge of the owners of the infected computers. A recent estimate of the size of the Sality botnet puts the number of computers connected through Sality at 100,000.
Beginning in the summer of 2010, there were reports that Sality was infecting computers through a Trojan that takes advantage of what was a so-called 'zero-hour' vulnerability in Windows, by exploiting the way Windows handled shortcuts. In this way, Sality is similar to the virus Stuxnet. Basically, the Trojan infects the computer and creates a .dll file and a .lnk file somewhere, and as soon as you navigate to the directory where the .lnk file is stored, the .dll is activated and Sality jumps to action. Since the vulnerability was discovered, Microsoft has issued Windows updates to repair the vulnerability. Nonetheless, recently, this vulnerability has been a major cause of the increase in infection rates of Sality, because many people simply do not update Windows frequently enough or at all.
Sality continues to be a significant threat largely due to its polymorphic nature. It can alter its own code by encrypting itself differently for each different file or computer Sality infects, which is meant to make Sality difficult to be detected through scans. In any case, experts believe that the creators of Sality have the ultimate goal of using Sality to gather up and incorporate as much damaging and detrimental code as possible. Therefore, continued vigilance against Sality will likely be a necessity in the foreseeable future.
Aliases
15 security vendors flagged this file as malicious.
| Anti-Virus Software | Detection |
|---|---|
| TrendMicro | TROJ_SALITY.AM |
| Symantec | W32.Sality.AB |
| Sophos | W32/Sality-AM |
| Prevx1 | Cloaked Malware |
| Panda | W32/Sality.AC.worm |
| NOD32 | Win32/Sality.AD |
| Microsoft | Worm:Win32/Sality.AH!dll |
| McAfee | W32/Sality.dll |
| Ikarus | Virus.Win32.Sality |
| Fortinet | W32/KillAV.NH!tr |
| F-Secure | Trojan.Win32.KillAV.nh |
| eTrust-Vet | Win32/Maazben!generic |
| eSafe | Win32.KillAV.nh |
| DrWeb | Win32.Sector.4 |
| Comodo | Win32.Sality.AD |
SpyHunter Detects & Remove Sality
File System Details
| # | File Name | MD5 |
Detections
Detections: The number of confirmed and suspected cases of a particular threat detected on
infected computers as reported by SpyHunter.
|
|---|---|---|---|
| 1. | 256f4b43f77e46cc37dbb0701850f7d38353a0f6e980174c0e79716641ac4e65 | 72410784cc6a484cc839f254d68e0eea | 3 |
| 2. | Virus.Win32.Iframer.c | 334215be25fe0b1d4ce4286318fd0472 | 2 |
| 3. | file.exe | 627b8095b1024a0ddfdfa01bf9aff803 | 1 |
| 4. | sa-643166.exe | e3bec9eb5e9375f37d681dd17bbbdd4e | 0 |
| 5. | Msmsgs.exe | 9e35482e8ef527840071f91218658932 | 0 |
| 6. | winjmxy.exe | c24411d4e373e19404eb3154f3233ad0 | 0 |
| 7. | 7g7G8B2C.exe | f339095d454772ad8cb9c340f13e1678 | 0 |
| 8. | bd3q0qix.exe | b503241f1dcc27fe6fb0998d2b05fdb4 | 0 |
| 9. | iii[1].exe | 5fc359ad746100efc0d82d6e1c29f77d | 0 |
| 10. | bd3q0qix.exe,vamsoft.exe | e7b53d00459864b22552f7119179fd29 | 0 |
| 11. | TckBX673.exe | 046f1a09caa11f2e69162af783d7e89c | 0 |
| 12. | load[1].exe | 426444c904c4d960118913467204ed0d | 0 |
| 13. | winkfmc.exe | f718b5d0f994207183694e207046ac69 | 0 |
| 14. | ParisHilton[1].exe | 4358fc8cb0254b909eab71431332918c | 0 |
| 15. | file.exe | e055f11422d5b9f33653b69a4ff6e9f4 | 0 |
