Threat Database Viruses Virus.Win32.Sality.aa


Threat Scorecard

Ranking: 3,692
Threat Level: 70 % (High)
Infected Computers: 19,158
First Seen: July 24, 2009
Last Seen: September 17, 2023
OS(es) Affected: Windows

Sality is a sophisticated, complex and extremely dangerous computer virus. If you have any hint that your PC got infected with Sality, you should act with caution and deal with Sality as quickly as humanly possible. Sality can be harmful to your computer and to you in a startling variety of ways, because Sality includes features or components of every major kind of malware and regularly changes itself, continuously becoming more malicious and harder to detect than it was before.

Sality’s History

The Sality virus first appeared in Russia in 2003. Since then, Sality has continued to be a threat, and Sality has spread throughout the world, historically with an especially strong presence in Brazil. Sality was one of the most prevalent viruses of 2010, and there was a major increase in the number of infections at the end of the year, when a new mutation of the virus appeared. Some researchers have stated that Sality is currently one of the five most common threats detected on computers.

Strictly speaking, Sality began as a backdoor as a way of bypassing ordinary computer security measures. Although Sality still has this feature and the infection still begins with a backdoor, Sality has grown and evolved over the years to include in its functioning practically every known variety of malware. That is not an exaggeration – in addition to the backdoor, Sality's features include viruses, keyloggers, rootkits, worms, Trojans, downloaders, botnets, adware and zero-hour Windows exploits. Sality has the common features of a classic virus, as well as some very modern and very dangerous capabilities.

How Sality Works

At present, a Sality infection might begin with the use of an infected thumb drive which will infect your computer beginning with a worm or Sality can infect your computer beginning with a Trojan, after you click on an infected spam email or download an infected file. One way or another, once Sality is present, Sality opens a backdoor;, and can download other malware; or communicate secretly with a botnet controller or whoever propagated the virus in the first place.

Then Sality sets itself up to do its damage. Sality takes a look at what is on your system, infects local .exe and .scr files, disables or deletes security software and firewalls and writes malicious files. Sality can even alter your computer to prevent Windows from being able to start in Safe Mode. It can then install a keylogger to capture keystrokes and steal user names and passwords, credit card numbers or other sensitive information. Sality can also create a worm that will infect all removable media, especially USB thumb drives, and cause the virus to install itself automatically on whichever computer you connect the USB drive to next.

New Developments of Sality

Recently, Sality has been used to create 'zombie computers' and to add infected computers to botnets. In other words, Sality is being used in order to give hackers remote access to infected systems, and to use those systems to spread spam, create fraudulent web clicks or launch Denial Of Service attacks against targeted websites – all without the knowledge of the owners of the infected computers. A recent estimate of the size of the Sality botnet puts the number of computers connected through Sality at 100,000.

Beginning in the summer of 2010, there were reports that Sality was infecting computers through a Trojan that takes advantage of what was a so-called 'zero-hour' vulnerability in Windows, by exploiting the way Windows handled shortcuts. In this way, Sality is similar to the virus Stuxnet. Basically, the Trojan infects the computer and creates a .dll file and a .lnk file somewhere, and as soon as you navigate to the directory where the .lnk file is stored, the .dll is activated and Sality jumps to action. Since the vulnerability was discovered, Microsoft has issued Windows updates to repair the vulnerability. Nonetheless, recently, this vulnerability has been a major cause of the increase in infection rates of Sality, because many people simply do not update Windows frequently enough or at all.

Sality continues to be a significant threat largely due to its polymorphic nature. It can alter its own code by encrypting itself differently for each different file or computer Sality infects, which is meant to make Sality difficult to be detected through scans. In any case, experts believe that the creators of Sality have the ultimate goal of using Sality to gather up and incorporate as much damaging and detrimental code as possible. Therefore, continued vigilance against Sality will likely be a necessity in the foreseeable future.


15 security vendors flagged this file as malicious.

Anti-Virus Software Detection
Symantec W32.Sality.AB
Sophos W32/Sality-AM
Prevx1 Cloaked Malware
Panda W32/Sality.AC.worm
NOD32 Win32/Sality.AD
Microsoft Worm:Win32/Sality.AH!dll
McAfee W32/Sality.dll
Ikarus Virus.Win32.Sality
Fortinet W32/KillAV.NH!tr
F-Secure Trojan.Win32.KillAV.nh
eTrust-Vet Win32/Maazben!generic
eSafe Win32.KillAV.nh
DrWeb Win32.Sector.4
Comodo Win32.Sality.AD

SpyHunter Detects & Remove Virus.Win32.Sality.aa

File System Details

Virus.Win32.Sality.aa may create the following file(s):
# File Name MD5 Detections
1. 256f4b43f77e46cc37dbb0701850f7d38353a0f6e980174c0e79716641ac4e65 72410784cc6a484cc839f254d68e0eea 3
2. Virus.Win32.Iframer.c 334215be25fe0b1d4ce4286318fd0472 2
3. file.exe 627b8095b1024a0ddfdfa01bf9aff803 1
4. sa-643166.exe e3bec9eb5e9375f37d681dd17bbbdd4e 0
5. Msmsgs.exe 9e35482e8ef527840071f91218658932 0
6. winjmxy.exe c24411d4e373e19404eb3154f3233ad0 0
7. 7g7G8B2C.exe f339095d454772ad8cb9c340f13e1678 0
8. bd3q0qix.exe b503241f1dcc27fe6fb0998d2b05fdb4 0
9. iii[1].exe 5fc359ad746100efc0d82d6e1c29f77d 0
10. bd3q0qix.exe,vamsoft.exe e7b53d00459864b22552f7119179fd29 0
11. TckBX673.exe 046f1a09caa11f2e69162af783d7e89c 0
12. load[1].exe 426444c904c4d960118913467204ed0d 0
13. winkfmc.exe f718b5d0f994207183694e207046ac69 0
14. ParisHilton[1].exe 4358fc8cb0254b909eab71431332918c 0
15. file.exe e055f11422d5b9f33653b69a4ff6e9f4 0


Most Viewed