Learn the Purpose of the Sality Virus and How to Eradicate It

Understanding the Sality Virus and How to Delete It

Skull and crossbones in binary code
John Lund / Getty Images

Sality is a family of file-infecting malicious software that affects Windows computers by spreading infections through EXE and SCR files.

Sality, which may have started out in Russia originally, has evolved a lot over the years, so different variations of the malware exhibit different characteristics. However, most Sality variants are worms in that they use some form of autorun functionality to infect executable files via removable or discoverable drives.

Some are even Sality botnets that join infected machines to its own P2P network so that the computers as a whole help facilitate things like stealing private data, cracking passwords, sending spam, and more.

The Sality virus might also include a Trojan downloader that installs additional malware via the internet, and a keylogger that monitors and records keystrokes.

Note: Some antivirus programs refer to the Sality viruses by other names like SaILoad, SaliCode, Kookoo, and Kukacka.

How It Works

As mentioned above, the Sality malware infects executable files on the infected computer.

Most versions of the malware put a special DLL file on the computer within the %SYSTEM% folder and might call it "wmdrtc32.dll" or, for the compressed version, "wmdrtc32.dl_."

However, not all variants of the Sality virus will use a DLL file in this way. Some load the code directly into memory, and the DLL file won't be found anywhere within the actual disk files.

Others might even store a device driver in the %SYSTEM%\drivers folder. What makes this one tricky is that it might be stored with a random file name, so if your antivirus software only reads file names to check for viruses, and not the file's contents, there's a good chance that it won't catch the Sality virus.

Updates to the Sality malware are fed over HTTP via decentralized lists of URLs. Once infected, the malware need only request updates behind the scenes to transform and grow on its own, to download new files to infect other computers.

Signs of Infection

It's important to be aware of the symptoms of a Sality virus infection—what your computer might do or how it might perform when the Sality virus is present.

As with much other malware, Sality might do any of the following:

  • Disable antivirus software and prevent access to certain antivirus and security websites.
  • Prevent booting into Safe Mode.
  • Remove security-related files, processes, and/or services.
  • Store a CMD, PIF, and/or EXE file to the root of discoverable drives, along with an autorun.inf file that contains instructions to load the dropped files when the drive is accessed.
  • Send spam to your email contacts by accessing your email client's address book.
  • Delete files that contain a certain file extension.

How to Delete

The best way to prevent a Sality virus infection is to keep your computer up to date with the latest patches and security definitions. Use Windows Update and keep your antivirus software updated to help thwart this attack.

If you already know that you have the Sality virus, you can get rid of it in a similar manner.

Scan your computer for malware with an updated and capable antivirus software program. You might have luck using a spyware remover to catch the Sality virus since it functions as spyware, too. If those don't work or you don't have regular access to Windows, use a bootable antivirus program instead.

Some antivirus vendors include a special tool meant specifically for dealing with the Sality virus. For example, AVG offers a popular free antivirus program but they also include Sality Fix that you can download for free to remove the Sality virus automatically. Kaspersky lets you use the free SalityKiller tool.

If a file is found to be infected with Sality, allow the software to clean the file. If other malware is found, try deleting the virus or taking the recommended action by the scanner.

Some antivirus programs might not detect the Sality virus. If you suspect that you have the virus but your security software isn't finding it, try uploading it to VirusTotal to do an online scan with various scanning engines.

Another option is to manually delete the virus files by searching through the computer with a file search tool like Everything. However, there's a good chance that the files are locked from use and can't be removed in a normal way. Antivirus programs can usually avoid this by scheduling the malware for deletion when the computer is shut down.

What to Do Next

If you're sure that the Sality virus has been removed, you should consider disabling autorun to prevent a re-infection via USB drives.

It's also important to change the passwords to any online accounts that you used during the time of the infection. If the Sality virus was logging your keystrokes, then there's a good chance that it recorded your bank information, social media credentials, email password, etc. Changing those passwords (after the infection is gone) and checking your accounts for theft is an important step.

Install an always-on, always-updating, easy-to-use antivirus program so that it's less likely that this will happen again. Make sure it can check removable drives for malware and set up scheduled scans to periodically check for malware of all types, not just for the Sality virus.