What's the Sality Virus?


Description

Sality is a family of file-infecting viruses that spread by infecting Windows .exe and .scr files; it affects only Windows-based computers. The family also carries an autorun worm component that copies it to any removable or otherwise discoverable drive, and a downloader trojan component that fetches and installs additional malware from the Web.

Symptom

As with much other malware, Sality disables antivirus software and blocks access to certain antivirus and security websites.

Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via its autorun component, Sality typically drops a .cmd, .pif, and .exe file to the root of each discoverable drive, together with an autorun.inf file that instructs Windows to launch the dropped file(s) when the drive is accessed. Infected machines are joined to Sality's own peer-to-peer network, and updates to the malware are distributed through it as decentralized lists of HTTP URLs.

Remediation

Scan the system with up-to-date antivirus software. If a file is found to be infected with Sality, allow the antivirus software to clean (disinfect) the file rather than delete it: Sality infects legitimate executables, so deleting them would remove programs you need. If other malware is found, allow the antivirus to delete it or take whatever action the scanner recommends. (For assistance, see Clean, Quarantine, or Delete?) If the malware persists, boot from an antivirus rescue CD so that the infected Windows installation is not running, and scan the system again.

To prevent re-infection via infected USB drives, disable autorun on the cleaned system and check any drive that was plugged into it before it is used again.
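The following PowerShell script is an added example and is not part of the original article or of any vendor tool. It puts the two practical points above into code: it checks the root of every removable drive for the dropper pattern described under Symptom (an autorun.inf plus loose .cmd/.pif/.exe files) and reports which file the autorun.inf would launch, and it then disables autorun for all drive types through the documented NoDriveTypeAutoRun policy value. The function names and the 0xFF bitmask are the example's own choices; run it from an elevated prompt so the HKLM key can be written.

```powershell
# Added example (not from the original article): triage removable drives for the
# autorun.inf dropper pattern, then disable autorun via the NoDriveTypeAutoRun policy.
# Requires an elevated PowerShell prompt on Windows for the HKLM part.

function Get-AutorunTargets {
    # Parse an autorun.inf and return the commands it would run.
    # Covers the standard directives: open=, shellexecute=, and shell\<verb>\command=.
    param([Parameter(Mandatory)][string]$Path)

    $targets = @()
    foreach ($line in Get-Content -LiteralPath $Path -ErrorAction Stop) {
        if ($line -imatch '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=\s*(.+?)\s*$') {
            $targets += [pscustomobject]@{ Directive = $Matches[1]; Command = $Matches[2] }
        }
    }
    return $targets
}

function Find-AutorunDroppers {
    # Inspect the root of every removable drive (Win32_LogicalDisk DriveType 2) for
    # autorun.inf and the loose .cmd/.pif/.exe files the article says Sality drops.
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($d in $drives) {
        $root = $d.DeviceID + '\'
        $inf  = Join-Path $root 'autorun.inf'
        $hasInf = Test-Path -LiteralPath $inf

        # -Force lists hidden/system files; droppers usually set those attributes.
        $loose = Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue |
                 Where-Object { $_.Extension -in '.cmd', '.pif', '.exe' }

        $targets = @()
        if ($hasInf) { $targets = @((Get-AutorunTargets -Path $inf).Command) }

        [pscustomobject]@{
            Drive            = $d.DeviceID
            HasAutorunInf    = $hasInf
            AutorunTargets   = $targets
            LooseExecutables = @($loose | ForEach-Object Name)
            Suspicious       = $hasInf -and ($loose.Count -gt 0)
        }
    }
}

function Disable-Autorun {
    # NoDriveTypeAutoRun is a bitmask of drive types on which autorun is ignored;
    # 0xFF disables it for every drive type. HKLM applies machine-wide (needs admin),
    # HKCU covers the current user if the HKLM write is not possible.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -PropertyType DWord `
                         -Value 0xFF -Force | Out-Null
    }
}

# Usage: report first, then harden, then confirm the policy value took effect.
Find-AutorunDroppers | Format-List
Disable-Autorun
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' |
    Select-Object NoDriveTypeAutoRun
```

Treat any drive the report marks Suspicious as infected and scan it with the rescue media before opening it in Explorer. The parser only understands the standard autorun.inf directives; a dropper may pad the file with junk lines to confuse scanners, which this example ignores but does not defeat. Recent Windows versions already refuse to honor autorun.inf on non-optical removable media, so the registry change is defense in depth on those systems and the primary fix on older ones.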