[INFO]
AnalystName=Dmitry Tkachuk
AnalystEMailID=dmitry.tkachuk@comodo.com
Team=Ukraine
Date=13-JAN-2010
Type=Virus
Platform=Win32
SubType=
Family=Sality
Variant=D

[OVERVIEW]
Win32.Sality is a polymorphic file virus that infects Win32 PE executable files. It also contains trojan components.

[TECHNICAL_DESCRIPTION]
When an infected file is executed, the virus decrypts itself and drops a DLL file into the %System% directory. The DLL file is injected into other running processes. The virus then executes the host program code.

Some examples of the names used by the Sality DLL file:
%System%\syslib32.dll
%System%\oledsp32.dll
%System%\olemdb32.dll
%System%\wcimgr32.dll
%System%\wmimgr32.dll

Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory is C:\Winnt\System32 for Windows 2000 and NT; C:\Windows\System for 95, 98 and ME; and C:\Windows\System32 for XP.

Many variants of Sality also attempt to infect executable files referenced by values in the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This enables the virus to run at each Windows start.

Sality searches local drives C:\ to Y:\ for Windows PE executable files to infect. Some variants do not infect files with a file size below 4 KB or above 20 MB. The virus replaces code at the entry point of the executable with its own code and appends an encrypted copy of itself to the host file, which increases the size of the infected program. When the file is executed, the virus extracts and runs the appended code, and then runs the host program code to hide its presence. It can also steal system information or download and execute arbitrary files.

[SYMPTOMS]
Infected executables are more than 30 KB larger than the original.
One of the following files is located in the Windows system folder:
syslib32.dll
oledsp32.dll
olemdb32.dll
wcimgr32.dll
wmimgr32.dll

[DISINFECTION]
It is hard to remove by hand since the malware modifies existing executables. Get the latest version of Comodo Antivirus and perform a full scan of the computer.
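A triage check for the infection pattern described in the technical description and symptoms (PE files inside the 4 KB to 20 MB window that have grown by more than 30 KB through data appended past the last section), added here as an example; it is not Comodo's detection logic, and the sample PE it parses is constructed inline rather than taken from a real infected file.

```python
import struct

# Figures from the advisory: the size window Sality infects and the growth it causes.
MIN_INFECT_SIZE = 4 * 1024
MAX_INFECT_SIZE = 20 * 1024 * 1024
MIN_GROWTH = 30 * 1024


def pe_overlay_info(data: bytes):
    """Parse PE headers; return (entry_point_rva, overlay_bytes), or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                                   # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # optional header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = opt + opt_size                             # first section header
    end_of_sections = 0
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sections + i * 40 + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    # Anything past the last section's raw data is overlay: appended data lives here.
    return entry_rva, max(0, len(data) - end_of_sections)


def sality_candidate(data: bytes) -> bool:
    """Triage heuristic, not a verdict: in the size window and carrying a large overlay."""
    info = pe_overlay_info(data)
    if info is None or not MIN_INFECT_SIZE <= len(data) <= MAX_INFECT_SIZE:
        return False
    return info[1] >= MIN_GROWTH


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed test input: minimal PE32, one 4 KB .text section, optional overlay."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                          # AddressOfEntryPoint
    text = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0x1000, 0x200,
                                        0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + text).ljust(0x200, b"\0")
    return headers + b"\xC3" * 0x1000 + overlay                      # ret-filled code + overlay


if __name__ == "__main__":
    print(sality_candidate(build_sample_pe()), sality_candidate(build_sample_pe(b"\x55" * 32768)))
```

Legitimate installers and self-extracting archives also carry overlays, so a hit only marks a file for a full antivirus scan, as the disinfection section recommends.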