[INFO]
AnalystName=Dmitry Tkachuk
AnalystEMailID=dmitry.tkachuk@comodo.com
Team=Ukraine
Date=13-JAN-2010
Type=Virus
Platform=Win32
SubType=
Family=Sality
Variant=Q

[OVERVIEW]
Win32.Sality is a polymorphic virus that infects Win32 PE executable files. It also contains trojan components.

[TECHNICAL_DESCRIPTION]
Many variants of Sality also attempt to infect the executable files referenced by values under the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Infecting these files lets the virus run at each Windows start.

Sality searches local drives C:\ to Y:\ for Windows PE executable files to infect. Some variants do not infect files with a file size below 4K bytes or above 20M bytes.

The virus replaces code at the entry point of the executable with its own code and appends an encrypted copy of itself to the host file, which increases the size of the infected program. When the file is executed, the virus extracts and runs the appended code, then runs the original host program code to hide its presence.

The trojan components can steal system information or download and execute arbitrary files.

[SYMPTOMS]
The file "C:\WINDOWS\system32\vcmgcd32.dll" can be found on an infected system.

[DISINFECTION]
Manual removal is difficult because the malware modifies existing executables. Get the latest version of Comodo Antivirus and perform a full system scan.
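The infection technique above (entry point redirected, body appended to the host) leaves structural traces in the PE header that a triage tool can check without any signature. The following script is an added example, not part of this description or of Comodo's tooling: it parses the PE section table with the standard library only and flags two generic traits of appending file infectors, an entry point that lands in the last section and a last section that is both writable and executable. Both sample headers are constructed inline for the demonstration; the checks are heuristics for triage, not a Sality detection.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_pe(data: bytes):
    """Return (entry_rva, [(name, vaddr, vsize, characteristics), ...]) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]         # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]         # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i                               # section headers are 40 bytes each
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, vaddr, vsize, chars))
    return entry_rva, sections

def appended_infector_indicators(data: bytes) -> list:
    """Heuristic triage: traits typical of appending file infectors (not a Sality signature)."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return ["no sections"]
    findings = []
    name, vaddr, vsize, chars = sections[-1]
    if vaddr <= entry_rva < vaddr + vsize:
        findings.append(f"entry point 0x{entry_rva:x} lies in last section {name!r}")
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"last section {name!r} is writable and executable")
    return findings

def build_sample_pe(entry_rva, sections) -> bytes:
    """Construct a minimal PE32 header for testing (constructed data, not a real program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    opt_size = 96                                                    # PE32 optional header, no data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva) + b"\0" * (opt_size - 20)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, ch) for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table

CLEAN = build_sample_pe(0x1010, [(b".text", 0x1000, 0x200, 0x60000020), (b".data", 0x2000, 0x100, 0xC0000040)])
SUSPECT = build_sample_pe(0x3000, [(b".text", 0x1000, 0x200, 0x60000020), (b".data", 0x2000, 0x100, 0xC0000040),
                                   (b".xyz", 0x3000, 0x5000, 0xE0000020)])
```

Run `appended_infector_indicators(open(path, "rb").read())` over a directory of executables to list files worth a closer look; a clean build normally yields an empty list.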