Win32/Sality
Aliases: No associated aliases
Summary
Windows Defender detects and removes this threat.
This malware family can steal your personal information and lower your PC security settings. It can:
- Stop your security software from running
- Steal your sensitive information
- Download and run other files
- Delete security-related files from your PC
- Lower your PC security settings
Use the following free Microsoft software to detect and remove this threat:
- Microsoft Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
- Microsoft Windows Malicious Software Removal Tool
You should also run a full scan. A full scan might find other hidden malware.
Advanced troubleshooting
To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.
Enable registry editor
This threat might prevent Registry Editor from running. To allow the Registry Editor to run, follow these steps:
- Click Start then Run and type cmd to run a command prompt.
- In the command prompt, type the following and press Enter:
reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
- Type exit.
Restore your PC
This threat might make lasting changes to your PC's settings that won't be restored when it's cleaned. The following steps can help change these settings back to what you want:
- Restore my system registry:
- For Windows 7
- For Windows Vista
- For Windows XP
- Restore security settings to a known working state
- View hidden and/or system files:
- For Windows 7
- For Windows Vista
- For Windows XP
- Start Windows services:
- For Windows 7
- For Windows Vista
- For Windows XP
- Enable Task Manager:
- For Windows Vista
- For Windows XP
- Enable Windows Firewall:
- For Windows 8
- For Windows 7
- For Windows Vista
- For Windows XP
- Enable Windows Security Center/Action Center alerts:
- For Windows 8
- For Windows 7
- For Windows Vista
- For Windows XP
- Correct "disable Autorun registry key" enforcement in Windows
- For other support and help related articles, go to:
- Microsoft Security TechNet Center
Get more help
You can also see our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
If you’re using Windows XP, see our Windows XP end of support page.
Threat behavior
Installation
Most variants of Win32/Sality drop a DLL onto your PC. For example, we have seen variants use the following file names:
- <system folder>\wmdrtc32.dll - this file contains the bulk of the virus code
- <system folder>\wmdrtc32.dl_ - this is a compressed copy of the virus code
Some variants of Sality, like Virus:Win32/Sality.AM, do not drop the DLL, but instead load it entirely in memory without writing it to disk. This variant, along with others, also drops a driver with a random file name in the folder <system folder>\drivers. The driver is detected as Trojan:WinNT/Sality (see the Payload - Drops other components section below).
Sality may be dropped by other malware, including other Sality variants. For example, a Sality variant detected as Virus:Win32/Sality.AU is dropped by Worm:Win32/Sality.AU.
We have also observed the Sality variant Virus:Win32/Sality.G being dropped by a member of the Win32/Bagle family of mass-mailing worms: Worm:Win32/Bagle.IF@mm.
Spreads through
Win32/Sality usually targets all files in drive C: that have .exe or .scr file extensions, beginning with the root folder, and injects its code into them. Infected files increase in size by a varying amount.
The virus also targets programs that run at each Windows start and frequently used applications by checking the following registry keys:
- HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Win32/Sality avoids infecting the following categories of files so that it remains hidden:
- Files protected by System File Checker (SFC)
- Files under the %SystemRoot% folder
- The executable files of several antivirus and firewall products; in particular it avoids infecting files with names containing any of the following words:
Removable drives and network shares
Some Sality variants can infect legitimate files which are then moved to available removable drives and shared network folders.
One of the following legitimate files, if it exists, is copied into the %TEMP% folder, then infected:
- <system folder>\NOTEPAD.EXE
- <system folder>\WINMINE.EXE
- <system folder>\TELNET.EXE
The resulting infected file is then moved to the root of all available removable drives and network shares as any of the following:
- \<random file name>.pif
- \<random file name>.exe
- \<random file name>.cmd
The Sality variant also creates an autorun.inf file in the root of all these drives that points to the infected file. When a drive is accessed from a PC supporting the Autorun feature, the file is launched automatically.
This is a common malware behavior, generally used to spread from PC to PC.
It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media.
Payload
Deletes security-related files
Sality variants usually try to delete files related to antivirus updates, like those with the following file extensions:
- .avc
- .key
- .trj
- .vdb
Some variants, like Virus:Win32/Sality.G, try to delete files that have the following strings in their file names:
- AHEAD
- ALER
- ANDA
- ANTI 0
- CLEAN
- GUAR
- OUTP
- SCAN
- TOTAL
- TREN
- TROJ
- ZONE
Ends or closes security-related processes
Win32/Sality commonly searches for and tries to end or close security applications, particularly antivirus and personal firewall programs. It tries to end or close security applications containing the same strings as the files it avoids infecting in the Spreads through... section.
It also searches for and tries to close processes that contain or load modules that have the following substrings:
- DWEBILLIO
- DWEBIO
It may also close the following security-related services:
acssrv Agnitum Client Security Service ALG Amon monitor aswFsBlk aswMon2 aswRdr aswSP aswTdi aswUpdSv AV Engine avast! Antivirus avast! Asynchronous Virus Monitor avast! iAVS4 Control Service avast! Mail Scanner avast! Self Protection avast! Web Scanner AVG E-mail Scanner Avira AntiVir Premium Guard Avira AntiVir Premium MailGuard Avira AntiVir Premium WebGuard AVP avp1 BackWeb Plug-in - 4476822 bdss BGLiveSvc BlackICE CAISafe ccEvtMgr ccProxy ccSetMgr cmdAgent
cmdGuard COMODO Firewall Pro Sandbox Driver Eset HTTP Server Eset Personal Firewall Eset Service F-Prot Antivirus Update Monitor fsbwsys FSDFWD F-Secure Gatekeeper Handler Starter FSMA Google Online Services InoRPC InoRT InoTask ISSVC KLIF KPF4 LavasoftFirewall LIVESRV McAfeeFramework McShield McTaskManager navapsvc NOD32krn NPFMntor NSCService Outpost Firewall main module OutpostFirewall PAVFIRES PAVFNSVR PavProt PavPrSrv
PAVSRV PcCtlCom PersonalFirewal PREVSRV ProtoPort Firewall service PSIMSVC RapApp SavRoam SmcService SNDSrvc SPBBCSvc SpIDer FS Monitor for Windows NT SpIDer Guard File System Monitor SPIDERNT Symantec AntiVirus Symantec AntiVirus Definition Watcher Symantec Core LC Symantec Password Validation tcpsr Tmntsrv TmPfw tmproxy UmxAgent UmxCfg UmxLU UmxPol vsmon VSSERV WebrootDesktopFirewallDataService WebrootFirewall XCOMM
Blocks access to security-related domains
Some Win32/Sality variants block access to any URL containing any of these words or phrases:
- agnmitum
- bitdefender
- cureit
- drweb
- eset.com
- etrust.com
- ewido
- f-secure
- kaspersky
- mcafee
- onlinescan.
- pandasoftware
- sality-remov
- sophos
- spywareguide
- spywareinfo
- symantec
- trendmicro
- upload_virus
- virusinfo
- virusscan
- virustotal
- windowsecurity
Steals sensitive information
Some Win32/Sality variants can steal passwords you've stored on your PC and can log keystrokes you enter. For example, in the wild we have observed Virus:Win32/Sality.AT downloading and running TrojanSpy:Win32/Keatep.B, which steals FTP server credentials.
We've also observed Virus:Win32/Sality.G dropping a component - Virus:Win32/Sality.G.dll - that logs keystrokes and steals passwords and information about your PC, like the domain it is connected to and the PC's name, and sends it to a remote server, like:
- kukunet11581q.com
- rus0396kuku.com
Downloads and runs other files
Win32/Sality variants usually try to download and run other files. They may first try to connect to www.microsoft.com to check for Internet connectivity. These files may include other malware, like TrojanSpy:Win32/Keatep.B.
The files are downloaded into the %TEMP% folder and decrypted using one of several hardcoded passwords, which include:
- GdiPlus.dll
- kukutrusted!.
The following is a list of domains to which Win32/Sality might connect and from which it might download files:
- bpfq02.com
- f5ds1jkkk4d.info
- g1ikdcvns3sdsal.info
- h7smcnrwlsdn34fgv.info
- hkukud123ncs.info
- inform1ongung.info
- klkjwre77638dfqwieuoi888.info
- kukutrustnet.info
- kukutrustnet.org
- kukutrustnet777888 .info/
- lukki6nd2kdnc.info
Injects code into running processes
Most of the payload of Win32/Sality is run in the context of other processes. This makes cleaning harder and lets the malware bypass some firewalls. To avoid multiple injections in the same process, a system-wide mutex called <process name>.exeM_<process ID>_ is created for every process in which code is injected.
Prevents Windows from booting up in Safe Mode
Win32/Sality variants recursively delete all registry values and data under the following registry subkeys, preventing you from starting Windows in Safe Mode:
- HKCU\System\CurrentControlSet\Control\SafeBoot
- HKLM\System\CurrentControlSet\Control\SafeBoot
Drops other components
Some variants of Win32/Sality drop a driver with a random file name in the folder <system folder>\drivers. The driver is detected as Trojan:WinNT/Sality. Its purpose is to:
- Close or end security-related processes - Trojan:WinNT/Sality ends processes to bypass the self-protection of some antivirus programs
- Block access to security-related websites - Trojan:WinNT/Sality denies access to a list of hardcoded URLs. This technique works only on Windows XP, Windows 2003, and Windows 2000
- Disable SSDT hooks - Trojan:WinNT/Sality removes System Service Descriptor Table (SSDT) hooks, which many security products rely on, to stop those products from working properly
Changes %SystemRoot%\system.ini
Win32/Sality adds the following section to the configuration file %SystemRoot%\system.ini:
[MCIDRV_VER]
DEVICEMB=<random string>
The section acts as an infection marker.
Connects to a peer-to-peer (P2P) network
PCs infected with some versions of Win32/Sality, like Virus:Win32/Sality.AT, and Virus:Win32/Sality.AU, connect to other infected PCs by joining a peer-to-peer (P2P) network. From other PCs in the P2P network, they receive URLs pointing to additional malware components.
The P2P network uses UDP connections from your PC to the network. All the messages exchanged on the P2P network are encrypted. The local UDP port number used to connect to the network is generated as a function of the PC name. At the time of analysis, we were unable to confirm the nature of the messages.
Lowers PC security
Win32/Sality variants may try to lower Windows security.
Some variants may run the following netsh command to disable the Windows Firewall:
- netsh firewall set opmode disable
Variants may also make the following changes to the registry to change or lower security settings:
- Disable User Account Control (UAC):
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"
- Change Windows Firewall to allow Internet communication:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<Win32/Sality file name>"
With data: "<Win32/Sality file name>:*:enabled:ipsec"
- Disable Windows Firewall:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
With data: "0"
- Redirect netsh event tracing session logging:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
Sets value: "LogSessionName"
With data: "stdout"
- Turn off monitoring of the installed antivirus software from within the Microsoft Security Center:
In subkeys:
HKLM\SOFTWARE\Microsoft\Security Center
HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "AntiVirusOverride"
With data: "1"
- Turn off security alerts in Windows Security Center:
In subkeys:
HKLM\SOFTWARE\Microsoft\Security Center
HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets values:
"FirewallDisableNotify"
"UacDisableNotify"
"UpdatesDisableNotify"
With data: "1"
- Disable Windows Task Manager:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: "1"
- Turn "Offline Mode" off in Microsoft Internet Explorer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "GlobalUserOffline"
With data: "0"
- Let hidden files remain hidden:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "2"
- Prevent access to registry editing tools like regedit:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: "1"
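Pulling the settings changes and markers described above into one host check, as an added example that is not part of the Microsoft entry: this read-only PowerShell audit reports the registry values, SafeBoot damage, dropped file names and system.ini marker this page attributes to Win32/Sality. It assumes a Windows installation at default settings; a domain policy in your environment could legitimately set some of these values, so review findings before acting on them.

```powershell
# Added example, not from the Microsoft entry: read-only audit of the persistent
# changes this page attributes to Win32/Sality. Assumes a default Windows config;
# a domain policy could legitimately set some of these values (review before acting).
$tampered = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Bad = '0' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name = 'EnableFirewall'; Bad = '0' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusOverride'; Bad = '1' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'; Name = 'AntiVirusOverride'; Bad = '1' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify'; Bad = '1' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'UacDisableNotify'; Bad = '1' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'UpdatesDisableNotify'; Bad = '1' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh'; Name = 'LogSessionName'; Bad = 'stdout' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Bad = '1' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Bad = '1' }
)
# 'Hidden' = 2 from the page is omitted: it is Explorer's default and not a useful indicator.
$findings = New-Object System.Collections.Generic.List[string]
foreach ($t in $tampered) {
    $item = Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and "$($item.($t.Name))" -eq $t.Bad) {
        $findings.Add("Registry: $($t.Path)\$($t.Name) = $($t.Bad)")
    }
}
# Firewall exceptions: the page shows the form "<file>:*:enabled:ipsec"; flag that description
# and any exception whose executable no longer exists (the original may already have been cleaned).
$listKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$list = Get-ItemProperty -Path $listKey -ErrorAction SilentlyContinue
if ($list) {
    foreach ($p in $list.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        $value = "$($p.Value)"
        $exe = [Environment]::ExpandEnvironmentVariables(($value -split ':\*:')[0])
        if ($value -like '*:ipsec' -or -not (Test-Path -LiteralPath $exe)) {
            $findings.Add("Firewall exception: $($p.Name) -> $value")
        }
    }
}
# SafeBoot: Sality empties these subkeys, which leaves Safe Mode unbootable.
foreach ($sb in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sb"
    if (-not (Test-Path $key) -or @(Get-ChildItem $key -ErrorAction SilentlyContinue).Count -eq 0) {
        $findings.Add("SafeBoot: $key missing or empty")
    }
}
# Dropped components and the system.ini infection marker named on this page.
foreach ($f in 'wmdrtc32.dll', 'wmdrtc32.dl_') {
    $path = Join-Path $env:SystemRoot "System32\$f"
    if (Test-Path $path) { $findings.Add("File: $path present") }
}
$ini = Join-Path $env:SystemRoot 'system.ini'
if ((Test-Path $ini) -and (Select-String -Path $ini -Pattern '^\[MCIDRV_VER\]' -Quiet)) {
    $findings.Add('system.ini: [MCIDRV_VER] section present (infection marker)')
}
if ($findings.Count -eq 0) { 'No Win32/Sality tampering indicators found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM keys are readable; a clean host should print the single "No ... indicators found" line.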
Further reading
- Stuxnet, malicious .LNKs, ...and then there was Sality
- Pramro and Sality - two PEs in a pod
- Are Viruses Making a Comeback?
- The Threat Landscape in the Middle East – Part 2: The Palestinian Authority and Iraq
Related encyclopedia entries
- Trojan:WinNT/Sality
- TrojanSpy:Win32/Keatep.B
- Virus:Win32/Sality.AM
- Virus:Win32/Sality.G
- Virus:Win32/Sality.G.dll
- Virus:Win32/Sality.AT
- Virus:Win32/Sality.AU
- Win32/Bagle
- Worm:Win32/Bagle.IF@mm
- Worm:Win32/Sality.AU
Analysis by Hamish O'Dea, Edgardo Diaz Jr, and Horea Coroiu
Prevention
The following can indicate that you have this threat on your PC:
- The presence of the following files:
- <system folder>\wmdrtc32.dll - this file contains the bulk of the virus code
- <system folder>\wmdrtc32.dl_ - this is a compressed copy of the virus code
- Infected files might unexpectedly increase in size
- Antivirus and firewall applications might fail to function
- Windows Task Manager and Windows Registry Editor might be disabled
- There is encrypted UDP traffic originating from unexpected applications