When you are emotionally invested in a physical object, there may come a day when it gets ruined and you feel like seeing a therapist. That is especially true of computers and smartphones. After all, the gadget has been with you for a long time: it has done a significant share of your work, kept track of your business better than any employee and, now and then, let you play a game or two. So when a virus gets into it and you fail to notice early, it is understandable to feel low about it.
Even if you are not an IT expert, it is worth having an idea of the malware that can worm its way onto a computer and destroy valuable files. One of the older viruses that still deserves your attention is W32.Sality.
What Is It?
The Sality virus (or simply W32.Sality) is a file infector: it appends its code to Windows executable (.exe) and screensaver (.scr) files, so it spreads every time an infected file is run. It also abuses AutoRun, writing an autorun.inf file and a copy of itself onto any removable medium that is plugged into the machine, so a USB stick is enough to carry it to the next computer. On top of that, the package includes Trojan functionality that downloads and installs further malware without your knowledge whenever the computer is connected to the internet.
When Did It First Appear?
This threat first appeared in 2003 and is believed to originate from Russia. Early variants were simple file infectors that patched their code into host executables and carried a keylogger and a backdoor. Over the years it has gained features that make it considerably more dangerous, but despite those changes its characteristic behaviour has stayed recognisable.
How Does It Infect A Computer?
The payload runs five components in separate threads. The first is the process injector: it injects a copy of the virus into every running process except those running under the SYSTEM, NETWORK SERVICE and LOCAL SERVICE accounts, so that the malware keeps running even after the original infected program is closed.
The second component weakens the security of the system. It terminates processes and services that belong to antivirus and other security products. It also modifies the registry: the SafeBoot key entries are deleted (so the machine can no longer start in Safe Mode), and Task Manager and the Registry Editor (regedit.exe) are disabled through the corresponding policy values. Finally, it adds Windows Firewall exceptions so that Sality can reach the network.
Sality also drops a kernel driver into %System%\drivers and loads it as a service named "amsint32". This driver is a rootkit with two jobs:
1. It kills processes that could not be terminated from user mode with TerminateProcess(). The rootkit can force code to execute inside a chosen process, but the only thing that code is used for is the termination itself.
2. It registers an IpFilter callback, which lets the driver see network packets. Ipfltdrv.sys is a standard Windows driver, loaded by starting the IpFilterDriver service. A kernel driver can register a callback with IpFilter that is invoked for every IP packet entering or leaving the machine, and that callback decides whether the packet is dropped or forwarded.
In other words, IpFilter is a simple, direct way to build a firewall on Windows. The virus uses it to drop every IP packet that contains one of the words from an encrypted string list, which is made up of the domain names of security vendors' websites. The user-mode component can also instruct the driver to block ordinary e-mail traffic by dropping SMTP packets.
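The filtering logic described in the two paragraphs above can be shown in ordinary user-mode code. The following is an added example, not code from the original article or from any Sality sample: a Python simulation of the IpFilter callback's decision. It parses constructed IPv4/TCP/UDP packets, decodes a constructed blocklist and returns a drop/forward verdict the way the page describes the rootkit doing it. The single-byte XOR obfuscation, the vendor names, the case-insensitive match and the always-on SMTP block are assumptions for the example; the page does not describe the real cipher, list or switch.

```python
"""Simulation of the IpFilter callback that Sality's rootkit registers (added example)."""
import struct

# Verdicts named after the IpFilter driver's PF_FORWARD_ACTION values.
PF_FORWARD = 0
PF_DROP = 1
IPPROTO_TCP, IPPROTO_UDP = 6, 17
SMTP_PORT = 25

# Sality stores its vendor strings encrypted. The cipher is not described on the
# page, so this XOR key and these entries are constructed sample data, not the real list.
XOR_KEY = 0x5A
ENCRYPTED_BLOCKLIST = [bytes(b ^ XOR_KEY for b in s)
                       for s in (b"symantec", b"kaspersky", b"mcafee", b"avast")]


def decode_blocklist(encrypted=ENCRYPTED_BLOCKLIST, key=XOR_KEY):
    """Recover the plaintext strings the filter matches against."""
    return [bytes(b ^ key for b in s) for s in encrypted]


BLOCKLIST = decode_blocklist()


def parse_ipv4(packet):
    """Return (protocol, src_port, dst_port, l4_payload) for a well-formed IPv4
    datagram, or None. Ports are None for protocols other than TCP and UDP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        return None
    proto, l4 = packet[9], packet[ihl:total_len]
    if proto == IPPROTO_TCP and len(l4) >= 20:
        hdr = (l4[12] >> 4) * 4          # TCP data offset, in 32-bit words
    elif proto == IPPROTO_UDP and len(l4) >= 8:
        hdr = 8
    elif proto in (IPPROTO_TCP, IPPROTO_UDP):
        return None                      # truncated transport header
    else:
        return proto, None, None, l4
    if hdr < 8 or len(l4) < hdr:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return proto, sport, dport, l4[hdr:]


def filter_callback(packet, blocklist=BLOCKLIST):
    """Decide PF_DROP or PF_FORWARD for one packet, as the page describes the rootkit:
    drop SMTP traffic and any IP packet whose bytes contain a blocklisted string.
    Malformed packets are forwarded untouched (a choice made here, not documented on the page)."""
    parsed = parse_ipv4(packet)
    if parsed is None:
        return PF_FORWARD
    proto, sport, dport, _ = parsed
    if proto == IPPROTO_TCP and SMTP_PORT in (sport, dport):
        return PF_DROP
    lowered = packet.lower()             # case-insensitive match is an assumption
    if any(word in lowered for word in blocklist):
        return PF_DROP
    return PF_FORWARD


def build_packet(proto, src_port, dst_port, payload):
    """Constructed minimal IPv4 + TCP/UDP packet; checksums stay zero because the
    filter never verifies them."""
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 2]), bytes([203, 0, 113, 7]))
    return ip + l4


# Constructed sample traffic from an infected host.
SAMPLE_TRAFFIC = {
    "http_to_vendor": build_packet(IPPROTO_TCP, 49152, 80,
                                   b"GET /definitions HTTP/1.1\r\nHost: www.symantec.com\r\n\r\n"),
    "dns_for_vendor": build_packet(IPPROTO_UDP, 53000, 53,
                                   b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                                   b"\x09kaspersky\x03com\x00\x00\x01\x00\x01"),
    "smtp_mail": build_packet(IPPROTO_TCP, 49153, 25, b"EHLO laptop.example\r\n"),
    "http_benign": build_packet(IPPROTO_TCP, 49154, 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
}


def run_filter(traffic=SAMPLE_TRAFFIC):
    """Return {packet name: "DROP" | "FORWARD"} for each sample packet."""
    names = {PF_DROP: "DROP", PF_FORWARD: "FORWARD"}
    return {name: names[filter_callback(pkt)] for name, pkt in traffic.items()}


if __name__ == "__main__":
    for name, verdict in run_filter().items():
        print(f"{name:16s} {verdict}")
```

Because the match runs over the raw packet bytes rather than over a parsed URL, a DNS query for a vendor's domain is dropped just like an HTTP request to it; the behaviour the page describes therefore implies that an infected machine cannot even resolve those sites, let alone download updates from them.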
Whoever created Sality clearly wants it to stay on victims' computers for a long time. You can tell from the way it attacks exactly the tools a person would turn to first to diagnose the problem: Task Manager, the Registry Editor, Safe Mode and the security vendors' websites. Keep in mind that because it deletes the SafeBoot registry keys, the machine may refuse to start in Safe Mode until those keys are restored, so cleaning is often done from a separate, known-clean boot medium. Once the system is clean, scan every removable medium that has ever been connected to it, since the AutoRun copy on a single USB stick is enough to bring Sality back and ruin your day again.
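The registry and service changes described under "How Does It Infect A Computer?" can be checked without booting the suspect machine, from a registry export (.reg file) taken from its offline hives. The following is an added example, not the article's or any vendor's tool: a Python parser for the .reg text format plus a triage routine that flags the indicators the page names (missing SafeBoot keys, DisableTaskMgr and DisableRegistryTools policies, the amsint32 service, and added firewall exceptions). The firewall list location, the driver file name in the sample and the rule that skips %windir% firewall entries are assumptions; the export below is constructed for the example.

```python
"""Offline triage of a Windows registry export (.reg) for the changes Sality makes.
Added example: the sample export below is constructed, not taken from a real infection."""
import re

SAFEBOOT_KEYS = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
                 r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network")
POLICY_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
               r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System")
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32"
# Assumed location of the Windows Firewall "authorized applications" list (XP/2003 profile).
FIREWALL_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                 r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse a .reg export into {key path (lowercased): {value name: value}}.
    Handles quoted strings, dword values and @ defaults; other types stay as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current else None
        if not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data.startswith("dword:"):
            value = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = _unescape(data[1:-1])
        else:
            value = data
        keys[current][name] = value
    return keys


def _has_subkeys(keys, path):
    prefix = path.lower() + "\\"
    return any(k.startswith(prefix) for k in keys)


def triage(keys):
    """Return (severity, finding) pairs for the indicators described on this page."""
    findings = []
    for k in SAFEBOOT_KEYS:            # deleted SafeBoot entries break Safe Mode
        if not _has_subkeys(keys, k):
            findings.append(("HIGH", f"SafeBoot key missing or emptied: {k}"))
    for k in POLICY_KEYS:              # Task Manager / regedit disabled by policy
        vals = keys.get(k.lower(), {})
        for name in ("DisableTaskMgr", "DisableRegistryTools"):
            if vals.get(name) == 1:
                findings.append(("MEDIUM", f"{name}=1 under {k}"))
    svc = keys.get(SERVICE_KEY.lower())
    if svc is not None:                # rootkit driver registered as a service
        findings.append(("HIGH", f"service amsint32 present, ImagePath={svc.get('ImagePath', '?')}"))
    for name, val in keys.get(FIREWALL_LIST.lower(), {}).items():
        # Heuristic: default Windows exceptions live under %windir%; anything else needs a look.
        if isinstance(val, str) and ":*:enabled:" in val.lower() and not name.lower().startswith("%windir%"):
            findings.append(("REVIEW", f"firewall exception for {name}"))
    return findings


# Constructed export: SafeBoot\Minimal deleted, policies set, driver service added,
# one non-system firewall exception. The driver name xyzabc.sys is a placeholder.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\xyzabc.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\bob\\Local Settings\\Temp\\winlogin.exe"="C:\\Documents and Settings\\bob\\Local Settings\\Temp\\winlogin.exe:*:Enabled:winlogin"
"""

if __name__ == "__main__":
    for severity, finding in triage(parse_reg(SAMPLE_EXPORT)):
        print(f"[{severity}] {finding}")
```

A SafeBoot key is reported when it has no subkeys at all, not only when the key itself is gone, because an export of an emptied key still lists the parent section; the amsint32 check is the most specific indicator here, while the firewall findings are only a list for an analyst to review.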