Sunday, May 10, 2009

The Sality virus was first discovered on June 4, 2003. It has keylogger and backdoor capabilities. It infects every *.exe (application) file it can reach and runs infected Windows programs in the background, such as moviemk.exe, alongside duplicated copies of Windows system files.
The virus also disables Task Manager and regedit, makes changes to Folder Options take no effect and, of course, slows the computer down. It spreads over network connections that have file sharing enabled and through removable media such as Zip disks, diskettes and (rarely) CDs.

When an infected Zip disk is plugged into a clean computer, the autorun.inf file on the disk starts the virus automatically. The virus then searches for and kills any running antivirus software, even one with an up-to-date virus definition database. With Norton AntiVirus you will get an error prompt from Auto-Protect (navapsvc.exe). That is fine: leave the prompt open and do not press any button, because if you do, the virus kills the Norton Auto-Protect service and takes control of the computer. Instead, immediately start a scan of the infected media. The antivirus will usually find one or more hidden files that it cannot delete, which means they have to be deleted manually: go to Folder Options --> View, select "Show hidden files and folders", uncheck "Hide protected operating system files", then go to the locations the antivirus reported and delete the files.

How to avoid it.
  1. Disable autorun for removable media. Holding the Shift key while inserting a CD-ROM or Zip disk stops autorun.inf from being processed for that insertion; to turn it off permanently, set the NoDriveTypeAutoRun policy in the registry.
  2. Change the Folder Options settings to show all hidden files, including protected Windows system files, and to show file extensions, so you can see whether a file has a double extension.
  3. Run antivirus software with an up-to-date database.
  4. Be very careful before running an unknown program.
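The prevention settings above can be applied through the registry instead of by hand, and the same script can show what a removable disk's autorun.inf would launch before the disk is opened, which is the check you want after reading the infection description above. The following PowerShell is an added example, not part of the original post. It assumes an elevated prompt, the standard registry locations for these settings (NoDriveTypeAutoRun under Policies\Explorer; Hidden, ShowSuperHidden and HideFileExt under Explorer\Advanced), and E: as the drive letter of the removable media; Show-AutorunInf is a helper name chosen here.

```powershell
# Added example, not from the original post. Applies the prevention settings
# through the registry and inspects a removable drive's autorun.inf.
# Run from an elevated PowerShell prompt. The folder-view values are per user
# and take effect after Explorer restarts or the user logs on again.

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$advanced       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# 1. Disable AutoRun for every drive type. NoDriveTypeAutoRun is a bit mask of
#    drive types to exclude; 0xFF excludes all of them, so autorun.inf is never
#    processed, whether or not Shift was held when the media was inserted.
if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# 2. Show hidden files (Hidden=1), protected operating system files
#    (ShowSuperHidden=1) and file extensions (HideFileExt=0), so a double
#    extension such as "photo.jpg.exe" is visible in Explorer.
Set-ItemProperty -Path $advanced -Name 'Hidden'          -Value 1 -Type DWord
Set-ItemProperty -Path $advanced -Name 'ShowSuperHidden' -Value 1 -Type DWord
Set-ItemProperty -Path $advanced -Name 'HideFileExt'     -Value 0 -Type DWord

# Read the values back so the change can be confirmed before rebooting.
Get-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun'
Get-ItemProperty -Path $advanced -Name 'Hidden', 'ShowSuperHidden', 'HideFileExt'

# Before opening a removable disk, show what its autorun.inf would launch.
# Only the launch-related directives are printed (open=, shellexecute= and
# shell\...\command= lines). An autorun.inf pointing at a program on the disk
# itself is how the virus starts from infected media, as described above.
function Show-AutorunInf {
    param([Parameter(Mandatory = $true)][string]$DriveLetter)   # e.g. 'E'
    $inf = Join-Path "$($DriveLetter):\" 'autorun.inf'
    if (-not (Test-Path $inf)) {
        "No autorun.inf on ${DriveLetter}:"
        return
    }
    # Hidden/system attributes set by the virus do not prevent reading the file.
    Get-Content -Path $inf |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=' }
}

Show-AutorunInf -DriveLetter 'E'   # assumed drive letter of the removable media
```

With AutoRun disabled by policy, the disk can be inspected safely; if Show-AutorunInf prints an open= or shellexecute= line naming a file on the disk, scan the disk before opening anything on it.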
How to disinfect.
  1. Uninstall any antivirus that Sality has already taken over.
  2. Because Task Manager and regedit are disabled, install Process Explorer. Look through the process list and kill any suspicious program and any non-critical Windows program.
  3. Reinstall your antivirus and update it with the latest virus database.
  4. Disable System Restore. The virus may be hiding in the restore points.
  5. Run a complete scan of the computer. If you get "access denied", or the antivirus is unable to repair or delete a file because the infected file is running, kill the process with Process Explorer.
  6. Restart after the complete scan finishes.
  7. Check your antivirus software. If it is still running, the virus has been destroyed; if not, go on to the next step.
  8. Take the hard disk out, put it in a clean computer with up-to-date antivirus software and scan it there. After the scan finishes, put the hard disk back in its original machine.
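For the steps of the procedure above that do not need the antivirus itself, here is an added PowerShell example (not from the original post) that re-enables Task Manager and regedit, gives a Process Explorer-style listing of running processes with their image paths, stops a named process that is blocking the scan, and disables System Restore. It assumes an elevated prompt and the standard policy locations for these settings (DisableTaskMgr and DisableRegistryTools under HKCU ...\Policies\System, DisableSR under HKLM ...\Windows NT\SystemRestore); the process name in $blockingProcess is a placeholder for whatever the scanner reports as running.

```powershell
# Added example, not from the original post. Scripted versions of the manual
# disinfection steps. Run from an elevated PowerShell prompt on the infected
# machine. It does not replace the antivirus scan; it restores the tools the
# virus disabled and helps decide which processes to kill.

$policySystem  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$systemRestore = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'

# Step 2: Task Manager and regedit are disabled through these two policy
# values. Removing them gives both tools back for the current user.
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    Remove-ItemProperty -Path $policySystem -Name $name -ErrorAction SilentlyContinue
}

# Step 2 (continued): a substitute for the Process Explorer view. List every
# process with its image path and sort those running from outside %SystemRoot%
# to the top. A Windows program such as moviemk.exe running in the background
# with no window, or a duplicate of a system program, is what to look for.
$systemRoot = $env:SystemRoot
Get-Process |
    Where-Object { $_.Path } |
    Select-Object Id, ProcessName, Path,
        @{ Name = 'OutsideSystemRoot'
           Expression = { -not $_.Path.StartsWith($systemRoot, 'OrdinalIgnoreCase') } } |
    Sort-Object OutsideSystemRoot -Descending |
    Format-Table -AutoSize

# Step 4: disable System Restore so an infected restore point cannot bring the
# virus back after cleaning. Set DisableSR back to 0 once the system is clean.
if (-not (Test-Path $systemRestore)) { New-Item -Path $systemRestore -Force | Out-Null }
Set-ItemProperty -Path $systemRestore -Name 'DisableSR' -Value 1 -Type DWord

# Step 5: when the scanner reports "access denied" on a running file, stop the
# process first and re-run the scan. The name below is a placeholder (assumed);
# use the process name the scanner actually reports.
$blockingProcess = 'moviemk'
Stop-Process -Name $blockingProcess -Force -ErrorAction SilentlyContinue
```

The image path is only a hint: Sality infects executables in place, so a process running from the Windows directory is not proof that it is clean, which is why the full scan in step 5 still has to run after the processes are stopped.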

