McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Create Account | Login  | What is TrustedSource?
 
Home  Threats and Trends  Malware Information
TrustedSource™ Query
Enter IP address, domain name or URL to check reputation/traffic patterns:
Search
 


Malware Information

Malware nameWin32.Sality.Y
TypeVirus
Affected platformWin32
Media-Typeapplication/executable
MD5 checksum9B1A5040C460C4C21E757C9859FA4540
Static fileno
Filesize172,543 Bytes
Alias names
(also known as)
SophosW32/Sality-AM
McAfeeW32/Sality.ag
CA ETrustWin32/Sality.AA
Side effects
  • Lowers security settings
  • Registry modification
Propagation
  • Local network
  • Mapped network drives

Description:

Registry

The value of the following registry key is removed:

– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]


It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List]
• "c:\\%filename%"="c:\\%filename%:*:Enabled:ipsec"
• "c:\windows\\system32\\ctfmon.exe"="c:\windows\\system32\\ctfmon.exe:*:Enabled:ipsec"



The following registry key is added:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
• "DisableTaskMgr"=dword:00000001
• "DisableRegistryTools"=dword:00000001



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Security Center]
Old value:
• "AntiVirusDisableNotify"=dword:00000000
• "FirewallDisableNotify"=dword:00000000
• "UpdatesDisableNotify"=dword:00000000
• "AntiVirusOverride"=dword:00000000
• "FirewallOverride"=dword:00000000
New value:
• "AntiVirusDisableNotify"=dword:00000001
• "FirewallDisableNotify"=dword:00000001
• "UpdatesDisableNotify"=dword:00000001
• "AntiVirusOverride"=dword:00000001
• "FirewallOverride"=dword:00000001
• "UacDisableNotify"=dword:00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Old value:
• "Hidden"=dword:00000001
New value:
• "Hidden"=dword:00000002
McAfee Homepage | Contact | Privacy Policy

Copyright © 2007-2009 McAfee, Inc. All Rights Reserved.

THE DATA IS FURNISHED, "AS IS" WITHOUT ANY WARRANTY OF ANY KIND, AND MCAFEE® HEREBY DISCLAIM ALL WARRANTIES, EXPRESS, IMPLIED OR STATUTORY INCLUDING, WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES AS TO NON-INFRINGEMENT, AND IN NO EVENT SHALL MCAFEE® BE LIABLE FOR COSTS OF PROCURING SUBSTITUTE GOODS. IN NO EVENT WILL MCAFEE® BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR OTHER DAMAGES WHETHER OR NOT MCAFEE® HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.