
W32/Sality.Gen Infection


7 replies to this topic

#1 tshilling

  • Members
  • 5 posts

Posted 01 April 2009 - 11:25 AM

Good morning. Last night I was called to a client's location to work on a machine that was running very sluggish. Single machine running XP Home w/SP2. The first thing I discovered was that Task Manager, Regedit and so on were blocked. Tried booting to safe mode but that failed as well. So I broke out my trusty flash drive where I keep all of my 'tools' and began the cleanup process - the same process I've used countless times. Only this time it didn't work.

I first ran Sysinternals RootkitRevealer which identified 611 discrepancies. Next I ran ATF Cleaner, followed by the latest version of ComboFix. Finally I ran Malwarebytes and SuperAntiSpyware to clean up anything that remained. This did seem to help the overall performance, but the underlying problem remains. Only upon returning to the office this morning and plugging my flash into a test box did I discover that my flash was now infected with a W32/Sality.Gen worm/virus. I've spent most of the morning trying to find a way to clean this out but have had little luck so far. Does anyone know of a solid removal method? Any help would be appreciated. Thanks.

Troy


#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,939 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 01 April 2009 - 01:48 PM

Sality is a family of file infecting viruses that spread by infecting exe and scr files. The virus also includes an autorun worm component that allows it to spread to any removable or discoverable drive. In addition, Sality includes a downloader trojan component that installs additional malware via the Web.

About Sality Virus
Win32/Sality Family

If the computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before co

There is no guarantee the infection can be completely removed. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read: Should you decide not to follow that advice, you can try the AVG Win32/Sality Remover. It was last updated in June 2007 and is not always effective for the reasons I indicated above. Follow the instructions exactly as specified and pay close attention to the instructions including the note on administrator rights. alternate download

Since this infection is often spread via USB Flash drives, I recommend you also do the following:

Please download Flash_Disinfector by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run the tool and follow any prompts that may appear.
  • If asked to insert your USB flash drive and other removable drives, please do so and allow the utility to clean up them as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 tshilling
  • Topic Starter

  • Members
  • 5 posts

Posted 01 April 2009 - 02:17 PM

Thanks for the info Quietman. Not exactly the news I was hoping for, but it is what it is. I'll give your suggestions a try and see how it goes. Thanks again.

Troy

#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,939 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 01 April 2009 - 02:29 PM

Not a problem.

You can also try a tool by Trend Micro.

Please download Sysclean Package and the latest Virus Pattern Files - (Pattern files are usually named lptxxx.zip, where xxx is the pattern file number) and save them to your desktop.
  • Be sure to print out and follow the instructions provided in the How to Use System Cleaner for performing a scan.
  • If you get a message that "required files are missing", click Ok and wait for sysclean.com to unpack them.
  • This tool generates a log file (sysclean.log) in the same folder where you ran it - C:\Sysclean.
-- When using Sysclean it's best to use the Administrator's account or an account with Administrative rights; otherwise you will not have access rights to scan some locations. You can use the "Run As" Command to Start a Program as an Administrator. Even when doing that, the scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system.

-- Some anti-virus programs will alert you of a virus attack when running sysclean so it's best to disable them before performing a scan.


Good luck.

Edited by quietman7, 01 April 2009 - 02:30 PM.


#5 tshilling
  • Topic Starter

  • Members
  • 5 posts

Posted 01 April 2009 - 03:12 PM

Cool, thanks. I'm trying the TrendMicro solution on a different machine right now to see how well it works.
I appreciate all of your help. I'll let you know later in the week how things went.

Troy

#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,939 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 01 April 2009 - 05:00 PM

Ok.

#7 tshilling
  • Topic Starter

  • Members
  • 5 posts

Posted 13 April 2009 - 11:28 AM

Unfortunately none of the tools worked. Evidently the machine was too far gone by the time I started working on it. I finally had to scrub the hard drive and reload. Thanks anyway for your assistance.

On another note, we're seeing some new malware variations on our customers' machines. So far we've recently run across System Security 2009, Malware Defender, Spyware Protect 2009 and Generic RootKit.w. I may be looking for some assistance on removing them if our current methods don't work. Thanks.

Troy

#8 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,939 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 April 2009 - 11:57 AM

Sometimes a reformat is the best solution. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Starting over by wiping your drive, reformatting, and performing a clean install of the OS removes everything and is the safest action.

Tips to protect yourself against malware and reduce the potential for re-infection: Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read: Many security experts recommend disabling this feature as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun
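The two preventive measures in this thread, the placeholder autorun.inf folder that Flash_Disinfector creates (post #2) and disabling Autorun per Microsoft Security Advisory 967940 (post #8), can be audited from a defender's side with the following script. It is an added example, not code from the thread, from sUBs or from Trend Micro; it assumes a current Windows PowerShell running elevated, and that the policy value NoDriveTypeAutoRun set to 0xFF is the "disable for all drive types" setting the advisory describes.

```powershell
# Added example (not from the thread or from Flash_Disinfector): audit the Autorun policy and
# inspect each removable drive for autorun.inf, the spreading mechanism described for Sality.
# Assumes Windows PowerShell 5.1+; run elevated so HKLM is readable and -Protect can create folders.
param([switch]$Protect)   # -Protect creates the hidden placeholder autorun.inf folder where none exists

# Advisory 967940: NoDriveTypeAutoRun = 0xFF disables Autorun for every drive type.
function Get-AutorunPolicy {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{ Hive = $hive; NoDriveTypeAutoRun = $val; AllDisabled = ($val -eq 0xFF) }
    }
}

# autorun.inf directives that cause a program to run when the drive is inserted or opened.
$execDirectives = '^(open|shellexecute|shell\\[^\\=]+\\command)\s*='

function Test-RemovableAutorun {
    # Win32_LogicalDisk DriveType 2 = removable disk (USB flash drives and the like)
    foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
        $path = Join-Path $d.DeviceID 'autorun.inf'
        if (-not (Test-Path -LiteralPath $path)) {
            $state = 'absent'; $hits = @()
        } elseif (Test-Path -LiteralPath $path -PathType Container) {
            # A folder with this name blocks malware from writing an autorun.inf file there.
            $state = 'placeholder folder (protected)'; $hits = @()
        } else {
            $state = 'FILE PRESENT - review'
            $hits = @(Select-String -LiteralPath $path -Pattern $execDirectives | ForEach-Object Line)
        }
        if ($Protect -and $state -eq 'absent') {
            $dir = New-Item -ItemType Directory -Path $path -Force
            $dir.Attributes = 'Hidden, System, ReadOnly'
            $state = 'placeholder folder created'
        }
        [pscustomobject]@{ Drive = $d.DeviceID; AutorunInf = $state; ExecDirectives = ($hits -join '; ') }
    }
}

Get-AutorunPolicy | Format-Table -AutoSize
Test-RemovableAutorun | Format-Table -AutoSize
```

A drive reporting "FILE PRESENT" with any open=, shellexecute= or shell\...\command= line listed is the condition this thread warns about and should be examined on a clean machine before the drive is opened.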
