
Win32/Sality


  • This topic is locked
3 replies to this topic

#1 wsbssnj

  • Members
  • 6 posts

Posted 07 October 2010 - 01:40 PM

Hi everyone,

We have a network where most of the nodes have been infected by the Win32/Sality virus. The first computer to be infected was a Windows Server 2003 file server. There are many infected machines which seem to have been infected to various degrees, but first and foremost we want to focus on the file server. We can't run Microsoft Forefront (which appears to have failed us already) or any other program for that matter because of the way this virus corrupts executable files. So we can't install or run any other anti-malware programs. Booting into safe mode would be the obvious next step, but we can't do that either (I personally haven't tried because this server and its admin are in India, but I was told safe mode doesn't work). Does anyone have any idea how we should remove this virus?

Thanks,
wsbssnj

#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 07 October 2010 - 04:00 PM

Good evening. :)

Sality is what is technically known as a polymorphic file infector - or Fred to its friends. The polymorphic part means that the code morphs during the infection process in an attempt to adopt a form that scanners haven't identified as malicious and hence will be left alone by said scanners. The infector part is pretty much what it says: it targets Windows executable files with extensions .SCR or .EXE.

The problem that you have in dealing with it is in identifying every infected file and removing it before they can infect further files while at the same time hoping that the PC will maintain the integrity of enough system files to keep itself alive, which isn't really a sensible way to spend your evening.

Basically, you have a number of expensive paperweights that should be isolated to keep the infection from spreading any further and then reformatted and the various OS's reinstalled. No files with either the .exe or .scr extension can be backed-up due to the potential for reinfection of your machines once you put them back.

If you try to remove the slime and miss just one file, you get the infection back again and in a networked environment you just multiply the issue. Sorry that it's not better news, but that's just how it is.

So long, and thanks for all the fish.
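The advice above (isolate, rebuild, and never carry .exe or .scr files from an infected share into the backup set) is the kind of thing worth enforcing with a script rather than by eye. The following is an added example, not code from this thread or from BleepingComputer: it walks a share and splits files into "back up" and "exclude", excluding anything with a .exe/.scr extension and, going one step beyond the thread, anything whose first bytes are the "MZ" executable header, so a renamed executable does not slip through. The sample directory it builds is constructed for demonstration.

```python
import os
import tempfile
from pathlib import Path

# Extensions the thread names as Sality's targets (matched case-insensitively).
INFECTABLE_EXTENSIONS = {".exe", ".scr"}

def looks_like_pe(path: Path) -> bool:
    """True if the file starts with the 'MZ' DOS/PE header.
    Catches executables that were renamed to hide their extension."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def triage_backup_tree(root):
    """Walk a directory tree and return (keep, exclude): files safe to back
    up versus Windows executables (by extension or by header) to leave behind."""
    root = Path(root)
    keep, exclude = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            if p.suffix.lower() in INFECTABLE_EXTENSIONS or looks_like_pe(p):
                exclude.append(rel)
            else:
                keep.append(rel)
    return sorted(keep), sorted(exclude)

def build_sample_tree():
    """Constructed sample share for demonstration only (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "docs").mkdir()
    (root / "docs" / "budget.xlsx").write_bytes(b"PK\x03\x04 fake spreadsheet")
    (root / "docs" / "notes.txt").write_text("meeting notes")
    (root / "setup.EXE").write_bytes(b"MZ\x90\x00 fake installer")
    (root / "saver.scr").write_bytes(b"MZ fake screensaver")
    # An executable renamed to look like a document: caught by the MZ check.
    (root / "report.doc").write_bytes(b"MZ renamed executable")
    return root

if __name__ == "__main__":
    sample = build_sample_tree()
    keep, exclude = triage_backup_tree(sample)
    print("back up :", keep)
    print("exclude :", exclude)
```

The exclude list is what you would feed to the backup tool's exclusion filter before copying anything off the rebuilt machines.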

#3 wsbssnj

  • Topic Starter
  • Members
  • 6 posts

Posted 08 October 2010 - 12:21 PM

Yeah, that's what I figured actually. Thank you very much for your help.

#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 08 October 2010 - 02:50 PM

No worries. As this issue appears to have been resolved, or sort of anyway, this thread is now closed.

So long, and thanks for all the fish.
