Re: removing Win32.sality.aa
Method of Infection
When executed, Win32/Sality.AA drops a malicious component file to:
%System%\drivers\<random filename>.sys
This component is a device driver that acts as a 'rootkit' at kernel level; it allows the virus to hide itself in the compromised system by changing data structures in the kernel and hiding its malicious activity. This 'rootkit' method only functions on Windows NT-based operating systems, such as NT/2000/XP/2003.
Sality.AA also adds the following registry entry as a part of the device driver installation routine:
HKLM\SYSTEM\CurrentControlSet\Services\abp470n5
It adds the following text to the "system.ini" file located in the %Windows% directory:
[MCIDRV_VER]
DEVICEMB=<random number>
It also adds the following registry key with numerous random subkeys and entries needed for its malicious routine:
HKCU\Software\<computer name><3 random numbers>
For example:
HKCU\Software\JohnSmith498
Note: %System% and %Windows% are variable locations. The malware determines the location of these folders by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME is C:\Windows\System; and for XP is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME is C:\Windows; and for XP and Vista is C:\Windows.
Removal Instructions:
Download and apply the latest eTrust Antivirus signature file update. Launch the eTrust Antivirus - Local Scanner and run a full scan on all affected computer systems, with the "Infection Treatment File Actions" set to "Cure File" and enable the System Cure feature.
Consult the product help and/or visit SupportConnect for additional assistance with operating these features of eTrust Antivirus 6.x/v7.
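An added triage helper, not part of the post above or of CA's advisory, that checks offline exports of a host for the indicators the post lists: the `[MCIDRV_VER]` / `DEVICEMB` marker in system.ini, an `HKCU\Software\<computer name><3 digits>` key, and the `abp470n5` service key. The sample system.ini text, subkey list and service paths below are constructed for the demonstration; the computer name `JohnSmith` is taken from the post's own example. The random `.sys` name under `%System%\drivers` cannot be matched by name, so it is not checked here.

```python
import re

# Indicators named in the post (values from the page, not constructed)
SERVICE_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\abp470n5"
INI_SECTION = "MCIDRV_VER"
INI_VALUE = "DEVICEMB"

# Constructed sample system.ini export: ordinary entries plus the marker the post describes
SAMPLE_SYSTEM_INI = """[drivers]
wave=mmdrv.dll
timer=timer.drv
[MCIDRV_VER]
DEVICEMB=8214305
"""

# Constructed list of HKCU\Software subkey names exported from a host named JohnSmith
SAMPLE_HKCU_SOFTWARE = ["Microsoft", "Policies", "JohnSmith498", "JohnSmith", "JohnSmith4988"]

# Constructed list of service key paths taken from a registry export
SAMPLE_SERVICE_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Services\Beep",
    r"HKLM\SYSTEM\CurrentControlSet\Services\abp470n5",
]


def parse_ini_sections(text):
    """Minimal INI parser: returns {section: {key: value}}; keys keep their original case."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def find_system_ini_indicator(ini_text):
    """Return the DEVICEMB value if the [MCIDRV_VER] section from the post is present, else None."""
    for name, values in parse_ini_sections(ini_text).items():
        if name.upper() != INI_SECTION:
            continue
        for key, value in values.items():
            if key.upper() == INI_VALUE:
                return value
    return None


def find_suspicious_hkcu_keys(subkey_names, computer_name):
    """Return HKCU\\Software subkey names of the form <computer name><exactly 3 digits>."""
    pattern = re.compile(r"^" + re.escape(computer_name) + r"\d{3}$", re.IGNORECASE)
    return [name for name in subkey_names if pattern.match(name)]


def find_service_key(registry_key_paths):
    """True if the abp470n5 service key appears in the exported key paths (case-insensitive)."""
    return any(path.lower() == SERVICE_KEY.lower() for path in registry_key_paths)


def triage(ini_text, hkcu_software_subkeys, computer_name, registry_key_paths):
    """Collect every matched indicator as a human-readable finding string."""
    findings = []
    devicemb = find_system_ini_indicator(ini_text)
    if devicemb is not None:
        findings.append(f"system.ini [{INI_SECTION}] {INI_VALUE}={devicemb}")
    for key in find_suspicious_hkcu_keys(hkcu_software_subkeys, computer_name):
        findings.append(f"HKCU\\Software\\{key}")
    if find_service_key(registry_key_paths):
        findings.append(SERVICE_KEY)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SYSTEM_INI, SAMPLE_HKCU_SOFTWARE, "JohnSmith", SAMPLE_SERVICE_KEYS):
        print("indicator found:", finding)
```

Because the rootkit driver hides its presence from the live system, these checks are meant to run against data exported from an offline copy of the disk or registry hives, not against the running machine; a match on any one indicator is a reason to proceed with the scan-and-cure steps above.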
Re: removing Win32.sality.aa
Disinfecting PE executables
On a lightly infected computer running Windows NT/2000/XP/2003, where no significant services have become infected, it may be possible to run SAV32CLI from a command prompt with the -DI switch.
First, check the recovery instructions in the virus analysis for any extra measures you should take before (and after) disinfecting. Also, check to see if you need an IDE file. If you do, download it and save it to a floppy disk.
Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder on a medium that can be write-protected. Copy the SAV32CLI folder produced onto a medium that can be write-protected.
For more information go to this link.