Avast WEBforum
Other => General Topics => Topic started by: Left123 on October 23, 2010, 08:27:45 PM
-
I was reading an article about a new version of Sality; the part that "blew my mind" was when I saw that the new Sality adds the driver to the registry branch System\CurrentControlSet\Control\SafeBoot, which allows the driver to boot in safe mode. Safe mode won't work... I mean it's completely useless to try to remove the virus in safe mode (correct me if I am wrong).
also:
Below is a screenshot of the unpacked DLL. It contains lines which demonstrate the virus’ capability to resist security software: “avast! Self Protection”, “NOD32krn”, “Avira AntiVir Premium”, “DRWEBSCD” etc. Sality uses one of the simplest ways to shut off an antivirus: it attempts to close all windows and terminate all processes with names associated with security products.
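The SafeBoot trick described above is easy to audit from the defender's side. The following PowerShell script is an added example (not code from this thread or from the Securelist article): it walks every entry under SafeBoot\Minimal and SafeBoot\Network, resolves the backing service image or driver file, and flags entries whose file is missing or does not carry a valid Authenticode signature. The function names Resolve-ImagePath and Get-SafeBootEntries are my own, and the signature-based flag is a heuristic assumption, so the output should be compared against a known-clean machine of the same Windows build rather than trusted on its own.

```powershell
# Added example: audit the SafeBoot registry branch that the Sality write-up says
# the virus adds itself to, so that its driver keeps loading in safe mode.
# Run from an elevated PowerShell prompt. Signature checking is a heuristic:
# on older Windows versions Get-AuthenticodeSignature does not consult driver
# catalogs, so catalog-signed OS drivers may show as NotSigned there.

$safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ImagePath {
    # Turn a raw service ImagePath value into an absolute file path.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($p.StartsWith('"')) {
        # "C:\path\svc.exe" -k args  ->  C:\path\svc.exe
        $p = $p.Substring(1, $p.IndexOf('"', 1) - 1)
    } elseif ($p -match '^(.*?\.(sys|exe|dll))(\s|$)') {
        # C:\path\svc.exe -k args  ->  C:\path\svc.exe
        $p = $Matches[1]
    }
    if ($p -match '^\\\?\?\\(.+)$')       { $p = $Matches[1] }                           # \??\C:\...
    if ($p -match '^\\SystemRoot\\(.+)$') { $p = Join-Path $env:SystemRoot $Matches[1] } # \SystemRoot\...
    elseif (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }      # system32\drivers\x.sys
    return $p
}

function Get-SafeBootEntries {
    # One record per SafeBoot entry. Service/Driver entries whose backing file is
    # absent or not validly signed are marked Suspicious. Note that a service
    # hosted by svchost resolves to svchost.exe; the hosted DLL is not checked here.
    foreach ($mode in 'Minimal', 'Network') {
        $modeKey = Join-Path $safeBootRoot $mode
        if (-not (Test-Path $modeKey)) { continue }
        foreach ($entry in Get-ChildItem -Path $modeKey) {
            $name = $entry.PSChildName
            $type = [string]$entry.GetValue('')   # default value: Service, Driver, Driver Group, ...
            $path = $null
            switch ($type) {
                'Service' {
                    # Service entries are named after the service; look up its ImagePath.
                    $svc  = Get-ItemProperty -LiteralPath (Join-Path $servicesRoot $name) -ErrorAction SilentlyContinue
                    $path = Resolve-ImagePath $svc.ImagePath
                }
                'Driver' {
                    # Driver entries are named after the driver file in System32\drivers.
                    $path = Join-Path $env:SystemRoot "System32\drivers\$name"
                }
            }
            $exists = [bool]($path -and (Test-Path -LiteralPath $path))
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status.ToString() } else { 'n/a' }
            [pscustomobject]@{
                Mode       = $mode
                Entry      = $name
                Type       = $type
                ImagePath  = $path
                Exists     = $exists
                Signature  = $sig
                Suspicious = (@('Service', 'Driver') -contains $type) -and (-not $exists -or $sig -ne 'Valid')
            }
        }
    }
}

Get-SafeBootEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Anything marked Suspicious that also does not appear on a clean reference machine is worth pulling the file for analysis; the script only reads the registry and file signatures, it changes nothing.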
-
First, thanks for this helpful info. Second, can you post the original topic it came from? The jpg picture is in bad quality and I can't see any character, so a better image would be better.
And the other Sality, I think, disabled safe boot; this new one is a bad boy ;)
But I think every bad step will make good steps, so don't worry, it just complicates.
-
http://www.securelist.com/en/blog/180/A_new_version_of_Sality_at_large
-
http://www.securelist.com/en/blog/180/A_new_version_of_Sality_at_large
Posted March 31, 11:29 GMT ;)
-
Makes me wonder if Win32:FileInfector [Heur] behavior detection can catch these...
-
http://www.securelist.com/en/blog/180/A_new_version_of_Sality_at_large
Posted March 31, 11:29 GMT ;)
even though it's the latest version..
-
http://www.securelist.com/en/blog/180/A_new_version_of_Sality_at_large
Posted March 31, 11:29 GMT ;)
even though it's the latest version..
Even so, it can hardly be called new when it dates back to March 2010. I strongly doubt that, given its age, it is the latest/new variant of Sality, as it is likely to be constantly modified to try and combat AV developments. They are hardly likely to have left it dormant for over 7 months.
-
Well ok, it's not new, it's a little "updated" ;D
-
Makes me wonder if Win32:FileInfector [Heur] behavior detection can catch these...
FileInfector [Heur] detects quite a few Sality samples.. Based on the observation that there are not many undetected samples, I believe the new variant is also detected...