Avast WEBforum

Other => General Topics => Topic started by: Left123 on October 23, 2010, 08:27:45 PM

Title: A new version of Sality
Post by: Left123 on October 23, 2010, 08:27:45 PM
I was reading an article about a new version of Sality. The part that "blew my mind" was that the new Sality adds the driver to the registry branch System\CurrentControlSet\Control\SafeBoot, which allows the driver to boot in safe mode. Safe mode won't work... I mean it's completely useless to try to remove the virus in safe mode (correct me if I am wrong)
also:
Below is a screenshot of the unpacked DLL. It contains lines which demonstrate the virus’ capability to resist security software: “avast! Self Protection”, “NOD32krn”, “Avira AntiVir Premium”, “DRWEBSCD” etc. Sality uses one of the simplest ways to shut off an antivirus: it attempts to close all windows and terminate all processes with names associated with security products.
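A defender-side check of the SafeBoot branch mentioned above, added here as an example; it is not from the thread or from the article it links to. It assumes a Windows host and an elevated PowerShell prompt, and the status labels, the Resolve-ImagePath and Get-BinaryStatus helpers are this example's own naming.

```powershell
# Added example, not from the thread or the linked article. Read-only audit of the
# SafeBoot branch: everything listed under SafeBoot\Minimal and SafeBoot\Network
# is permitted to start in Safe Mode, so a driver or service added there by
# malware survives a Safe Mode boot. Each entry is resolved to its service key
# and binary, and anything that cannot be resolved, lives outside the Windows
# directory, or carries no valid Authenticode signature is reported for review.
# Requires an elevated PowerShell prompt on Windows. Nothing is modified.

$safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$windir       = $env:SystemRoot

function Resolve-ImagePath {
    # Normalise the shapes an ImagePath value can take into a file system path:
    #   \SystemRoot\System32\drivers\x.sys   system32\drivers\x.sys
    #   \??\C:\dir\x.sys                     "C:\Program Files\v\x.exe" -arg
    # (an unquoted path containing spaces is truncated at the first space)
    param([string]$ImagePath)
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { $p = $p.Split('"')[1] } else { $p = ($p -split '\s+')[0] }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $windir
    if ($p -match '^(system32|syswow64)\\') { $p = Join-Path $windir $p }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-BinaryStatus {
    # Status labels are this example's own; 'ok' means present, under the
    # Windows directory and carrying a valid Authenticode signature.
    param([string]$File)
    if (-not (Test-Path -LiteralPath $File)) { return 'binary-missing' }
    if (-not $File.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)) { return 'outside-windir' }
    $sig = Get-AuthenticodeSignature -FilePath $File
    if ($sig.Status -eq 'Valid') { return 'ok' }
    return "signature:$($sig.Status)"
}

$findings = foreach ($mode in 'Minimal', 'Network') {
    $modeKey = Join-Path $safeBootRoot $mode
    if (-not (Test-Path $modeKey)) { continue }
    foreach ($entry in Get-ChildItem -Path $modeKey) {
        $name = $entry.PSChildName
        # The key's default value says what kind of entry this is: 'Driver',
        # 'Service', 'Driver Group', or a device-class description for {GUID} keys.
        $kind  = (Get-ItemProperty -Path $entry.PSPath).'(default)'
        $image = $null
        if ($name -match '^\{[0-9a-fA-F-]{36}\}$') {
            $status = 'device-class'
        } elseif ($kind -eq 'Driver Group') {
            $status = 'driver-group'
        } else {
            # Entries named like 'vga.sys' refer to the driver file directly;
            # everything else should have a matching service key.
            $svcKey = Join-Path $servicesRoot $name
            if (Test-Path $svcKey) {
                $image  = (Get-ItemProperty -Path $svcKey).ImagePath
                $status = if ($image) { Get-BinaryStatus (Resolve-ImagePath $image) } else { 'no-imagepath' }
            } elseif ($name -like '*.sys') {
                $image  = Join-Path $windir "System32\drivers\$name"
                $status = Get-BinaryStatus $image
            } else {
                $status = 'no-service-key'
            }
        }
        [pscustomobject]@{ Mode = $mode; Entry = $name; Kind = $kind; ImagePath = $image; Status = $status }
    }
}

# Everything that is not 'ok', a device class or a driver group deserves a look.
$findings | Where-Object { $_.Status -notin 'ok', 'device-class', 'driver-group' } |
    Sort-Object Mode, Entry | Format-Table -AutoSize
```

Flagged rows are review items, not verdicts: security products legitimately register their own drivers under SafeBoot and may install outside the Windows directory, and drivers that are catalog-signed rather than embedded-signed can show up as NotSigned on older Windows versions. The useful comparison is against the same listing taken from a clean machine of the same Windows build, so that the entries a piece of malware added stand out as the difference.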
Title: Re: A new version of Sality
Post by: superhacker on October 23, 2010, 09:28:23 PM
First, thanks for this helpful info; second, can you post the original topic where it's from, since the JPG picture is in bad quality and I can't see any character, so a better image would be better.
And the other Sality, I think, disables safe boot; this new one is a bad boy ;)
But I think every bad step will make a good step, so don't worry, it just complicates things.
Title: Re: A new version of Sality
Post by: Left123 on October 23, 2010, 09:42:41 PM
http://www.securelist.com/en/blog/180/A_new_version_of_Sality_at_large
Title: Re: A new version of Sality
Post by: YoKenny on October 24, 2010, 02:43:44 AM
http://www.securelist.com/en/blog/180/A_new_version_of_Sality_at_large
Posted March 31, 11:29  GMT ;)
Title: Re: A new version of Sality
Post by: RejZoR on October 24, 2010, 04:11:30 AM
Makes me wonder if Win32:FileInfector [Heur] behavior detection can catch these...
Title: Re: A new version of Sality
Post by: Left123 on October 24, 2010, 11:20:59 AM
http://www.securelist.com/en/blog/180/A_new_version_of_Sality_at_large
Posted March 31, 11:29  GMT ;)


Even though it's the latest version..
Title: Re: A new version of Sality
Post by: DavidR on October 24, 2010, 05:06:53 PM
http://www.securelist.com/en/blog/180/A_new_version_of_Sality_at_large
Posted March 31, 11:29  GMT ;)


Even though it's the latest version..

Even so, it can hardly be called new when it dates back to March 2010. I strongly doubt that, given its age, it is the latest/new variant of Sality, as it is likely to be constantly modified to try and combat AV developments. They are hardly likely to have left it dormant for over 7 months.
Title: Re: A new version of Sality
Post by: Left123 on October 24, 2010, 06:13:09 PM
Well ok, it's not new, it's a little "updated" ;D
Title: Re: A new version of Sality
Post by: Maxx_original on October 24, 2010, 11:03:11 PM
Makes me wonder if Win32:FileInfector [Heur] behavior detection can catch these...

FileInfector [Heur] detects quite a few Sality samples.. Based on the observation that there are not many undetected samples, I believe the new variant is detected too...