Author Topic: Win32:Sality  (Read 20147 times)


Smintar

  • Guest
Win32:Sality
« on: June 12, 2008, 01:08:19 AM »
No way can I repair this. It downloads onto my desktop; when I check the folder it only checks the exe, and then once it is downloaded I cannot run the program without avast picking up the exe file.

What am I supposed to do?

sckyle2

  • Guest
Re: Win32:Sality
« Reply #1 on: June 12, 2008, 02:58:56 AM »
I just got a warning on this too, in a program I've been running for months that doesn't run via the net. I see that it's an old virus from 2003 (if I'm reading the Knowledge Base correctly). Is this a false positive? If so what do I do?
 ???

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Win32:Sality
« Reply #2 on: June 12, 2008, 10:07:40 AM »
pause the standard shield and send the files to www.virustotal.com analysis... post the scan results here and we'll see ;)

Smintar

  • Guest
Re: Win32:Sality
« Reply #3 on: June 12, 2008, 06:25:41 PM »
> No way can I repair this. It downloads onto my desktop; when I check the folder it only checks the exe, and then once it is downloaded I cannot run the program without avast picking up the exe file.
>
> What am I supposed to do?

OK, after I copied the files there, there was no indication of an issue; however, I still get the virus detected when uploading the patch to my files. Also, since this happened I am unable to open my e-mail unless I turn it off, and I am very reluctant to do so.


The server responded with an error. Account: 'incoming.verizon.net', Server: 'incoming.verizon.net', Protocol: POP3, Server Response: '-ERR concurrent connections limit in avast exceeded(pass:20, processes:avp.exe[19], msimn.exe[1]), there is a collision with another program', Port: 110, Secure(SSL): No, Server Error: 0x800CCC90, Error Number: 0x800CCC90

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Re: Win32:Sality
« Reply #4 on: June 12, 2008, 06:36:24 PM »
What is avp.exe, and why would it require a mail connection?

My googling returns that it is part of Kaspersky Internet Security?
So do you still have this on your system, as it would appear that it is still checking your email, hence the "there is a collision with another program" part of the error message?

If so, having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.

Either that or this is malware (trojan on your system), http://www.liutilities.com/products/wintaskspro/processlibrary/avp/.

You could also check the offending/suspect file avp.exe at: VirusTotal - Multi engine on-line virus scanner and report the findings here.
« Last Edit: June 12, 2008, 06:38:41 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Smintar

  • Guest
Re: Win32:Sality
« Reply #5 on: June 12, 2008, 07:50:49 PM »
OK, I took care of the avp (removed it), but I still get the Win32:Sality detection when trying to execute patch programs from the internet, and I am not able to patch programs due to this.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Re: Win32:Sality
« Reply #6 on: June 12, 2008, 08:32:19 PM »
My response was only related to the problem you experienced with your email.

You don't say if removing avp.exe resolved that problem with the email?
Probably more importantly, you didn't answer the question about whether you have K.I.S.?
If you don't have K.I.S., did you upload it to VirusTotal, and if so what were the results?

We ask questions to gather information to be able to help; if you don't answer them we are working in the dark.

Maxx suggested you pause the Standard Shield and upload the file to VT and post the results. Did you do that?

What is the infected/suspect file name that keeps getting detected, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section; this contains information on all avast detections.

Smintar

  • Guest
Re: Win32:Sality
« Reply #7 on: June 12, 2008, 09:39:26 PM »
> My response was only related to the problem you experienced with your email.
>
> You don't say if removing avp.exe resolved that problem with the email ?

(yes it did)

> Probably more importantly you didn't answer the question about if you have K.I.S. ?

(I did but removed it)

> If you don't have K.I.S. did you upload it to virus total and if so what were the results ?



Antivirus     Version     Last Update     Result
AhnLab-V3   2008.6.13.0   2008.06.12   -
AntiVir   7.8.0.55   2008.06.12   -
Authentium   5.1.0.4   2008.06.12   -
Avast   4.8.1195.0   2008.06.12   -
AVG   7.5.0.516   2008.06.12   -
BitDefender   7.2   2008.06.12   -
CAT-QuickHeal   9.50   2008.06.12   -
ClamAV   0.92.1   2008.06.12   -
DrWeb   4.44.0.09170   2008.06.12   -
eSafe   7.0.15.0   2008.06.12   suspicious Trojan/Worm
eTrust-Vet   31.6.5868   2008.06.12   -
Ewido   4.0   2008.06.12   -
F-Prot   4.4.4.56   2008.06.12   -
F-Secure   6.70.13260.0   2008.06.12   -
Fortinet   3.14.0.0   2008.06.12   -
GData   2.0.7306.1023   2008.06.12   -
Ikarus   T3.1.1.26.0   2008.06.12   -
Kaspersky   7.0.0.125   2008.06.12   -
McAfee   5316   2008.06.12   -
Microsoft   1.3604   2008.06.12   -
NOD32v2   3181   2008.06.12   -
Norman   5.80.02   2008.06.12   -
Panda   9.0.0.4   2008.06.12   -
Prevx1   V2   2008.06.12   Suspicious
Rising   20.48.32.00   2008.06.12   -
Sophos   4.30.0   2008.06.12   -
Sunbelt   3.0.1145.1   2008.06.05   -
Symantec   10   2008.06.12   -
TheHacker   6.2.92.345   2008.06.12   -
VBA32   3.12.6.7   2008.06.12   -
VirusBuster   4.3.26:9   2008.06.12   -
Webwasher-Gateway   6.6.2   2008.06.12   -
Additional information
File size: 4829224 bytes
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4231f0
timedatestamp.....: 0x41c2a075 (Fri Dec 17 09:01:41 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x15000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x16000 0xe000 0xd400 7.91 ae6e6f43eb688fe8fc281c27b200b08a
.rsrc 0x24000 0x3000 0x2c00 4.64 aa698e5be9250c741d7ff4bc7bb688ac

( 8 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
> ADVAPI32.dll: RegCloseKey
> COMCTL32.dll: -
> GDI32.dll: BitBlt
> ole32.dll: CoGetMalloc
> SHELL32.dll: SHGetMalloc
> USER32.dll: IsIconic
> VERSION.dll: VerFindFileA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=3BDC6F3128591950B028494E5CAEED008C38D6EC
packers (Kaspersky): UPX
packers (F-Prot): UPX
> We ask questions to gather information to be able to help, if you don't answer them we are working in the dark.
>
> Maxx suggested you pause the Standard Shield and upload the file to VT and post the results, did you do that ?
>
> What is the infected/suspect file name that keeps getting detected, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
>
> Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

OK, this is the log from avast:

AhnLab-V3   2008.6.13.0   2008.06.12   -
AntiVir   7.8.0.55   2008.06.12   -
Authentium   5.1.0.4   2008.06.12   -
Avast   4.8.1195.0   2008.06.12   -
AVG   7.5.0.516   2008.06.12   -
BitDefender   7.2   2008.06.12   -
CAT-QuickHeal   9.50   2008.06.12   -
ClamAV   0.92.1   2008.06.12   -
DrWeb   4.44.0.09170   2008.06.12   -
eSafe   7.0.15.0   2008.06.12   -
eTrust-Vet   31.6.5868   2008.06.12   -
Ewido   4.0   2008.06.12   -
F-Prot   4.4.4.56   2008.06.12   -
F-Secure   6.70.13260.0   2008.06.12   -
Fortinet   3.14.0.0   2008.06.12   -
GData   2.0.7306.1023   2008.06.12   -
Ikarus   T3.1.1.26.0   2008.06.12   -
Kaspersky   7.0.0.125   2008.06.12   -
McAfee   5316   2008.06.12   -
Microsoft   1.3604   2008.06.12   -
NOD32v2   3181   2008.06.12   -
Norman   5.80.02   2008.06.12   -
Panda   9.0.0.4   2008.06.12   -
Prevx1   V2   2008.06.12   -
Rising   20.48.32.00   2008.06.12   -
Sophos   4.30.0   2008.06.12   -
Sunbelt   3.0.1145.1   2008.06.05   -
Symantec   10   2008.06.12   -
TheHacker   6.2.92.345   2008.06.12   -
VBA32   3.12.6.7   2008.06.12   -
VirusBuster   4.3.26:9   2008.06.12   -
Webwasher-Gateway   6.6.2   2008.06.12   -
Additional information
File size: 164 bytes
PEiD..: -
PEInfo: -

I hope that this helps

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Win32:Sality
« Reply #8 on: June 12, 2008, 09:45:01 PM »
the virustotal analysis looks clean... can you post here last few lines of your warning.log file? you can find it under the avast directory...

Smintar

  • Guest
Re: Win32:Sality
« Reply #9 on: June 12, 2008, 10:01:26 PM »
> the virustotal analysis looks clean... can you post here last few lines of your warning.log file? you can find it under the avast directory...

6/12/2008 3:35:17 PM   SYSTEM   848   Sign of "Win32:Sality" has been found in "C:\Program Files (x86)\Paradox Interactive\Take Command - 2nd Manassas\TC2M.exe" file. 

Smintar

  • Guest
Re: Win32:Sality
« Reply #10 on: June 12, 2008, 10:03:20 PM »
Note: it doesn't matter what site I get this patch from, they are all like this. I have to do anything not understanding what is happening.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Re: Win32:Sality
« Reply #11 on: June 13, 2008, 12:15:36 AM »
If it is indeed a false positive (and it looks that way), add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Smintar

  • Guest
Re: Win32:Sality
« Reply #12 on: June 13, 2008, 01:46:28 AM »
> If it is indeed a false positive (and it looks that way), add it to the exclusions lists:
> Standard Shield, Customize, Advanced, Add and
> Program Settings, Exclusions

DavidR: I'm not that computer savvy, but I opened Standard Shield, Customize, Advanced, but I do not find Program Settings, Exclusions.

sckyle2

  • Guest
Re: Win32:Sality
« Reply #13 on: June 13, 2008, 02:40:14 AM »
Here's the results for the first file - there are about 8 total, all related to the same application - Strat-O-Matic computer baseball. Their tech support told me "the Win32 message is a false positive, people have seen it with our EXE files for a while now."  Should I continue to scan and report the rest?
 
File SomBB.exe received on 06.13.2008 02:29:46 (CET)
Result: 3/32 (9.38%)
   
Antivirus    Version    Last Update    Result
AhnLab-V3   2008.6.13.0   2008.06.12   -
AntiVir   7.8.0.55   2008.06.12   -
Authentium   5.1.0.4   2008.06.12   -
Avast   4.8.1195.0   2008.06.12   Win32:Sality
AVG   7.5.0.516   2008.06.12   -
BitDefender   7.2   2008.06.13   -
CAT-QuickHeal   9.50   2008.06.12   -
ClamAV   0.92.1   2008.06.12   -
DrWeb   4.44.0.09170   2008.06.12   -
eSafe   7.0.15.0   2008.06.12   -
eTrust-Vet   31.6.5870   2008.06.13   -
Ewido   4.0   2008.06.12   -
F-Prot   4.4.4.56   2008.06.12   -
F-Secure   6.70.13260.0   2008.06.12   -
Fortinet   3.14.0.0   2008.06.12   -
GData   2.0.7306.1023   2008.06.12   Win32:Sality
Ikarus   T3.1.1.26.0   2008.06.13   -
Kaspersky   7.0.0.125   2008.06.13   -
McAfee   5316   2008.06.12   -
Microsoft   1.3604   2008.06.13   -
NOD32v2   3182   2008.06.12   -
Norman   5.80.02   2008.06.12   -
Panda   9.0.0.4   2008.06.12   -
Prevx1   V2   2008.06.13   -
Rising   20.48.32.00   2008.06.12   -
Sophos   4.30.0   2008.06.13   -
Sunbelt   3.0.1145.1   2008.06.05   -
Symantec   10   2008.06.13   -
TheHacker   6.2.92.346   2008.06.12   -
VBA32   3.12.6.7   2008.06.12   -
VirusBuster   4.3.26:9   2008.06.12   -
Webwasher-Gateway   6.6.2   2008.06.12   Virus.Win32.FileInfector.gen (suspicious)
Additional information
File size: 3010560 bytes
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x70c4b0
timedatestamp.....: 0x47c2f283 (Mon Feb 25 16:53:23 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1d7a5e 0x1d8000 8.00 2c76eabd4cdd9718bd702e59b3069758
.rdata 0x1d9000 0x24f62 0x25000 7.98 8eec34f50f3279ab8d2aada4ed471841
.data 0x1fe000 0x7c3a8 0x44000 8.00 b31062ce786c09a39c69d7115a6b9343
.rsrc 0x27b000 0x9cc90 0x9d000 5.33 c520f2c71a5ebff6344065aaa1d09c3b

( 2 imports )
> KERNEL32.dll: ExitProcess, LoadLibraryA, FreeLibrary, GetProcAddress, CreateFileA, CloseHandle
> USER32.dll: MessageBoxA

( 0 exports )
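As an added example (not code from the thread or from avast), a small parser for the two pieces of evidence the moderators asked for above: the VirusTotal text table (to compute the hit ratio and list which engines flagged the file, and which hits are generic/heuristic names rather than a named family) and the avast warning.log line quoted in Reply #9. The sample rows and log line below are constructed in the same layout as those posted in the thread.

```python
import re

# Constructed sample in the layout of the VirusTotal text tables posted above.
VT_SAMPLE = """Antivirus    Version    Last Update    Result
AhnLab-V3   2008.6.13.0   2008.06.12   -
Avast   4.8.1195.0   2008.06.12   Win32:Sality
GData   2.0.7306.1023   2008.06.12   Win32:Sality
NOD32v2   3182   2008.06.12   -
Webwasher-Gateway   6.6.2   2008.06.12   Virus.Win32.FileInfector.gen (suspicious)
"""

# Constructed sample in the format of the avast 4.8 warning.log line quoted in the thread.
LOG_SAMPLE = ('6/12/2008 3:35:17 PM   SYSTEM   848   Sign of "Win32:Sality" has been found '
              'in "C:\\Program Files (x86)\\Paradox Interactive\\Take Command - 2nd Manassas\\TC2M.exe" file.')

# Columns are separated by runs of at least two spaces; the result column may contain single spaces.
ROW_RE = re.compile(r"^(\S+)\s{2,}(\S+)\s{2,}(\S+)\s{2,}(.+?)\s*$")

def parse_vt_table(text):
    """Return {engine: result} for each data row; '-' (no detection) becomes None."""
    results = {}
    for line in text.splitlines()[1:]:          # first line is the header row
        m = ROW_RE.match(line)
        if m:
            engine, _version, _updated, result = m.groups()
            results[engine] = None if result == "-" else result
    return results

def detection_ratio(results):
    """(hits, engines) in the form VirusTotal reports it, e.g. 3/32."""
    return sum(1 for r in results.values() if r), len(results)

def detecting_engines(results):
    return sorted(e for e, r in results.items() if r)

def heuristic_hits(results):
    """Hits whose name is generic ('suspicious', '.gen', 'heur') rather than a specific family."""
    return {e: r for e, r in results.items() if r and re.search(r"suspicious|\.gen\b|heur", r, re.I)}

# warning.log line: <date time AM/PM>  <account>  <pid>  Sign of "<sig>" has been found in "<path>" file.
LOG_RE = re.compile(r'^(\S+ \S+ [AP]M)\s+(\S+)\s+(\d+)\s+Sign of "([^"]+)" has been found in "([^"]+)" file\.')

def parse_warning_line(line):
    """Split one avast warning.log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, user, pid, signature, path = m.groups()
    return {"time": ts, "user": user, "pid": int(pid), "signature": signature, "path": path}
```

Feeding a full 32-row table from the thread into parse_vt_table gives the same hits/total figure VirusTotal prints at the top of its report, and the heuristic_hits view separates engines naming a specific family from those only reporting a generic verdict.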

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Win32:Sality
« Reply #14 on: June 13, 2008, 03:16:00 AM »
> If it is indeed a false positive (and it looks that way), add it to the exclusions lists:
> Standard Shield, Customize, Advanced, Add and
> Program Settings, Exclusions

> DavidR: I'm not that computer savvy, but I opened Standard Shield, Customize, Advanced, but I do not find Program Settings, Exclusions.

Hi, DavidR is referring to 2 separate exclusion lists:

Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions


The first is the on access

Standard Shield, Customize, Advanced, Add

the second is the on demand

Program Settings, Exclusions

To reach the on demand list, right click the "a" icon, click Program Settings, then Exclusions.