Author Topic: Win32:Sality  (Read 20139 times)


Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Win32:Sality
« Reply #15 on: June 13, 2008, 09:13:36 AM »
send some samples to virus[at]avast[dot]com as DavidR suggested... we'll analyse the files and fix the detection..

Smintar

  • Guest
Re: Win32:Sality
« Reply #16 on: June 13, 2008, 12:18:57 PM »
If it is indeed a false positive (and it looks that way), add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions

DavidR: I'm not that computer savvy but I open standard shield, customize, advanced, but I do not find Program Settings, exclusion

Hi, DavidR is referring to 2 separate exclusion lists

Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions


The first is the on access

Standard Shield, Customize, Advanced, Add

the second is the on demand

Program Settings, Exclusions 

To reach the on demand list, right click the "a" icon, click program settings, then exclusions.


Ok I put the infected file into both exclusions, and I ran the program seems to work fine atm

Now how long shall I wait till I send the file to you after restoring it? and also ck the file in the chest ??

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89160
  • No support PMs thanks
Re: Win32:Sality
« Reply #17 on: June 13, 2008, 02:54:16 PM »
Send the sample to avast now (you are only sending a copy), there is no need to wait, the sooner they get samples the sooner they can analyse them and correct the problem.

Leave checking the file in the chest for a couple of days and check every couple of days. It may be reported in this topic that the FP has been corrected by a VPS update, do a manual update and then check the file in the chest.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

sckyle2

  • Guest
Re: Win32:Sality
« Reply #18 on: June 14, 2008, 12:13:21 AM »
I think I've confused the issue by piggy-backing on the original thread, because I'm not sure who is talking to whom here. Anyway, I've identified 7 different exe files that are associated with the Strat-O-Matic computer baseball game. I'll send them to the Avast virus report. Strat-O-Matic has told me that the report of Win32:Sality is a false positive that has been reported to them "for a while now". I've excluded them from my scan as you explained (thank you!), and the program is running again. I ran them all through VirusTotal, and they all had a similar result - I think the highest report was maybe 12%. If that is of interest here I can post the results for each file, but I don't want to clog up the board if it isn't worthwhile.

Thank you for the help - I was able to get the application running again and am confident that the virus report was false. Great board!  :)

Update: I've discovered that three of the files are too large to send by email. They all report the same virus, and I've sent the ones that I could. Will that be helpful, or is there another way I can submit the large files (ranging from 2.7 to 3 MEG)?
« Last Edit: June 14, 2008, 12:23:20 AM by sckyle2 »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89160
  • No support PMs thanks
Re: Win32:Sality
« Reply #19 on: June 14, 2008, 01:25:21 AM »
There has been a VPS update recently so I would suggest you do a manual update and rescan the files and see if they might have been corrected before doing anything else.

Whilst 12% is high and still suspect, it depends on what scanner detected it and what the malware name was, it might be that those detections were heuristic (prone to FP), so it might be worthwhile posting the results of the VT scans for those with 12%.

All files should be sent for analysis and hopefully correction at which point you can remove the exclusion.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive in the subject.

sckyle2

  • Guest
Re: Win32:Sality
« Reply #20 on: June 14, 2008, 02:17:16 AM »
OK, I've sent three zipped files as you suggested - baseball.exe, sombb.exe, and another version of baseball.exe that the application uses for online play. These are basically the same program used for different computer setups or online play.

Here's the VirusTotal report on the other files from the same app - they have results ranging from 9% to 18%. The files run various versions of the game, or statistical utilities. This will make for a pretty long post, but since you think it might be useful, here goes:

-----------------------------
File BBPedia.exe received on 06.13.2008 02:47:55 (CET)

Result: 4/32 (12.5%)
   
Antivirus    Version    Last Update    Result
AhnLab-V3   2008.6.13.0   2008.06.12   -
AntiVir   7.8.0.55   2008.06.12   -
Authentium   5.1.0.4   2008.06.12   -
Avast   4.8.1195.0   2008.06.12   Win32:Sality
AVG   7.5.0.516   2008.06.12   -
BitDefender   7.2   2008.06.13   -
CAT-QuickHeal   9.50   2008.06.12   (Suspicious) - DNAScan
ClamAV   0.92.1   2008.06.12   -
DrWeb   4.44.0.09170   2008.06.12   -
eSafe   7.0.15.0   2008.06.12   -
eTrust-Vet   31.6.5870   2008.06.13   -
Ewido   4.0   2008.06.12   -
F-Prot   4.4.4.56   2008.06.12   -
F-Secure   6.70.13260.0   2008.06.12   -
Fortinet   3.14.0.0   2008.06.12   -
GData   2.0.7306.1023   2008.06.12   Win32:Sality
Ikarus   T3.1.1.26.0   2008.06.13   -
Kaspersky   7.0.0.125   2008.06.13   -
McAfee   5316   2008.06.12   -
Microsoft   1.3604   2008.06.13   -
NOD32v2   3182   2008.06.12   -
Norman   5.80.02   2008.06.12   -
Panda   9.0.0.4   2008.06.12   -
Prevx1   V2   2008.06.13   -
Rising   20.48.32.00   2008.06.12   -
Sophos   4.30.0   2008.06.13   -
Sunbelt   3.0.1145.1   2008.06.05   -
Symantec   10   2008.06.13   -
TheHacker   6.2.92.346   2008.06.12   -
VBA32   3.12.6.7   2008.06.12   -
VirusBuster   4.3.26:9   2008.06.12   -
Webwasher-Gateway   6.6.2   2008.06.12   Virus.Win32.FileInfector.gen (suspicious)

----------------------------------------------------
File CM.exe received on 06.13.2008 02:49:17 (CET)

Result: 6/32 (18.75%)

   
Antivirus    Version    Last Update    Result
AhnLab-V3   2008.6.13.0   2008.06.12   -
AntiVir   7.8.0.55   2008.06.12   -
Authentium   5.1.0.4   2008.06.12   -
Avast   4.8.1195.0   2008.06.12   Win32:Sality
AVG   7.5.0.516   2008.06.12   -
BitDefender   7.2   2008.06.13   -
CAT-QuickHeal   9.50   2008.06.12   (Suspicious) - DNAScan
ClamAV   0.92.1   2008.06.12   -
DrWeb   4.44.0.09170   2008.06.12   -
eSafe   7.0.15.0   2008.06.12   -
eTrust-Vet   31.6.5870   2008.06.13   -
Ewido   4.0   2008.06.12   -
F-Prot   4.4.4.56   2008.06.12   -
F-Secure   6.70.13260.0   2008.06.12   Type_Win32
Fortinet   3.14.0.0   2008.06.12   -
GData   2.0.7306.1023   2008.06.13   Win32:Sality
Ikarus   T3.1.1.26.0   2008.06.13   -
Kaspersky   7.0.0.125   2008.06.13   Type_Win32
McAfee   5316   2008.06.12   -
Microsoft   1.3604   2008.06.13   -
NOD32v2   3182   2008.06.12   -
Norman   5.80.02   2008.06.12   -
Panda   9.0.0.4   2008.06.12   -
Prevx1   V2   2008.06.13   -
Rising   20.48.32.00   2008.06.12   -
Sophos   4.30.0   2008.06.13   -
Sunbelt   3.0.1145.1   2008.06.05   -
Symantec   10   2008.06.13   -
TheHacker   6.2.92.346   2008.06.12   -
VBA32   3.12.6.7   2008.06.12   -
VirusBuster   4.3.26:9   2008.06.12   -
Webwasher-Gateway   6.6.2   2008.06.12   Virus.Win32.FileInfector.gen (suspicious)

-----------------------------------------
File RM.exe received on 06.13.2008 03:14:30 (CET)

Result: 4/32 (12.5%)

Antivirus    Version    Last Update    Result
AhnLab-V3   2008.6.13.0   2008.06.12   -
AntiVir   7.8.0.55   2008.06.12   -
Authentium   5.1.0.4   2008.06.12   -
Avast   4.8.1195.0   2008.06.12   Win32:Sality
AVG   7.5.0.516   2008.06.12   -
BitDefender   7.2   2008.06.13   -
CAT-QuickHeal   9.50   2008.06.12   (Suspicious) - DNAScan
ClamAV   0.92.1   2008.06.12   -
DrWeb   4.44.0.09170   2008.06.12   -
eSafe   7.0.15.0   2008.06.12   -
eTrust-Vet   31.6.5870   2008.06.13   -
Ewido   4.0   2008.06.12   -
F-Prot   4.4.4.56   2008.06.12   -
F-Secure   6.70.13260.0   2008.06.12   -
Fortinet   3.14.0.0   2008.06.12   -
GData   2.0.7306.1023   2008.06.13   Win32:Sality
Ikarus   T3.1.1.26.0   2008.06.13   -
Kaspersky   7.0.0.125   2008.06.13   -
McAfee   5316   2008.06.12   -
Microsoft   1.3604   2008.06.13   -
NOD32v2   3182   2008.06.12   -
Norman   5.80.02   2008.06.12   -
Panda   9.0.0.4   2008.06.12   -
Prevx1   V2   2008.06.13   -
Rising   20.48.32.00   2008.06.12   -
Sophos   4.30.0   2008.06.13   -
Sunbelt   3.0.1145.1   2008.06.05   -
Symantec   10   2008.06.13   -
TheHacker   6.2.92.346   2008.06.12   -
VBA32   3.12.6.7   2008.06.12   -
VirusBuster   4.3.26:9   2008.06.12   -
Webwasher-Gateway   6.6.2   2008.06.12   Virus.Win32.FileInfector.gen (suspicious)

--------------------------------
File WB.exe received on 06.13.2008 03:25:40 (CET)

Result: 4/32 (12.5%)   
   
Antivirus    Version    Last Update    Result
AhnLab-V3   2008.6.13.0   2008.06.12   -
AntiVir   7.8.0.55   2008.06.12   -
Authentium   5.1.0.4   2008.06.12   -
Avast   4.8.1195.0   2008.06.12   Win32:Sality
AVG   7.5.0.516   2008.06.12   -
BitDefender   7.2   2008.06.13   -
CAT-QuickHeal   9.50   2008.06.12   (Suspicious) - DNAScan
ClamAV   0.92.1   2008.06.12   -
DrWeb   4.44.0.09170   2008.06.12   -
eSafe   7.0.15.0   2008.06.12   -
eTrust-Vet   31.6.5870   2008.06.13   -
Ewido   4.0   2008.06.12   -
F-Prot   4.4.4.56   2008.06.12   -
F-Secure   6.70.13260.0   2008.06.12   -
Fortinet   3.14.0.0   2008.06.12   -
GData   2.0.7306.1023   2008.06.13   Win32:Sality
Ikarus   T3.1.1.26.0   2008.06.13   -
Kaspersky   7.0.0.125   2008.06.13   -
McAfee   5316   2008.06.12   -
Microsoft   1.3604   2008.06.13   -
NOD32v2   3182   2008.06.12   -
Norman   5.80.02   2008.06.12   -
Panda   9.0.0.4   2008.06.12   -
Prevx1   V2   2008.06.13   -
Rising   20.48.32.00   2008.06.12   -
Sophos   4.30.0   2008.06.13   -
Sunbelt   3.0.1145.1   2008.06.05   -
Symantec   10   2008.06.13   -
TheHacker   6.2.92.346   2008.06.12   -
VBA32   3.12.6.7   2008.06.12   -
VirusBuster   4.3.26:9   2008.06.12   -
Webwasher-Gateway   6.6.2   2008.06.12   Virus.Win32.FileInfector.gen (suspicious)

----------------------------
File Baseball.exe received on 06.13.2008 02:46:32 (CET)

Result: 3/32 (9.38%)
   
Antivirus    Version    Last Update    Result
AhnLab-V3   2008.6.13.0   2008.06.12   -
AntiVir   7.8.0.55   2008.06.12   -
Authentium   5.1.0.4   2008.06.12   -
Avast   4.8.1195.0   2008.06.12   Win32:Sality
AVG   7.5.0.516   2008.06.12   -
BitDefender   7.2   2008.06.13   -
CAT-QuickHeal   9.50   2008.06.12   -
ClamAV   0.92.1   2008.06.12   -
DrWeb   4.44.0.09170   2008.06.12   -
eSafe   7.0.15.0   2008.06.12   -
eTrust-Vet   31.6.5870   2008.06.13   -
Ewido   4.0   2008.06.12   -
F-Prot   4.4.4.56   2008.06.12   -
F-Secure   6.70.13260.0   2008.06.12   -
Fortinet   3.14.0.0   2008.06.12   -
GData   2.0.7306.1023   2008.06.12   Win32:Sality
Ikarus   T3.1.1.26.0   2008.06.13   -
Kaspersky   7.0.0.125   2008.06.13   -
McAfee   5316   2008.06.12   -
Microsoft   1.3604   2008.06.13   -
NOD32v2   3182   2008.06.12   -
Norman   5.80.02   2008.06.12   -
Panda   9.0.0.4   2008.06.12   -
Prevx1   V2   2008.06.13   -
Rising   20.48.32.00   2008.06.12   -
Sophos   4.30.0   2008.06.13   -
Sunbelt   3.0.1145.1   2008.06.05   -
Symantec   10   2008.06.13   -
TheHacker   6.2.92.346   2008.06.12   -
VBA32   3.12.6.7   2008.06.12   -
VirusBuster   4.3.26:9   2008.06.12   -
Webwasher-Gateway   6.6.2   2008.06.12   Virus.Win32.FileInfector.gen (suspicious)

-----------------------
(Online version for Baseball.exe)
File Baseball.exe received on 06.13.2008 02:37:19 (CET)

Result: 3/32 (9.38%)
   
Antivirus    Version    Last Update    Result
AhnLab-V3   2008.6.13.0   2008.06.12   -
AntiVir   7.8.0.55   2008.06.12   -
Authentium   5.1.0.4   2008.06.12   -
Avast   4.8.1195.0   2008.06.12   Win32:Sality
AVG   7.5.0.516   2008.06.12   -
BitDefender   7.2   2008.06.13   -
CAT-QuickHeal   9.50   2008.06.12   -
ClamAV   0.92.1   2008.06.12   -
DrWeb   4.44.0.09170   2008.06.12   -
eSafe   7.0.15.0   2008.06.12   -
eTrust-Vet   31.6.5870   2008.06.13   -
Ewido   4.0   2008.06.12   -
F-Prot   4.4.4.56   2008.06.12   -
F-Secure   6.70.13260.0   2008.06.12   -
Fortinet   3.14.0.0   2008.06.12   -
GData   2.0.7306.1023   2008.06.12   Win32:Sality
Ikarus   T3.1.1.26.0   2008.06.13   -
Kaspersky   7.0.0.125   2008.06.13   -
McAfee   5316   2008.06.12   -
Microsoft   1.3604   2008.06.13   -
NOD32v2   3182   2008.06.12   -
Norman   5.80.02   2008.06.12   -
Panda   9.0.0.4   2008.06.12   -
Prevx1   V2   2008.06.13   -
Rising   20.48.32.00   2008.06.12   -
Sophos   4.30.0   2008.06.13   -
Sunbelt   3.0.1145.1   2008.06.05   -
Symantec   10   2008.06.13   -
TheHacker   6.2.92.346   2008.06.12   -
VBA32   3.12.6.7   2008.06.12   -
VirusBuster   4.3.26:9   2008.06.12   -
Webwasher-Gateway   6.6.2   2008.06.12   Virus.Win32.FileInfector.gen (suspicious)

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Win32:Sality
« Reply #21 on: June 14, 2008, 09:56:59 AM »
it's some freaky packer, which looks like sality infected file probably.. we'll analyse the samples...

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89160
  • No support PMs thanks
Re: Win32:Sality
« Reply #22 on: June 14, 2008, 01:23:38 PM »
@ sckyle2
Thanks for taking the time to get the VT data and post it, looks like the virus labs team are on the case now.

Where it is only avast, gdata (that uses avast as one of its two scanning engines) and webwasher gateway (which is detecting using heuristics, suspicious classification) then I would think that it is an FP. This should be confirmed and corrected by the labs in due course.

Where this also includes other detections which also are classed as suspicious, they too are using heuristic detection.

So the only one I would be overly concerned with would be cm.exe, but even then that isn't clear cut as the other detections are using wording like Type_Win32 which isn't really a signature detection, more of an "it might be a type of win32 virus", almost like the suspicious of the other detections.

So we will have to see what the outcome is of the analysis of the files you sent, but personally I think you are OK (for what that's worth).
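
The triage reasoning in the reply above, as an added example that is not part of the original thread: it parses a VirusTotal-style table, discounts a GData hit that only repeats the avast name, and separates heuristic-sounding results from named detections. The engine map and marker strings are assumptions taken from what the thread states; the function names are hypothetical.

```python
import re

# Assumption taken from the thread: GData uses avast as one of its two
# engines, so a GData hit with the same name is not independent evidence.
SHARED_ENGINE = {"GData": "Avast"}
# Assumption: result wording the thread treats as heuristic rather than signature.
HEURISTIC_MARKERS = ("suspicious", "type_win32")

# Constructed sample: a subset of the CM.exe rows posted in the thread,
# re-typed with ';' separators like the later posts use.
CM_EXE = """\
Antivirus;Version;Last Update;Result
AntiVir;7.8.0.55;2008.06.12;-
Avast;4.8.1195.0;2008.06.12;Win32:Sality
CAT-QuickHeal;9.50;2008.06.12;(Suspicious) - DNAScan
F-Secure;6.70.13260.0;2008.06.12;Type_Win32
GData;2.0.7306.1023;2008.06.13;Win32:Sality
Kaspersky;7.0.0.125;2008.06.13;Type_Win32
Webwasher-Gateway;6.6.2;2008.06.12;Virus.Win32.FileInfector.gen (suspicious)
"""


def parse_report(text):
    """Return {engine: result} for rows with a detection ("-" means clean)."""
    hits = {}
    for line in text.splitlines():
        # Columns are separated by ';', tabs, or runs of two or more spaces.
        cols = [c.strip() for c in re.split(r";|\t|\s{2,}", line.strip())
                if c.strip()]
        if len(cols) != 4 or cols[0] == "Antivirus":
            continue  # header, separator line, or malformed row
        engine, _version, _updated, result = cols
        if result != "-":
            hits[engine] = result
    return hits


def triage(hits):
    """Summarise how much independent, non-heuristic evidence a report holds."""
    independent = {}
    for engine, result in hits.items():
        parent = SHARED_ENGINE.get(engine)
        # Drop a licensed-engine hit only when the parent reports the same name.
        if parent and hits.get(parent) == result:
            continue
        independent[engine] = result
    heuristic = sorted(e for e, r in independent.items()
                       if any(m in r.lower() for m in HEURISTIC_MARKERS))
    named = sorted(e for e in independent if e not in heuristic)
    return {
        "raw": len(hits),                  # what the "6/32" headline counts
        "independent": len(independent),   # after collapsing shared engines
        "named": named,                    # specific family names
        "heuristic": heuristic,            # generic / "suspicious" wording
        "single_vendor": len(named) <= 1,  # the pattern the thread reads as FP
    }


if __name__ == "__main__":
    print(triage(parse_report(CM_EXE)))
```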

neilbaer

  • Guest
Re: Win32:Sality
« Reply #23 on: June 14, 2008, 06:33:21 PM »
Hello,

I have encountered the same problem with Win32:Sality for my Strat-o-Matic Computer Hockey files. 

File SOMH32.EXE received on 06.13.2008 20:22:08 (CET)

Antivirus;Version;Last Update;Result
AhnLab-V3;2008.6.13.1;2008.06.13;-
AntiVir;7.8.0.55;2008.06.13;-
Authentium;5.1.0.4;2008.06.12;-
Avast;4.8.1195.0;2008.06.13;Win32:Sality
AVG;7.5.0.516;2008.06.13;-
BitDefender;7.2;2008.06.13;-
CAT-QuickHeal;9.50;2008.06.13;-
ClamAV;0.92.1;2008.06.13;-
DrWeb;4.44.0.09170;2008.06.13;-
eSafe;7.0.15.0;2008.06.12;-
eTrust-Vet;31.6.5871;2008.06.13;-
Ewido;4.0;2008.06.13;-
F-Prot;4.4.4.56;2008.06.12;-
F-Secure;6.70.13260.0;2008.06.13;-
Fortinet;3.14.0.0;2008.06.13;-
GData;2.0.7306.1023;2008.06.13;Win32:Sality
Ikarus;T3.1.1.26.0;2008.06.13;-
Kaspersky;7.0.0.125;2008.06.13;-
McAfee;5317;2008.06.13;-
Microsoft;None;2008.06.13;-
NOD32v2;3185;2008.06.13;-
Norman;5.80.02;2008.06.13;-
Panda;9.0.0.4;2008.06.12;-
Prevx1;V2;2008.06.13;-
Rising;20.48.42.00;2008.06.13;-
Sophos;4.30.0;2008.06.13;-
Sunbelt;3.0.1145.1;2008.06.05;-
Symantec;10;2008.06.13;-
TheHacker;6.2.92.346;2008.06.12;-
VBA32;3.12.6.7;2008.06.12;-
VirusBuster;4.3.26:9;2008.06.12;-
Webwasher-Gateway;6.6.2;2008.06.13;Virus.Win32.FileInfector.gen (suspicious)
-----------------------------------------------------------------------------
File RM.exe received on 06.13.2008 20:42:02 (CET)

Antivirus;Version;Last Update;Result
AhnLab-V3;2008.6.13.1;2008.06.13;-
AntiVir;7.8.0.55;2008.06.13;-
Authentium;5.1.0.4;2008.06.12;-
Avast;4.8.1195.0;2008.06.13;Win32:Sality
AVG;7.5.0.516;2008.06.13;-
BitDefender;7.2;2008.06.13;-
CAT-QuickHeal;9.50;2008.06.13;(Suspicious) - DNAScan
ClamAV;0.92.1;2008.06.13;-
DrWeb;4.44.0.09170;2008.06.13;-
eSafe;7.0.15.0;2008.06.12;-
eTrust-Vet;31.6.5871;2008.06.13;-
Ewido;4.0;2008.06.13;-
F-Prot;4.4.4.56;2008.06.12;-
F-Secure;6.70.13260.0;2008.06.13;-
Fortinet;3.14.0.0;2008.06.13;-
GData;2.0.7306.1023;2008.06.13;Win32:Sality
Ikarus;T3.1.1.26.0;2008.06.13;-
Kaspersky;7.0.0.125;2008.06.13;-
McAfee;5317;2008.06.13;-
Microsoft;None;2008.06.13;-
NOD32v2;3185;2008.06.13;-
Norman;5.80.02;2008.06.13;-
Panda;9.0.0.4;2008.06.12;-
Prevx1;V2;2008.06.13;-
Rising;20.48.42.00;2008.06.13;-
Sophos;4.30.0;2008.06.13;-
Sunbelt;3.0.1145.1;2008.06.05;-
Symantec;10;2008.06.13;-
TheHacker;6.2.92.346;2008.06.12;-
VBA32;3.12.6.7;2008.06.12;-
VirusBuster;4.3.26:9;2008.06.12;-
Webwasher-Gateway;6.6.2;2008.06.13;Virus.Win32.FileInfector.gen (suspicious)

neilbaer

  • Guest
Re: Win32:Sality
« Reply #24 on: June 14, 2008, 06:43:08 PM »
Sorry, I forgot to include the last file:

File HKPedia.exe received on 06.14.2008 18:39:27 (CET)

Result: 4/32 (12.5%)
   
Antivirus    Version    Last Update    Result
AhnLab-V3   2008.6.13.1   2008.06.13   -
AntiVir   7.8.0.55   2008.06.14   -
Authentium   5.1.0.4   2008.06.14   -
Avast   4.8.1195.0   2008.06.14   Win32:Sality
AVG   7.5.0.516   2008.06.13   -
BitDefender   7.2   2008.06.14   -
CAT-QuickHeal   9.50   2008.06.14   (Suspicious) - DNAScan
ClamAV   0.92.1   2008.06.14   -
DrWeb   4.44.0.09170   2008.06.14   -
eSafe   7.0.15.0   2008.06.12   -
eTrust-Vet   31.6.5873   2008.06.14   -
Ewido   4.0   2008.06.14   -
F-Prot   4.4.4.56   2008.06.12   -
F-Secure   6.70.13260.0   2008.06.13   -
Fortinet   3.14.0.0   2008.06.14   -
GData   2.0.7306.1023   2008.06.14   Win32:Sality
Ikarus   T3.1.1.26.0   2008.06.14   -
Kaspersky   7.0.0.125   2008.06.14   -
McAfee   5317   2008.06.13   -
Microsoft   1.3604   2008.06.14   -
NOD32v2   3186   2008.06.13   -
Norman   5.80.02   2008.06.13   -
Panda   9.0.0.4   2008.06.14   -
Prevx1   V2   2008.06.14   -
Rising   20.48.52.00   2008.06.14   -
Sophos   4.30.0   2008.06.14   -
Sunbelt   3.0.1145.1   2008.06.05   -
Symantec   10   2008.06.14   -
TheHacker   6.2.92.349   2008.06.13   -
VBA32   3.12.6.7   2008.06.14   -
VirusBuster   4.3.26:9   2008.06.12   -
Webwasher-Gateway   6.6.2   2008.06.14   Virus.Win32.FileInfector.gen(suspicious)

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89160
  • No support PMs thanks
Re: Win32:Sality
« Reply #25 on: June 14, 2008, 06:50:43 PM »
Certainly looks like an FP, first ensure you have the latest VPS update, if they are still detected,
see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

neilbaer

  • Guest
Re: Win32:Sality
« Reply #26 on: June 14, 2008, 07:34:06 PM »
Hi again,

Sorry to be a pain, but how do I send files from the chest? I keep getting the following error message: "The program cannot use email." I would send zipped files, but I do not have a way to password protect it. Thanks.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89160
  • No support PMs thanks
Re: Win32:Sality
« Reply #27 on: June 14, 2008, 08:31:21 PM »
first are you using an email program that uses pop3 and smtp to send email rather than using webmail viewed through your browser ?

If using an email program and smtp/pop3 email ensure the Program Settings, SMTP section, account details are completed. These details are basically a copy of the account information for your default email account in your email program.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Win32:Sality
« Reply #28 on: June 15, 2008, 02:30:20 PM »
the FP should be fixed already.. it was a quite suspicious packer... the entry point of main exe was placed into an embedded exe and other strange features were present too... it's always difficult to balance the detection to catch the valid infection and to exclude some stupid evil looking packers, scramblers etc.. ::)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Sality
« Reply #29 on: June 15, 2008, 08:12:39 PM »
Thanks Maxx.
Sometimes it is good to know the 'reason' for false positives.
The best things in life are free.