Author Topic: Scanning on Boot x Scanning on Windows  (Read 3880 times)


wing.man.001

  • Guest
Scanning on Boot x Scanning on Windows
« on: February 18, 2009, 08:10:02 AM »
Hello,

I just had a problem scanning my system. I was infected by two pieces of malware (Win32:Rootkit-gen and Win32:Sality) and the only way to find them was the boot-time scan. The regular scan, on Windows, did not work.

Can anyone help me understand why this happened?

Thanks!
« Last Edit: February 18, 2009, 08:11:56 AM by wing.man.001 »

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: Scanning on Boot x Scanning on Windows
« Reply #1 on: February 18, 2009, 10:10:27 AM »
You'd better have a look at what appears to be a thorough description here: http://www.ca.com/securityadvisor/virusinfo/virus.aspx?ID=52797
It's all pertinent; what might partly answer your question is this excerpt:
Quote
Win32/Sality Family

Date Published:
20 Mar 2006

Last Updated:
23 Mar 2006
Threat Assessment
Overall Risk:   Low
Wild:  Low
Destructiveness:  High
Pervasiveness:  Low
Characteristics

Type : Virus

Category : Win32

Also known as:  W32.HLLP.Sality (Symantec)
Description
Win32/Sality is a polymorphic virus that infects Win32 PE executable files. It also contains trojan components. Win32/Sality has been known to be downloaded by variants of the Win32/Bagle family.

Method of Infection

When an infected file is executed the virus decrypts itself and drops a DLL file into the %System% directory. The DLL file is injected into other running processes. The virus then executes the host program code.

Some examples of the names used by the Sality DLL file as reported to CA from the wild include the following:

    * %System%\syslib32.dll
    * %System%\oledsp32.dll
    * %System%\olemdb32.dll
    * %System%\wcimgr32.dll
    * %System%\wmimgr32.dll

Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.

Many variants of Sality also attempt to infect executable files referenced by values in the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This enables the virus to run at each Windows start.

Method of Distribution
Via File Infection

Sality searches local drives C:\ to Y:\ for Windows PE executable files to infect. Some variants do not infect files with a file size below 4K bytes or above 20M bytes. The virus replaces code at the entry point of the executable with its own code, and appends an encrypted copy of itself to the host file, which increases the size of the infected program. When the file is executed the virus extracts and runs the appended code, and then runs the host program code to hide its presence.
(My bolding).
It is also implicated in the disabling of virus database files and a fairly good number of AVs (see the linked description).
The list of those processes doesn't appear to include Avast, but the list is not necessarily complete.
Were you able to quarantine it from the Avast boot scan?
Windows 10, Windows Firewall, Firefox w/Adblock.
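The CA description quoted above says the virus overwrites the code at the host's entry point and appends an encrypted copy of itself (so the file grows), and that some variants go after the executables named in the Run keys. Below is an added example, not code from this thread, from CA or from Avast, of how a practitioner can look for those two traces on disk with nothing but the Python standard library: it parses the PE section table and reports the overlay size (bytes past the last section's raw data) and whether the entry point sits in a writable last section, and a small helper turns a Run-key value into the executable path to feed it. The sample images built by build_pe(), the section name ".extra" and the Run-key command line are constructed for the demo and are not real Sality samples; treat the output as indicators, not detections, because packers, installers and signed binaries carry overlays too.

```python
# Static triage for appended-code PE infectors: an added example for this
# thread, not code from the thread, from CA or from Avast. Standard library
# only; offsets follow the PE/COFF format. build_pe() makes constructed
# sample images for the demo; they are not real Sality samples.
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGN = 0x200

@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_pointer: int
    raw_size: int
    characteristics: int

def parse_pe(data: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, section table) of a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, vsize, rptr, rsize, chars))
    return entry_rva, sections

def triage(data: bytes) -> dict:
    """Flag the traces an appending infector leaves: bytes past the section
    table (overlay) and an entry point in a new, writable last section.
    Indicators only: packers, installers and signed binaries have overlays too."""
    entry_rva, sections = parse_pe(data)
    hit = next((s for s in sections if s.virtual_address <= entry_rva
                < s.virtual_address + max(s.virtual_size, s.raw_size)), None)
    end_of_sections = max((s.raw_pointer + s.raw_size for s in sections), default=0)
    return {
        "entry_rva": entry_rva,
        "entry_section": hit.name if hit else None,          # None: outside all
        "entry_in_last_section": hit is not None and hit is sections[-1],
        "entry_section_writable": bool(hit and hit.characteristics & IMAGE_SCN_MEM_WRITE),
        "overlay_size": max(0, len(data) - end_of_sections),
    }

def command_to_exe(run_value: str) -> Optional[str]:
    """Path of the executable a Run-key value launches, e.g.
    '"C:\\Program Files\\App\\app.exe" /silent' -> the quoted path."""
    run_value = run_value.strip()
    if run_value.startswith('"'):
        end = run_value.find('"', 1)
        return run_value[1:end] if end > 1 else None
    m = re.match(r"(.+?\.exe)(?:\s|$)", run_value, re.IGNORECASE)
    return m.group(1) if m else None

def build_pe(sections: List[Tuple[str, int]], entry_rva: int, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32: valid enough to parse, not to load. Each
    (name, characteristics) pair becomes a 0x200-byte section at RVA 0x1000*(i+1)."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)         # AddressOfEntryPoint
    hdr_end = e_lfanew + 4 + len(coff) + opt_size + 40 * len(sections)
    raw_start = (hdr_end + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
    table, body = b"", b""
    for i, (name, chars) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), 0x200,
                             0x1000 * (i + 1), 0x200, raw_start + 0x200 * i, 0, 0, 0, 0, chars)
        body += b"\x90" * 0x200
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image + b"\0" * (raw_start - len(image)) + body + overlay

if __name__ == "__main__":
    TEXT, DATA, WX = 0x60000020, 0xC0000040, 0xE0000020   # section flags
    base = [(".text", TEXT), (".data", DATA)]
    for label, image in [
        ("clean", build_pe(base, 0x1000)),
        ("appended", build_pe(base, 0x1000, overlay=b"\xAA" * 0x300)),
        ("new section", build_pe(base + [(".extra", WX)], 0x3000)),
    ]:
        print(f"{label:12s} {triage(image)}")
    print(command_to_exe('"C:\\Program Files\\App\\app.exe" /silent'))
```

Run as-is it prints a report for each constructed image: the "appended" one shows a 0x300-byte overlay with the entry point still in .text (the shape the CA text describes), and the "new section" one shows the entry point in a writable, executable last section. On a real machine the inputs would be the values under HKLM and HKCU \Software\Microsoft\Windows\CurrentVersion\Run (read with winreg on Windows, which is left out here) passed through command_to_exe and then triage(open(path, "rb").read()). A check like this is only as trustworthy as the environment it reads the files from, which is the same caveat that makes a boot-time scan worth having.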

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Scanning on Boot x Scanning on Windows
« Reply #2 on: February 18, 2009, 01:45:11 PM »
Sality is a very dangerous virus. Backup as fast as you can.
Maybe you should run a full computer online scan:
Kaspersky
ESET NOD32
Trendmicro housecall
F-Secure
BitDefender
The best things in life are free.

wing.man.001

  • Guest
Re: Scanning on Boot x Scanning on Windows
« Reply #3 on: February 24, 2009, 11:04:34 PM »
Thank you for your answers,

What I really want to know is why the regular scan on Windows did not work properly, and only when I did the boot-time scan did it recognize all the infected files so I could delete them.

The curious thing is that, once I had the name of the file (through the boot-time scan), when I checked just the infected file on Windows, Avast recognized the virus.

So far, I have scanned my system with Avast several times (on boot and on Windows) and with a pretty good anti-malware program, and nothing else showed up.

Ah, of course I have all my backups up to date: DVD, pen drive and HD.

Best regards

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: Scanning on Boot x Scanning on Windows
« Reply #4 on: February 24, 2009, 11:41:25 PM »
I would imagine that the answer to that is that the virus was able to hide itself, perhaps in an alternate data stream, while the OS was running, but when it hadn't yet loaded it was exposed. Avast detects it; there is no difference in the detection signatures for a boot vs. a normal scan, so that makes sense.
Ain't we lucky Avast has a boot scan.  ;)
Be interesting to know what other AV's can deal with this one, it looks fairly nasty.
If you don't mind my asking, what was the "fairly good anti malware scanner" that you used?
Windows 10, Windows Firewall, Firefox w/Adblock.

wing.man.001

  • Guest
Re: Scanning on Boot x Scanning on Windows
« Reply #5 on: February 26, 2009, 06:17:28 PM »
Greetings, my friend!

I used Malwarebytes Anti-Malware, a pretty good one.

Ah, all the infected files came from a website, hxxp://www.koyotesoft.com

As a matter of fact, three of them were infected. And I scanned all of them before installing.

Thank you for enlightening me on my questions.

Kind regards.
« Last Edit: February 26, 2009, 07:44:41 PM by kubecj »