Author Topic: A new version of Sality  (Read 4329 times)


Offline Left123
A new version of Sality
« on: October 23, 2010, 08:27:45 PM »
I was reading an article about a new version of Sality. The part that "blew my mind" was when I saw that the new Sality adds the driver to the registry branch System\CurrentControlSet\Control\SafeBoot, which allows the driver to boot in safe mode. Safe mode won't work... I mean it's completely useless to try to remove the virus in safe mode (correct me if I am wrong).
also:
Below is a screenshot of the unpacked DLL. It contains lines which demonstrate the virus’ capability to resist security software: “avast! Self Protection”, “NOD32krn”, “Avira AntiVir Premium”, “DRWEBSCD” etc. Sality uses one of the simplest ways to shut off an antivirus: it attempts to close all windows and terminate all processes with names associated with security products.
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus
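A defender-side check for the SafeBoot persistence mentioned in the post, added here as an example (not from the post or the article it cites). It walks the Minimal and Network SafeBoot profiles, resolves each Driver/Service entry to its service key and ImagePath, and flags entries that have no service key or whose image lives outside the Windows directory; the "Suspicious" heuristic and the `.sys` name-stripping are my assumptions, so treat the output as a triage list, not a verdict.

```powershell
# Added example: audit HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot for
# Driver/Service entries that look out of place. Run as Administrator.
$safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SafeBootEntries {
    foreach ($profile in 'Minimal', 'Network') {
        $profilePath = Join-Path $safeBootRoot $profile
        if (-not (Test-Path $profilePath)) { continue }

        foreach ($key in Get-ChildItem -Path $profilePath) {
            $name = $key.PSChildName
            # The (default) value says what the entry is: "Driver", "Service",
            # "Driver Group", or a device-class description for GUID-named keys.
            $kind = (Get-ItemProperty -Path $key.PSPath).'(default)'

            # Assumption: entries such as "vga.sys" map to the service "vga".
            $svcName = $name -replace '\.sys$', ''
            $svcPath = Join-Path $servicesRoot $svcName
            $image   = $null
            if (Test-Path $svcPath) {
                $image = (Get-ItemProperty -Path $svcPath -ErrorAction SilentlyContinue).ImagePath
            }

            # Heuristic (assumption): a Driver/Service entry with no backing
            # service, or whose image is not under the Windows directory,
            # deserves a closer look. Legitimate entries can still trip this.
            $inWindowsDir = $image -match '(?i)(^|\\|%)(system32|syswow64|windows|systemroot%?)\\'
            $suspicious   = ($kind -in 'Driver', 'Service') -and
                            (($null -eq $image) -or (-not $inWindowsDir))

            [PSCustomObject]@{
                Profile    = $profile
                Entry      = $name
                Kind       = $kind
                ImagePath  = $image
                Suspicious = $suspicious
            }
        }
    }
}

Get-SafeBootEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Compare the flagged rows against a known-clean machine of the same Windows version before acting on them; a SafeBoot entry added by malware would also be absent from that baseline.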

Offline superhacker
Re: A new version of Sality
« Reply #1 on: October 23, 2010, 09:28:23 PM »
First, thanks for this helpful info. Second, can you post the original topic where this is from, since the JPG picture is of bad quality and I can't see any character, so a better image would be better.
And the other Sality, "I think", disabled safe boot; this new one is a bad boy ;)
But I think every bad step will make good steps, so don't worry, it just complicates things.
Dreams don't die, they just fall asleep.

Offline RejZoR
Re: A new version of Sality
« Reply #4 on: October 24, 2010, 04:11:30 AM »
Makes me wonder if Win32:FileInfector [Heur] behavior detection can catch these...
Visit my webpage Angry Sheep Blog

Offline DavidR
Re: A new version of Sality
« Reply #6 on: October 24, 2010, 05:06:53 PM »
http://www.securelist.com/en/blog/180/A_new_version_of_Sality_at_large
Posted March 31, 11:29  GMT ;)

even though it's the latest version..

Even so, it can hardly be called new when it dates back to March 2010. I strongly doubt that, given its age, it is the latest/new variant of Sality, as it is likely to be constantly modified to try and combat AV developments. They are hardly likely to have left it dormant for over 7 months.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Left123
Re: A new version of Sality
« Reply #7 on: October 24, 2010, 06:13:09 PM »
Well, OK, it's not new, it's a little "updated" ;D

Offline Maxx_original
Re: A new version of Sality
« Reply #8 on: October 24, 2010, 11:03:11 PM »
Makes me wonder if Win32:FileInfector [Heur] behavior detection can catch these...

FileInfector [Heur] detects quite a few Sality samples.. Based on the observation that there are not many undetected samples, I believe the new variant is also detected...