W32.Sality.AE
W32.Sality.AE is a Trojan that modifies the Windows registry, adding an entry that lets it bypass installed firewall programs. Another payload of the virus is to download and execute additional threats from a remote server. W32.Sality.AE spreads between computers by infecting executable files on local and remote drives. It is also capable of deleting files that belong to security programs.
Alias: TROJ_AGENT.XOO, W32/Sality.ae, Sality.AG, Win32/Sality.Z, W32/Sality.AA
Damage Level: Medium
Systems Affected: Windows 2000/Server, Windows NT, Windows XP, Windows Vista
Characteristics
If W32.Sality.AE is active on the computer, it may drop several files and create various registry entries. The Trojan then gives itself an auto-loading function by registering as a Windows service with the following data:
Service Name: WMI_MFC_TPSHOKER_80
Display Name: WMI_MFC_TPSHOKER_80
Startup Type: Automatic
To avoid conflicts with security applications, W32.Sality.AE stops services related to security programs such as anti-virus and firewall software. To put an end to this software, the files of the processes behind those services are deleted. Moreover, the Trojan blocks access to various security web sites to prevent essential updates.
The Trojan also searches for and infects the executables listed under the following subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
Distribution
W32.Sality.AE may spread through the Internet by various means. Typically, it infects a computer and gathers email addresses from the victim's address book, then mass-mails itself to these contacts with the Trojan attached. Locally, W32.Sality.AE attaches a copy of itself to removable devices using executable files such as .EXE, .CMD, and .PIF, together with an autorun.inf file that launches the Trojan each time the drive is accessed.
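The autorun.inf behaviour described above can be checked offline before a removable drive is opened. The following is an added example, not code from the original page or from precisesecurity: a small Python checker that parses an autorun.inf and reports every directive that would launch an .EXE, .CMD or .PIF, which is the pattern this page describes. The sample autorun.inf is constructed, and the file name qpxwk.exe is an invented stand-in for the [RANDOM NAME] the page lists.

```python
"""Report autorun.inf directives that launch an executable, the removable-drive
pattern this page describes for W32.Sality.AE.
Added example, not from the original page; the sample autorun.inf is constructed."""
import configparser
import re

# Extensions the page lists for the copies dropped into the drive root.
RISKY_EXTENSIONS = (".exe", ".cmd", ".pif")
# [autorun] directives that run a program when the drive is inserted or opened.
LAUNCH_KEYS = ("open", "shellexecute")


def program_from_command(command):
    """Program path from a command line: the quoted part, or the text up to a risky extension."""
    command = command.strip()
    quoted = re.match(r'"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    unquoted = re.match(r"(.+?\.(?:exe|cmd|pif))(?:\s|$)", command, re.IGNORECASE)
    if unquoted:
        return unquoted.group(1)
    return command.split()[0] if command else ""


def launch_directives(autorun_text):
    """Return (directive, command) pairs for every launch directive in an autorun.inf.

    Covers open= and shellexecute= as well as shell\\<verb>\\command=, which hijacks
    context-menu verbs such as Open or Explore. Lines without '=' (junk) are tolerated.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True, delimiters=("=",))
    parser.read_string(autorun_text)
    # Section names are case-sensitive in ConfigParser; autorun.inf is not.
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    directives = []
    for key, value in parser[section].items():
        # ConfigParser lowercases keys by default, so comparisons are case-insensitive.
        if value is None:
            continue
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            directives.append((key, value.strip()))
    return directives


def suspicious_autorun(autorun_text):
    """One finding per directive that would launch an .EXE, .CMD or .PIF."""
    findings = []
    for key, command in launch_directives(autorun_text):
        if program_from_command(command).lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"{key} launches executable: {command}")
    return findings


# Constructed sample: an invented random file name in the drive root plus an
# Explore-verb hijack, not a file captured from a real infection.
SAMPLE_AUTORUN = """[AutoRun]
open=qpxwk.exe
shell\\explore\\command=qpxwk.exe
shell\\explore=&Explore
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

if __name__ == "__main__":
    for finding in suspicious_autorun(SAMPLE_AUTORUN):
        print(finding)
```

Run it against the contents of a drive's autorun.inf copied from a machine that has AutoPlay disabled; an `icon=` or `label=` line on its own produces no finding, while any `open=`, `shellexecute=` or `shell\...\command=` line pointing at an executable does.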
Associated Registry Keys:
HKEY_CURRENT_USER\Software\[USER NAME]914
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\Firewall Policy\StandardProfile\AuthorizedApplications\List\"[INFECTED FILE]" = "[INFECTED FILE]:*:Enabled:ipsec"
Associated Files and Folders:
%System%\drivers\[RANDOM NAME].sys
%DriveLetter%:\[RANDOM NAME].exe
%DriveLetter%:\[RANDOM NAME].cmd
%DriveLetter%:\[RANDOM NAME].pif
%DriveLetter%:\autorun.inf
File Location for Windows Versions:
- %System% is located under C:\Windows\System32 for all versions of Windows
How to Remove W32.Sality.AE
Restore Windows Components
During an infection, W32.Sality.AE drops various files. The worm intentionally hides system files by setting options in the registry. Given this, the best solution is to return Windows to a previous working state through System Restore. If a previous restore point was saved, you may proceed with Windows System Restore.
Manual Removal Procedure
1. If an anti-virus program is present, update the definition file. Each anti-virus program has its own way to update the database. Please refer to your software manufacturer’s manual.
2. Reboot Windows in Safe Mode to ensure that only minimal Windows components are loaded.
- After turning on the power of the computer, press F8 on your keyboard.
- When the Boot Options menu appears, select Safe Mode.
3. Run a full system scan and clean/delete all infected files related to Backdoor.Cycbot.
4. Delete or modify any values added by Backdoor.Cycbot to the registry, if present. Please see the reference.
- To edit the registry, click on Start > Run and type regedit.exe in the field.
- Alternatively, you may press Windows Key + R on your keyboard to open the RUN command.
5. Exit registry editor when done. You may now restart the computer.
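Step 4 above asks you to check the registry for values the Trojan added, and the Characteristics section lists which keys those are. The following is an added example, not code from the original page or from precisesecurity, that does that check offline: it parses a .reg file produced by `reg export` (or by File > Export in regedit, taken from the Safe Mode session) and flags the service name WMI_MFC_TPSHOKER_80, the LEGACY_ enum keys, and firewall AuthorizedApplications entries that carry the `:*:Enabled:ipsec` description shown on this page; it also lists the executables referenced under the Run and MUICache keys, since the Trojan infects those and they should be included in the scan. The sample export is constructed; the driver name kzqlp.sys, the file paths and the entry game.exe are invented placeholders.

```python
"""Scan a .reg export for the W32.Sality.AE registry indicators this page lists.
Added example, not from the original page; the sample export below is constructed."""
import re

SALITY_SERVICE = "WMI_MFC_TPSHOKER_80"
LEGACY_ENUM_KEYS = {"LEGACY_WMI_MFC_TPSHOKER_80", "LEGACY_IPFILTERDRIVER"}
# The firewall exception the page shows: "[INFECTED FILE]:*:Enabled:ipsec"
FIREWALL_MARKER = ":*:enabled:ipsec"
# Subkeys whose listed executables the Trojan infects (Characteristics section).
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\shellnoroam\\muicache")

KEY_RE = re.compile(r"^\[-?([^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def unescape(text):
    """Undo .reg escaping (\\\\ -> \\ and \\" -> ") inside quoted names and strings."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from the text of a .reg export.

    String data is unquoted and unescaped; other kinds (dword:, hex:) are kept raw.
    Multi-line hex continuations and comments are skipped, which is enough here.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            name = "@" if value_match.group(1) is None else unescape(value_match.group(1))
            data = value_match.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])
            keys[current][name] = data
    return keys


def executable_from_command(command):
    """Best-effort program path from a Run-key command line (quoted, or path plus args)."""
    command = command.strip()
    quoted = re.match(r'"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    unquoted = re.match(r"(.+?\.(?:exe|cmd|pif))(?:\s|$)", command, re.IGNORECASE)
    return unquoted.group(1) if unquoted else command


def sality_indicators(keys):
    """Return indicator findings plus the Run/MUICache executables that need an AV scan."""
    indicators = []
    executables = []
    for key, values in keys.items():
        lower = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if leaf.upper() == SALITY_SERVICE or values.get("DisplayName", "").upper() == SALITY_SERVICE:
            indicators.append(f"service registration: {key}")
        elif "\\enum\\root\\" in lower and leaf.upper() in LEGACY_ENUM_KEYS:
            indicators.append(f"legacy device enum key: {key}")
        elif lower.endswith("\\authorizedapplications\\list"):
            for name, data in values.items():
                if data.lower().endswith(FIREWALL_MARKER):
                    indicators.append(f"firewall exception for {name}: {data}")
        elif lower.endswith(RUN_KEY_SUFFIXES):
            # MUICache stores the path as the value name; Run stores it as the data.
            for name, data in values.items():
                path = name if lower.endswith("muicache") else executable_from_command(data)
                if path.lower().endswith((".exe", ".cmd", ".pif")):
                    executables.append(path)
    return {"indicators": indicators, "executables_to_scan": executables}


# Constructed sample export in the shape this page describes; kzqlp.sys, the paths
# and game.exe are invented placeholders, not real indicators.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMI_MFC_TPSHOKER_80]
"DisplayName"="WMI_MFC_TPSHOKER_80"
"Start"=dword:00000002
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\kzqlp.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\user\\game.exe"="C:\\Documents and Settings\\user\\game.exe:*:Enabled:ipsec"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Updater\\updater.exe /silent"
"""

if __name__ == "__main__":
    report = sality_indicators(parse_reg_export(SAMPLE_REG))
    for finding in report["indicators"]:
        print("INDICATOR:", finding)
    for path in report["executables_to_scan"]:
        print("SCAN:", path)
```

The firewall check deliberately keys on the `ipsec` description rather than on the file name, because the AuthorizedApplications list also holds legitimate entries (the Messenger line in the sample is left alone); the file named in a flagged entry is the one the page calls [INFECTED FILE] and belongs in the scan as well.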
Amir
Aug 05, 2008 @ 14:29:15
I am having a lot of problems because of this virus. Does anyone have a solution for this? Please let me know.
Gempar
Sep 24, 2008 @ 13:37:43
You can use Norman Malware Cleaner to remove this virus.
huy
Oct 03, 2008 @ 04:11:18
Please send me removal tools about:
W32.Sality.AE
W32.Virut.R
W32.Almanahe.B!inf
Adware.ZangoSearch
Trojan.Packed.NsAnti
amit
Dec 09, 2008 @ 10:54:45
Tools to remove W32.Sality.AE virus
Gangadhar
Jan 15, 2009 @ 12:34:39
Hi, please send me w32.sality.ae and w32.sality.DFC virus removal tools.
Warm regards,
Gangadhar
Rajni Godhasara
Feb 01, 2009 @ 05:57:57
Please send me removal tools about
W32.Sality.AE
W32.Virut.R
W32.Almanahe.B!inf
Adware.ZangoSearch
Trojan.Packed.NsAnti
w32 SAlity.t
and other sality tools
w32.douwndup
thanX
Junagadh
precisesecurity
Feb 04, 2009 @ 00:40:25
1. Download removal tool from this page and save it on your Desktop.
2. After downloading, double-click on it to install the application.
3. Follow the prompts and install as “default” only.
4. If it prompts to update the database after installation, please proceed.
5. Click “Finish.” The program will run automatically and you will be prompted to update the program before doing a scan. Please update.
6. Scan your computer thoroughly.
7. When scanning is finished, click on “Show Results”.
8. Make sure that all detected threats are marked, then click on Remove Selected.
9. Restart Windows.
Note: Some malware may prevent mbam-setup.exe from downloading and running. You can download and rename this program from a different computer before running it on infected system.
SareH
Jun 21, 2009 @ 18:30:04
I have changed my Windows about 5 times because of this virus. I think it has saved a copy in my system files, so every time I change Windows the virus remains, and after 2 or 3 months the operating speed gets very low and I can’t even listen to music with it. Does anyone know how to remove it from the system files?
I do disable System Restore before changing Windows, but it won’t get off my laptop.
raman
Aug 01, 2009 @ 08:43:17
Required removal tool.
kunal
Oct 29, 2009 @ 10:50:40
Required removal tool
w32.sality.ae
KAVERI KAPUR
Dec 15, 2009 @ 08:31:06
I want clean scan and remove
viji.asv
Dec 30, 2009 @ 06:17:41
Need a removal tool for W32.silly.FDC
poojitha
May 30, 2010 @ 17:32:37
Sorry for saying it like this. Really, I don’t know about this virus. Not one file opens correctly on my laptop; at least Yahoo Messenger also does not open. Please help me. Tell me any solution. Please give me a reply just now, here only. I will check it. Pleaseeeeeeeeeeee help me, friends.
Sanjeev
Jul 27, 2010 @ 06:43:31
Hi
1. I just want to know if there is a stinger that exists for this virus.
2. Which is the most effective AV for this?
3. How to re-enable the ‘regedit’ command (which this virus has disabled)? I’ve already tried Symantec’s ‘Unhook.inf’.
PLS HELP.
Sakthi
Sep 10, 2010 @ 13:30:47
I have removed the virus, but I can’t resolve the settings done by that. My anti-virus is not working. Please help me to resolve the settings.