The Sality virus quickly corrupts .exe, .com and .scr files. A clear sign of infection is that an infected file grows by roughly 68-80 KB, although it can often still be run as usual. The virus normally blocks antivirus programs and removal tools, and it also disables Task Manager and the Windows registry editor. To spread more easily it uses file sharing and the default administrative shares, and it also uses USB flash drives, dropping a randomly named file with the extension .exe, .com, .scr or .pif together with an autorun.inf file.
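A defender looking at a suspect flash drive wants to know whether its autorun.inf points at one of the dropped executables. The script below is an added example written for this page, not code from the original post: it parses an autorun.inf (a constructed sample, with a made-up random file name standing in for the dropped file) and flags every launch directive that references an .exe, .com, .scr or .pif file.

```python
"""Flag an autorun.inf that launches an executable from the drive it sits on.

Constructed example for this page, not code from the original post. The
autorun.inf contents below are made up; the randomly named .exe stands in for
the dropped file the write-up describes.
"""
import configparser
import ntpath
from typing import Dict, List

# Directives in [autorun] that make Windows run a program on insert/open.
LAUNCH_KEYS = ("open", "shellexecute", r"shell\open\command", r"shell\explore\command")
SUSPECT_EXTENSIONS = {".exe", ".com", ".scr", ".pif"}


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as {lower-cased key: value}, {} if unparsable."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    for section in parser.sections():          # section name may be [autorun] or [AutoRun]
        if section.lower() == "autorun":
            return {k: (v or "") for k, v in parser.items(section)}
    return {}


def referenced_program(command: str) -> str:
    """First token of a command line, honouring a quoted path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def autorun_findings(text: str) -> List[str]:
    """List every launch directive that points at an .exe/.com/.scr/.pif file."""
    section = parse_autorun(text)
    findings: List[str] = []
    for key in LAUNCH_KEYS:
        program = referenced_program(section.get(key, ""))
        if ntpath.splitext(program)[1].lower() in SUSPECT_EXTENSIONS:
            findings.append(f"{key} launches {program}")
    return findings


# Constructed sample: the pattern described in the write-up.
SAMPLE_AUTORUN = r"""[autorun]
open=xkqzd.exe
shellexecute=xkqzd.exe
shell\open\command=xkqzd.exe
icon=xkqzd.exe,0
label=My Drive
"""

# Constructed benign sample: icon and label only, nothing is launched.
BENIGN_AUTORUN = r"""[AutoRun]
icon=backup.ico
label=Backup
"""

if __name__ == "__main__":
    for name, text in (("suspect", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, autorun_findings(text) or "no launch directives")
```

Any autorun.inf that launches a program from removable media is worth blocking regardless of the file name; Windows stopped honouring autorun.inf on non-optical removable drives with a 2011 update, but older or unpatched machines of the kind this write-up targets still do.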
Stopping Sality takes effort, because it modifies the following registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
* DisableRegistryTools
* DisableTaskMgr
An infected file replicates itself, injects its code into processes active in memory and into executable files on the computer and on the network (file sharing), and then infects the *.exe files referenced from the following registry keys, so the virus is activated automatically each time the computer starts:
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
Some of the first files Sality creates are these DLLs:
* C:\Windows\system32\syslib32.dll
* C:\Windows\system32\oledsp32.dll
* C:\Windows\system32\olemdb32.dll
* C:\Windows\system32\wcimgr32.dll
* C:\Windows\system32\wmimgr32.dll
After creating the DLL files, Sality creates a *.sys driver file in C:\Windows\system32\drivers\ (e.g. system32.sys), which is later used to block antivirus and security software from working.
Remarkably, this virus can block even well-known antivirus products, and it can also block some websites, such as those of antivirus vendors.
Registry entries damaged or modified by the Sality virus:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "GlobalUserOffline" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_8
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xxx
HKEY_CURRENT_USER\Software\[USER]
It also changes the following Windows Firewall and Security Center notification settings from 0 to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
* AntiVirusDisableNotify
* AntiVirusOverride
* FirewallDisableNotify
* FirewallOverride
* UacDisableNotify
* UpdatesDisableNotify
and creates a key named "Svc" with the same values set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
* AntiVirusDisableNotify
* AntiVirusOverride
* FirewallDisableNotify
* FirewallOverride
* UacDisableNotify
* UpdatesDisableNotify
The virus deletes the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG. ALG (Application Layer Gateway) is the service that runs third-party protocol plug-ins and enables network connectivity for those protocols; if the service is disabled, programs such as Yahoo Messenger cannot work. This service is only needed when a firewall is in use, whether the Windows Firewall or the firewall of an antivirus suite. A computer infected with this virus therefore has a serious security hole.
Safe mode
Safe mode cannot be started, because the following registry keys are deleted:
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
Infection of .exe / .com / .scr files
Files with the .exe extension that are referenced from the following registry keys are infected, so the virus is activated automatically each time the computer starts:
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
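The registry changes listed above (the policy values that block regedit and Task Manager, the Security Center overrides, EnableLUA, and the deleted SafeBoot and ALG keys) can be checked offline from a `reg export` of the relevant hives. The following script is an added example written for this page, not code from the original post: it parses .reg text (the samples are constructed) and reports which Sality indicators are present. It assumes the export covers the parent keys of SafeBoot and ALG, so that their absence is meaningful; the GlobalUserOffline, Enum\Root and per-user keys from the list are not checked.

```python
"""Offline triage of the Sality registry indicators from a 'reg export' (.reg) file.

Constructed example for this page, not part of the original post. Assumes the
export was produced with 'reg export <key> out.reg' on the suspect host (or
rebuilt from an offline hive) and covers the keys named below.
"""
from typing import Dict, List, Optional

# Keys named in the write-up.
HKCU_POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
HKLM_POLICIES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"
SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
SECURITY_CENTER_SVC = SECURITY_CENTER + r"\Svc"
CONTROL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
SAFEBOOT = CONTROL + r"\SafeBoot"
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
ALG_SERVICE = SERVICES + r"\ALG"
NOTIFY_VALUES = (
    "AntiVirusDisableNotify", "AntiVirusOverride", "FirewallDisableNotify",
    "FirewallOverride", "UacDisableNotify", "UpdatesDisableNotify",
)

RegKeys = Dict[str, Dict[str, str]]  # lower-cased key path -> {lower-cased value name -> raw text}


def parse_reg_export(text: str) -> RegKeys:
    """Parse 'Windows Registry Editor Version 5.00' text into a key/value map.

    Handles dword: and quoted string values; multi-line hex(...) values are
    skipped, which is fine for the indicators checked here.
    """
    keys: RegKeys = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")   # value names with '=' inside are not handled
        keys[current][name.strip().strip('"').lower()] = value.strip()
    return keys


def as_int(raw: Optional[str]) -> Optional[int]:
    """Decode a dword:XXXXXXXX value or a quoted numeric string ("0") to int."""
    if raw is None:
        return None
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"') and raw[1:-1].isdigit():
        return int(raw[1:-1])
    return None


def find_sality_indicators(keys: RegKeys) -> List[str]:
    """Return one finding per indicator from the write-up that is present."""
    findings: List[str] = []

    def value(path: str, name: str) -> Optional[int]:
        return as_int(keys.get(path.lower(), {}).get(name.lower()))

    for name in ("DisableRegistryTools", "DisableTaskMgr"):
        if value(HKCU_POLICIES, name) == 1:
            findings.append(f"{name}=1 (regedit / Task Manager blocked by policy)")
    if value(HKLM_POLICIES, "EnableLUA") == 0:
        findings.append("EnableLUA=0 (UAC switched off)")
    for path, label in ((SECURITY_CENTER, "Security Center"), (SECURITY_CENTER_SVC, "Security Center\\Svc")):
        hits = [n for n in NOTIFY_VALUES if value(path, n) == 1]
        if hits:
            findings.append(f"{label}: {', '.join(hits)} = 1 (security alerts silenced)")
    # Absence checks are only meaningful when the export covered the parent key.
    for parent, child, label in ((CONTROL, SAFEBOOT, "SafeBoot key missing (Safe Mode cannot start)"),
                                 (SERVICES, ALG_SERVICE, "ALG service key missing")):
        if parent.lower() in keys and child.lower() not in keys:
            findings.append(label)
    return findings


def triage(reg_text: str) -> List[str]:
    return find_sality_indicators(parse_reg_export(reg_text))


# Constructed export resembling an infected host (values as the write-up describes).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002
"""

# Constructed export of a clean host: SafeBoot and ALG present, UAC on, no policies set.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG]
"Start"=dword:00000003
"""

if __name__ == "__main__":
    for name, text in (("infected", SAMPLE_EXPORT), ("clean", CLEAN_EXPORT)):
        print(name, triage(text) or "no Sality indicators")
```

The same values can be read on a live host with reg query or PowerShell's Get-ItemProperty, but the virus blocks regedit and may interfere with tools run on the infected system, which is why an export taken from the offline hive is the more reliable input.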
How do I remove it?
This used to be a very frightening virus, but ways of dealing with Sality are now widely discussed, and you can easily find tips and tricks for removing it on Google. Prevention is better, though: always keep antivirus enabled on your computer and update it regularly.