
Sality


Sality is the classification for a family of malicious software (malware) that infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network for the purpose of relaying spam, proxying communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing for processing-intensive tasks (e.g. password cracking). Since 2010, certain variants of Sality have also incorporated rootkit functions as part of the ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered one of the most complex and formidable forms of malware to date.

The majority of Antivirus (A/V) vendors use the following naming conventions when referring to this family of malware (the * at the end of the names is a wildcard for all the possible classifications and/or distinctions for this malware family):

Sality is a family of polymorphic file infectors that target Windows executable files with the extensions .EXE or .SCR. Sality uses polymorphic and entry-point obscuring (EPO) techniques to infect files as follows: it leaves the entry point address of the host unchanged and replaces the original host code at the entry point of the executable with a variable stub that redirects execution to the polymorphic viral code, which has been inserted in the last section of the host file; the stub decrypts and executes a secondary region, known as the loader; finally, the loader runs in a separate thread within the infected process to eventually load the Sality payload.
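A defensive triage check that follows from the infection pattern described above (entry point address left in place, viral code placed in the host's last section), added here as an example and not code from the article or from any A/V product; the PE builder, section names and the "last section executable and writable" heuristic are constructed assumptions, and the heuristic is a triage signal rather than a verdict, since packers and some legitimate binaries show the same layout.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
SCN_CODE, SCN_DATA = 0x00000020, 0x00000040
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000

def parse_pe(pe: bytes):
    """Return (AddressOfEntryPoint, [(name, rva, virtual_size, characteristics), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]               # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]           # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]      # COFF SizeOfOptionalHeader
    entry = struct.unpack_from("<I", pe, pe_off + 24 + 16)[0]    # AddressOfEntryPoint (RVA)
    table = pe_off + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsec):
        name, vsize, rva, *_rest, chars = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), rva, vsize, chars))
    return entry, sections

def last_section_hijack(pe: bytes) -> bool:
    """Heuristic (assumption): entry point still lies in an earlier section, yet the last
    section is both executable and writable, the footprint of code appended to a host."""
    entry, sections = parse_pe(pe)
    ep_idx = next((i for i, (_, rva, vs, _) in enumerate(sections) if rva <= entry < rva + vs), None)
    last_chars = sections[-1][3]
    rwx_last = bool(last_chars & SCN_EXEC) and bool(last_chars & SCN_WRITE)
    return ep_idx is not None and ep_idx != len(sections) - 1 and rwx_last

def build_pe(sections, entry: int) -> bytes:
    """Constructed minimal PE32 header set (no real code) so the check can run offline."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, entry)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, rva, 0, 0, 0, 0, 0, 0, c)
                     for n, rva, vs, c in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

# Constructed samples: a clean layout, and the same host after an append-to-last-section style
# infection (entry point untouched at 0x1200, last section grown and marked executable+writable).
CLEAN = build_pe([(".text", 0x1000, 0x2000, SCN_CODE | SCN_EXEC | SCN_READ),
                  (".data", 0x3000, 0x1000, SCN_DATA | SCN_READ | SCN_WRITE)], 0x1200)
INFECTED = build_pe([(".text", 0x1000, 0x2000, SCN_CODE | SCN_EXEC | SCN_READ),
                     (".data", 0x3000, 0x9000, SCN_DATA | SCN_READ | SCN_WRITE | SCN_EXEC)], 0x1200)

if __name__ == "__main__":
    print("clean:", last_section_hijack(CLEAN), "infected-style:", last_section_hijack(INFECTED))
```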

Sality may execute a malicious payload that deletes files with certain extensions and/or beginning with specific strings, terminates security-related processes and services, searches a user's address book for e-mail addresses to send spam messages, and contacts a remote host. Sality may also download additional executable files to install other malware and to propagate pay-per-install applications. Sality may contain Trojan components; some variants may have the ability to steal sensitive personal or financial data (i.e. information stealers), generate and relay spam, relay traffic via HTTP proxies, infect web sites, and carry out distributed computing tasks such as password cracking, among other capabilities.

Wikipedia