{
	"id": "58b82869-c7ad-4f8a-8db2-1df10ca8cd26",
	"created_at": "2026-04-06T00:06:42.682525Z",
	"updated_at": "2026-04-10T03:21:39.698379Z",
	"deleted_at": null,
	"sha1_hash": "00bdb6b2dc6baa0e03f7e2732732cce0172a1f00",
	"title": "Sality (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 29281,
	"plain_text": "Sality (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 20:00:20 UTC\r\nF-Secure states that the Sality virus family has been circulating in the wild since as early as 2003. Over the years the malware has been developed and improved with the addition of new features, such as rootkit and backdoor functionality, keeping it an active and relevant threat despite its age. Modern Sality variants can also communicate over a peer-to-peer (P2P) network, allowing an attacker to control a botnet of Sality-infected machines. The combined resources of the Sality botnet may also be used by its controller(s) for other malicious actions, such as attacking routers.\r\nInfection\r\nSality viruses typically infect executable files on local, shared and removable drives. In earlier variants, the Sality virus simply added its own malicious code to the end of the infected (or host) file, a technique known as appending (not prepending, which would place the viral code before the host's code). The viral code that Sality inserts is polymorphic: it is re-encoded differently on each infection, so the bytes of one infected file do not serve as a simple signature for the next and analysis is made more difficult.\r\nEarlier Sality variants were regarded as technically sophisticated in that they used an Entry Point Obscuration (EPO) technique to hide their presence in infected files. Rather than redirecting the file's entry point to the viral code, the virus patches a jump instruction somewhere in the middle of the host's existing code; when execution reaches that instruction, control is diverted to the malware's code, which is executed instead. Because the entry point itself still looks legitimate, this technique makes discovery and disinfection of the malicious code harder.\r\nPayload\r\nOnce installed on the computer system, Sality viruses usually also execute a malicious payload. The specific actions performed depend on the variant in question, but generally Sality viruses will attempt to terminate processes, particularly those related to security programs. The virus may also attempt to open connections to remote sites, download and run additional malicious files, and steal data from the infected machine.\r\n[TLP:WHITE] win_sality_auto (20251219 | Detects win.sality.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.sality",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.sality"
	],
	"report_names": [
		"win.sality"
	],
	"threat_actors": [],
	"ts_created_at": 1775434002,
	"ts_updated_at": 1775791299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00bdb6b2dc6baa0e03f7e2732732cce0172a1f00.pdf",
		"text": "https://archive.orkl.eu/00bdb6b2dc6baa0e03f7e2732732cce0172a1f00.txt",
		"img": "https://archive.orkl.eu/00bdb6b2dc6baa0e03f7e2732732cce0172a1f00.jpg"
	}
}
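The Infection section of the record above describes two traits of early Sality infections: viral code appended to the host file, and an Entry Point Obscuration (EPO) jump patched into the host's existing code while the entry point is left alone. The following is an added example, not code from the Malpedia page, from F-Secure, or from Sality itself: a Python triage script that builds a constructed minimal PE32 image in memory, models an appending-plus-EPO infection of it, and flags the structural traces such an infection leaves (overlay bytes past the last declared section, a section that is both writable and executable, an entry point outside a code section, and a rel32 jump that leaves the entry-point section). The PE layout, opcode bytes, section names, offsets and RVAs are assumptions chosen for illustration; real Sality samples differ, and the checks are heuristics for an analyst, not a detection signature.

```python
"""Static triage for the two infection traits described in the Infection
section: viral code appended to the host file, and an Entry Point
Obscuration (EPO) jump patched into the host's code.

Added example, not code from the Malpedia/F-Secure page and not Sality's own
algorithm. Builds a constructed PE32 image, derives an 'infected' copy that
models appending plus an EPO jump, and runs structural checks over both.
Layout, opcodes and RVAs are illustrative assumptions; output is heuristic.
"""
import struct

# PE section characteristics and alignments (PE/COFF specification values)
SCN_CODE, SCN_IDATA = 0x00000020, 0x00000040
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000


def align(x, a):
    return -(-x // a) * a


def build_pe(sections, entry):
    """Lay out a minimal PE32 image (enough for parse_pe below, not a loadable
    program). sections: list of (name, rva, raw_bytes, characteristics)."""
    n = len(sections)
    hdr_len = align(0x40 + 4 + 20 + 0xE0 + 40 * n, FILE_ALIGN)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, 0, 0, 0, entry,
                      sections[0][1], 0, 0x400000, SECT_ALIGN, FILE_ALIGN)
    opt = opt.ljust(0xE0, b"\0")                                  # PE32 optional header size
    table, body, ptr = b"", b"", hdr_len
    for name, rva, raw, chars in sections:
        rawsize = align(len(raw), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), rva,
                             rawsize, ptr, 0, 0, 0, 0, chars)
        body += raw.ljust(rawsize, b"\0")
        ptr += rawsize
    return (dos + b"PE\0\0" + coff + opt + table).ljust(hdr_len, b"\0") + body


def parse_pe(img):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", img, pe + 6)[0]
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]
    entry = struct.unpack_from("<I", img, pe + 24 + 16)[0]
    secs = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", img, pe + 24 + opt_size + 40 * i)
        secs.append(dict(name=name.rstrip(b"\0").decode(), va=va, vsize=vsize,
                         rawptr=rawptr, rawsize=rawsize, chars=chars))
    return entry, secs


def section_for_rva(secs, rva):
    for s in secs:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def triage(img):
    """Heuristic findings for an appending / EPO file infector."""
    entry, secs = parse_pe(img)
    findings = []
    # 1. Overlay: bytes past the last declared section (code tacked onto the file end).
    end = max(s["rawptr"] + s["rawsize"] for s in secs)
    if len(img) > end:
        findings.append(f"overlay:{len(img) - end}")
    # 2. Writable and executable sections: an appender that extends a data
    #    section must make it executable for the appended code to run.
    for s in secs:
        if s["chars"] & SCN_EXEC and s["chars"] & SCN_WRITE:
            findings.append(f"rwx:{s['name']}")
    # 3. Entry point outside a code section (the non-EPO way to hijack control).
    ep = section_for_rva(secs, entry)
    if ep is None or not ep["chars"] & SCN_CODE:
        findings.append("ep_outside_code")
    # 4. EPO heuristic: a rel32 jmp (E9) in the entry section whose target lies
    #    in another section or outside the image. Legitimate code has such
    #    jumps too, so this is a lead for a human, not a verdict.
    if ep is not None:
        code = img[ep["rawptr"]:ep["rawptr"] + ep["rawsize"]]
        for i in range(len(code) - 4):
            if code[i] != 0xE9:
                continue
            src = ep["va"] + i
            tgt = (src + 5 + struct.unpack_from("<i", code, i + 1)[0]) & 0xFFFFFFFF
            if section_for_rva(secs, tgt) is not ep:
                findings.append(f"jmp_out:{src:#x}->{tgt:#x}")
    return findings


# Constructed host: .text = push ebp; mov ebp,esp; sub esp,0x10; nops; xor eax,eax; pop ebp; ret
HOST_TEXT = b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 16 + b"\x33\xc0\x5d\xc3"
HOST_DATA = b"host data\0"
VIRAL = b"\x60" + b"\x90" * 6 + b"\x61\xc3"   # pushad; nops; popad; ret (placeholder body)
CLEAN = build_pe([(".text", 0x1000, HOST_TEXT, SCN_CODE | SCN_EXEC | SCN_READ),
                  (".data", 0x2000, HOST_DATA, SCN_IDATA | SCN_READ | SCN_WRITE)], entry=0x1000)


def infect(text, data, viral, text_va=0x1000, data_va=0x2000, patch_off=6):
    """Model of an appending, EPO-style infection (illustrative, not Sality's
    algorithm): append viral code to the last section, make it executable, and
    overwrite 5 bytes mid-.text with a jmp to it. The entry point is untouched."""
    tgt = data_va + len(data)
    rel = tgt - (text_va + patch_off + 5)
    patched = text[:patch_off] + b"\xe9" + struct.pack("<i", rel) + text[patch_off + 5:]
    return build_pe([(".text", text_va, patched, SCN_CODE | SCN_EXEC | SCN_READ),
                     (".data", data_va, data + viral, SCN_IDATA | SCN_READ | SCN_WRITE | SCN_EXEC)],
                    entry=text_va)


INFECTED = infect(HOST_TEXT, HOST_DATA, VIRAL)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("epo-infected", INFECTED), ("overlay", CLEAN + VIRAL)):
        print(f"{label:13s} {triage(img) or 'no findings'}")
```

Run directly, the script reports nothing for the clean image, an RWX last section plus a jump from .text into .data for the EPO-infected image, and nine overlay bytes for the copy with code simply tacked onto the file end. The E9 scan is the check to treat with most care: compilers emit cross-section jumps too and the byte 0xE9 occurs in data, so on real binaries the "jmp_out" findings are a list of places to disassemble, not evidence of infection on their own.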