{
	"id": "e912ea13-e3a2-4755-95a0-1cab67cb557a",
	"created_at": "2026-04-06T00:21:52.355293Z",
	"updated_at": "2026-04-10T03:21:53.170733Z",
	"deleted_at": null,
	"sha1_hash": "9b64eb37cc939f285774886249b2467dcb55170e",
	"title": "Sality",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 206417,
	"plain_text": "Sality\r\nBy Contributors to Wikimedia projects\r\nPublished: 2012-01-13 · Archived: 2026-04-05 14:34:17 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nSality is the classification for a family of malicious software (malware) infecting Microsoft Windows system files.\r\nSality was first discovered in 2003 and has advanced into a dynamic, enduring, full-featured form of malicious\r\ncode. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet to relay\r\nspam, proxy communications, exfiltrate sensitive data, compromise web servers, and/or coordinate distributed\r\ncomputing tasks to process intensive tasks (e.g., password cracking). Since 2010, certain variants of Sality have\r\nalso incorporated rootkit functions as part of an ongoing evolution of the malware family. Because of its continued\r\ndevelopment and capabilities, Sality is considered one of the most complex and formidable forms of malware to\r\ndate.\r\nThe majority of Antivirus (A/V) vendors use the following naming conventions when referring to this family of\r\nmalware:\r\nSality\r\nSalLoad\r\nKookoo\r\nSaliCode\r\nKukacka\r\nSality is a family of polymorphic file infectors, which target Windows executable files with the extensions .EXE\r\nor .SCR.\r\n[1]\r\n Sality utilizes polymorphic and entry-point obscuring (EPO) techniques to infect files using the\r\nfollowing methods: not changing the entry point address of the host, and replacing the original host code at the\r\nentry point of the executable with a variable stub to redirect execution to the polymorphic viral code, which has\r\nbeen inserted in the last section of the host file;[2][3] the stub decrypts and executes a secondary region, known as\r\nthe loader; finally, the loader runs in a separate thread within the infected process to eventually load the Sality\r\npayload.[2]\r\nSality may execute a malicious payload that deletes files with certain extensions and/or beginning with specific\r\nstrings, terminates security-related processes and services, searches a user's address book for e-mail addresses to\r\nsend spam messages,[4] and contacts a remote host. Sality may also download additional executable files to install\r\nother malware, and for the purpose of propagating pay per install applications. Sality may contain Trojan\r\ncomponents; some variants may have the ability to steal sensitive personal or financial data (i.e., information\r\nstealers),[5] generate and relay spam, relay traffic via HTTP proxies, infect websites, and achieve distributed\r\ncomputing tasks such as password cracking, as well as other capabilities.[2]\r\nhttps://en.wikipedia.org/wiki/Sality\r\nPage 1 of 6\n\nSality's downloader mechanism downloads and executes additional malware as listed in the URLs received using\r\nthe peer-to-peer component. The distributed malware may share the same “code signature” as the Sality payload,\r\nwhich may provide attribution to one group and/or indicate that they share a large portion of the code. The\r\nadditional malware typically communicates with and reports to central command and control (C\u0026C) servers\r\nlocated throughout the world. According to Symantec, the \"combination of file infection mechanism and the fully\r\ndecentralized peer-to-peer network [...] makes Sality one of the most effective and resilient malware in today's\r\nthreat landscape.\"[2]\r\nTwo versions of the botnet are currently active: versions 3 and 4. The malware circulated on those botnets is\r\ndigitally signed by the attackers to prevent a hostile takeover. In recent years, Sality has also included the use of\r\nrootkit techniques to maintain persistence on compromised systems and evade host-based detections, such as anti-virus software.[6]\r\nThe top countries affected by the botnet were India, Vietnam, and Morocco.[7]\r\nSality infects files in the affected computer. Most variants use a DLL that is dropped once on each computer. The\r\nDLL file is written to disk in two forms, for example:\r\n%SYSTEM%\\wmdrtc32.dll\r\n%SYSTEM%\\wmdrtc32.dl_\r\nThe DLL file contains the bulk of the virus code. The file with the extension \".dl_\" is the compressed copy. Recent\r\nvariants of Sality, such as Virus:Win32-Sality.AM, do not drop the DLL; instead, load it entirely in memory\r\nwithout writing it to disk. This variant, along with others, also drop a driver with a random file name in the folder\r\n%SYSTEM%\\drivers. Other malware may also drop Sality in the computer. For example, a Sality variant detected\r\nas Virus:Win32-Sality.AU is dropped by Worm:Win32-Sality.AU.[1] Some Sality variants may also include a\r\nrootkit by creating a device named Device\\amsint32 or \\DosDevices\\amsint32.[6]\r\nMethod of propagation\r\n[edit]\r\nSality usually targets all files in drive C: that have .SCR or .EXE file extensions, beginning with the root folder.\r\nInfected files increase in size by a varying amount.\r\nThe virus also targets applications that run at each Windows start and frequently used applications, referenced by\r\nthe following registry keys:\r\nHKCU\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run[1]\r\nSality avoids infecting particular files in order to remain hidden in the computer:\r\nFiles protected by System File Checker (SFC)\r\nFiles under the %SystemRoot% folder\r\nhttps://en.wikipedia.org/wiki/Sality\r\nPage 2 of 6\n\nExecutables of several antivirus/firewall products ignore files that contain certain substrings\r\nRemovable drives and network shares\r\n[edit]\r\nSome Sality variants can infect legitimate files, which are then moved to available removable drives and network\r\nshares by enumerating all network share folders and resources of the local computer and all files in drive C:\r\n(beginning with the root folder). It infects the files it finds by adding a new code section to the host and inserting\r\nits malicious code into the newly added section. If a legitimate file exists, the malware will copy the file to the\r\nTemporary Files folder and then infect the file. The resulting infected file is then moved to the root of all available\r\nremovable drives and network shares as any of the following:\r\nrandom file name.pif\r\nrandom file name.exe\r\nrandom file name.cmd\r\nThe Sality variant also creates an \"autorun.inf\" file in the root of all these drives that points to the virus copy.\r\nWhen a drive is accessed from a computer supporting the AutoRun feature, the virus is then launched\r\nautomatically.\r\n[1]\r\n Some Sality variants may also drop a file with a .tmp file extension to the discovered network\r\nshares and resources as well as drop a .LNK file to run the dropped virus.[8]\r\nSality may inject code into running processes by installing a message hook[9]\r\nSality commonly searches for and attempts to delete files related to antivirus updates and terminate security\r\napplications, such as antivirus and personal firewall programs; attempts to terminate security applications\r\ncontaining the same strings as the files it avoids infecting; and may also terminate security-related services\r\nand block access to security-related websites that contain certain substrings[1][2][3][8][10][11][12][13][14][15]\r\n[16][17]\r\nSality variants may modify the computer registry to lower Windows security, disable the use of the\r\nWindows Registry Editor and/or prevent the viewing of files with hidden attributes; Some Sality variants\r\nrecursively delete all registry values and data under the registry subkeys for\r\nHKCU\\System\\CurrentControlSet\\Control\\SafeBoot and\r\nHKLM\\System\\CurrentControlSet\\Control\\SafeBoot to prevent the user from starting Windows in safe\r\nmode[1][4][8][10][11][18][19][20]\r\nSome Sality variants can steal sensitive information such as cached passwords and logged keystrokes,\r\nwhich were entered on the affected computer[1][13][15]\r\nSality variants usually attempt to download and execute other files including pay per install executables\r\nusing a preconfigured list of up to 1000 peers; the goal of the P2P network is to exchange lists of URLs to\r\nfeed to the downloader functionality; the files are downloaded into the Windows Temporary Files folder\r\nand decrypted using one of several hardcoded passwords[1][2][3][5][9][10][11][12][13][14][15][16][18][20][21]\r\nMost of Sality's payload is executed in the context of other processes, which makes cleaning difficult and\r\nallows the malware to bypass some firewalls; to avoid multiple injections in the same process, a system-https://en.wikipedia.org/wiki/Sality\r\nPage 3 of 6\n\nwide mutex called \u003cprocess name\u003e.exeM_\u003cprocess ID\u003e_ is created for every process in which code is\r\ninjected, which would prevent more than one instance from running in memory at the same time.[1]\r\nSome variants of Win32-Sality drop a driver with a random file name in the folder %SYSTEM%\\drivers to\r\nperform similar functions such as terminate security-related processes and block access to security-related\r\nwebsites, and may also disable any system service descriptor table (SSDT) hooks to prevent certain\r\nsecurity software from working properly[1][2][3][10][11][12][18][20][22][23]\r\nSome Sality variants spread by moving to available removable/remote drives and network shares[1][2][3][8]\r\n[9][11][12][20]\r\nSome Sality variants drop .LNK files, which automatically run the dropped virus[8]\r\nSome Sality variants may search a user's Outlook address book and Internet Explorer cached files for e-mail addresses to send spam messages, which then sends out spammed messages based on information it\r\nretrieves from a remote server[4]\r\nSality may add a section to the configuration file %SystemRoot%\\system.ini as an infection marker,\r\ncontact remote hosts to confirm Internet connectivity, report a new infection to its author, receive\r\nconfiguration or other data, download and execute arbitrary files (including updates or additional malware),\r\nreceive instruction from a remote attacker, and/or upload data taken from the affected computer; some\r\nSality Variants may open a remote connection, allowing a remote attacker to download and execute\r\narbitrary files on the infected computer[4][9][11][12][13][14][15][16][18][20][21]\r\nComputers infected with recent versions of Sality, such as Virus:Win32-Sality.AT, and Virus:Win32-\r\nSality.AU, connect to other infected computers by joining a peer-to-peer (P2P) network to receive URLs\r\npointing to additional malware components; the P2P protocol runs over UDP, all the messages exchanged\r\non the P2P network are encrypted, and the local UDP port number used to connect to the network is\r\ngenerated as a function of the computer name[1]\r\nSality may add a rootkit that includes a driver with capabilities such as terminating processes via\r\nNtTerminateProcess as well as blocking access to select anti-virus resources (e.g. anti-virus vendor web\r\nsites) by way of IP Filtering; the latter requires the driver to register a callback function, which will be used\r\nto determine if packets should be dropped or forwarded (e.g. drop packets if string contains the name of an\r\nanti-virus vendor from a comprised list)[6]\r\nMicrosoft has identified dozens of files which are all commonly associated with the malware.[1][4][8][9][10][11][12]\r\n[13][14][15][16][17][21][22][23][24][25][26][27]\r\n Sality uses stealth measures to maintain persistence on a system; thus,\r\nusers may need to boot to a trusted environment in order to remove it. Sality may also make configuration changes\r\nsuch as to the Windows Registry, which makes it difficult to download, install and/or update virus protection.\r\nAlso, since many variants of Sality attempt to propagate to available removable/remote drives and network shares,\r\nit is important to ensure the recovery process thoroughly detects and removes the malware from any and all\r\nknown/possible locations.\r\nComputer virus\r\n1. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n \r\nf\r\n \r\ng\r\n \r\nh\r\n \r\ni\r\n \r\nj\r\n \r\nk\r\n \r\nl\r\n m Microsoft Malware Protection Center (2010-08-07). \"Win32-Sality\".\r\nMicrosoft. Archived from the original on 2013-09-17. Retrieved 2012-04-22.\r\nhttps://en.wikipedia.org/wiki/Sality\r\nPage 4 of 6\n\n2. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n \r\nf\r\n \r\ng\r\n \r\nh\r\n Nicolas Falliere (2011-08-03). \"Sality: Story of a Peer-to-Peer Viral Network\"\r\n(PDF). Symantec. Archived from the original (PDF) on September 24, 2015. Retrieved 2012-01-12.\r\n3. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n Angela Thigpen and Eric Chien (2010-05-20). \"W32.Sality\". Symantec. Archived\r\nfrom the original on 2013-10-05. Retrieved 2012-04-22.\r\n4. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n Microsoft Malware Protection Center (2009-05-29). \"Win32-Sality.A\". Microsoft.\r\nRetrieved 2012-04-22.\r\n5. ^ Jump up to: a\r\n \r\nb\r\n FireEye, Inc (2012-02-14). \"FireEye Advanced Threat Report - 2H 2011\" (PDF).\r\nFireEye. Archived from the original (PDF) on 2012-05-22. Retrieved 2012-04-22.\r\n6. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n Artem I. Baranov (2013-01-15). \"Sality Rootkit Analysis\". Archived from the original on\r\n2013-08-10. Retrieved 2013-01-19.\r\n7. ^ \"Kaspersky Threats — Sality\". threats.kaspersky.com.\r\n8. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n \r\nf\r\n Microsoft Malware Protection Center (2010-07-30). \"Worm:Win32-Sality.AU\".\r\nMicrosoft. Archived from the original on 2013-09-27. Retrieved 2012-04-22.\r\n9. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n Microsoft Malware Protection Center (2010-04-28). \"Virus:Win32-Sality.G.dll\".\r\nMicrosoft. Retrieved 2012-04-22.\r\n10. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n Microsoft Malware Protection Center (2010-06-28). \"Virus:Win32-Sality.AH\".\r\nMicrosoft. Retrieved 2012-04-22.\r\n11. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n \r\nf\r\n \r\ng\r\n Microsoft Malware Protection Center (2010-08-27). \"Virus:Win32-\r\nSality.gen!AT\". Microsoft. Retrieved 2012-04-22.\r\n12. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n \r\nf\r\n Microsoft Malware Protection Center (2010-10-21). \"Virus:Win32-Sality.gen!Q\".\r\nMicrosoft. Retrieved 2012-04-22.\r\n13. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n Microsoft Malware Protection Center (2008-07-03). \"Virus:Win32-Sality.R\".\r\nMicrosoft. Archived from the original on 2014-04-04. Retrieved 2012-04-22.\r\n14. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n Microsoft Malware Protection Center (2008-07-07). \"Virus:Win32-Sality.T\".\r\nMicrosoft. Archived from the original on 2014-04-04. Retrieved 2012-04-22.\r\n15. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n Microsoft Malware Protection Center (2008-07-07). \"Virus:Win32-Sality.AN\".\r\nMicrosoft. Retrieved 2012-04-22.\r\n16. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n Microsoft Malware Protection Center (2009-03-06). \"Virus:Win32-Sality.S\".\r\nMicrosoft. Retrieved 2012-04-22.\r\n17. ^ Jump up to: a\r\n \r\nb\r\n Microsoft Malware Protection Center (2008-07-08). \"Virus:Win32-Sality\". Microsoft.\r\nArchived from the original on 2012-01-01. Retrieved 2012-04-22.\r\n18. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n Microsoft Malware Protection Center (2010-07-30). \"Virus:Win32-Sality.AU\".\r\nMicrosoft. Archived from the original on 2013-09-27. Retrieved 2012-04-22.\r\n19. ^ Microsoft Malware Protection Center (2010-07-30). \"TrojanDropper:Win32-Sality.AU\". Microsoft.\r\nRetrieved 2012-04-22.\r\n20. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n Microsoft Malware Protection Center (2010-04-26). \"Virus:Win32-Sality.AT\".\r\nMicrosoft. Archived from the original on 2014-01-30. Retrieved 2012-04-22.\r\n21. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n Microsoft Malware Protection Center (2007-11-16). \"Virus:Win32-Sality.M\". Microsoft.\r\nArchived from the original on 2014-04-05. Retrieved 2012-04-22.\r\nhttps://en.wikipedia.org/wiki/Sality\r\nPage 5 of 6\n\n22. ^ Jump up to: a\r\n \r\nb\r\n Microsoft Malware Protection Center (2010-08-10). \"Trojan:WinNT-Sality\". Microsoft.\r\nArchived from the original on 2013-12-05. Retrieved 2012-04-22.\r\n23. ^ Jump up to: a\r\n \r\nb\r\n Microsoft Malware Protection Center (2010-09-17). \"WinNT-Sality\". Microsoft. Retrieved\r\n2012-04-22.\r\n24. ^ Microsoft Malware Protection Center (2010-04-14). \"Virus:Win32-Sality.G\". Microsoft. Archived from\r\nthe original on 2014-04-05. Retrieved 2012-04-22.\r\n25. ^ Microsoft Malware Protection Center (2008-07-08). \"Virus:Win32-Sality.AM\". Microsoft. Archived from\r\nthe original on 2013-12-09. Retrieved 2012-04-22.\r\n26. ^ Microsoft Malware Protection Center (2009-06-17). \"Virus:Win32-Sality.gen!P\". Microsoft. Retrieved\r\n2012-04-22.\r\n27. ^ Microsoft Malware Protection Center (2009-09-02). \"Virus:Win32-Sality.gen\". Microsoft. Retrieved\r\n2012-04-22.\r\nSource: https://en.wikipedia.org/wiki/Sality\r\nhttps://en.wikipedia.org/wiki/Sality\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Sality"
	],
	"report_names": [
		"Sality"
	],
	"threat_actors": [],
	"ts_created_at": 1775434912,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b64eb37cc939f285774886249b2467dcb55170e.pdf",
		"text": "https://archive.orkl.eu/9b64eb37cc939f285774886249b2467dcb55170e.txt",
		"img": "https://archive.orkl.eu/9b64eb37cc939f285774886249b2467dcb55170e.jpg"
	}
}