Monday, October 10, 2011

Sality Removal Tool

This post is about the Sality virus and its variants and types: Virus.Win32.Sality.aa, Virus.Win32.Sality.ae, Virus.Win32.Sality.ag, Virus.Win32.Sality.bh

What does Sality do?
It infects most of the running processes, denies access to any antivirus website, and would render programs unusable if there is no antivirus. It is actually a script that sits somewhere on the computer and keeps infecting the running programs. The antivirus (if installed) might get hold of the infected program, but not the actual script, which is why as soon as the antivirus disinfects the program, it gets infected again, and this process keeps going. Since the antivirus disinfects the programs, no work actually stops (at least in my case), but the infection is still there.

Ways of infection
A few probable ways of infection would be inserting an infected removable drive/USB, opening an infected email/attachment, and accessing an infected website.

Removal
Yes, this is the reason you're on this page, actually :) So let's get to it!
It would be best to write down what I did, in chronological order.
First I tried updating and running my installed antivirus (ESET). It would disinfect the virus-affected programs, but not the script, because of which, thankfully, everything was always working (the infection was on the server). Then I ran a Sality removal tool I downloaded from a website; that didn't solve the problem.
It mentions a lot of steps about updating and so on; since I had already invested 3 hours solving the problem, I directly ran salitykiller.exe. First it ended all the infected running processes like LogMeIn, DynDNS and others. Then it started to find the script; within half an hour it had found and deleted, or as it says, killed Sality, most of which was found in tmp. Immediately after it was found, the popup that I was constantly getting from ESET about disinfection of a particular exe was gone. I restarted the server and found that I could go to antivirus websites, then I updated ESET again and ran a deep scan; it found some more residual infected files and cleaned/quarantined them.

Preventive measures
Turn off the autorun of CDs and removable drives, especially on servers. Also be careful opening email attachments; in fact, do not use the server for accessing emails or browsing. Keep your server and antivirus updated.
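The first preventive measure above (turning off autorun for CDs and removable drives) can be applied and verified from an elevated PowerShell prompt. The script below is an added example and is not part of the original post or of any Sality removal tool; it uses the standard Windows Explorer policy value NoDriveTypeAutoRun, where the bitmask 0xFF disables AutoRun for every drive type.

```powershell
# Added example (not from the original post): disable AutoRun for all drive types
# through the Explorer policy key, for all users (HKLM) and the current user (HKCU),
# then read the value back to confirm it took effect. Run from an elevated prompt.

function Disable-AutoRun {
    $policyKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',  # machine-wide
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # current user
    )

    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) {
            # Policy key does not exist on a fresh install; create it.
            New-Item -Path $key -Force | Out-Null
        }
        # NoDriveTypeAutoRun is a bitmask of drive types; 0xFF covers removable,
        # fixed, network, CD-ROM and RAM drives, i.e. AutoRun is off everywhere.
        Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    }

    # Verification pass: report each key's current setting.
    foreach ($key in $policyKeys) {
        $current = (Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' `
                        -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($current -eq 0xFF) {
            Write-Output ("{0} : AutoRun disabled for all drive types (0x{1:X2})" -f $key, $current)
        } else {
            Write-Output ("{0} : AutoRun NOT fully disabled (value: {1})" -f $key, $current)
        }
    }
}

Disable-AutoRun
```

The value is read by Explorer at logon, so sign out or reboot after running it. On a server this is worth pairing with the post's other advice (no email or browsing from the server), since the policy only stops automatic execution from inserted media; it does nothing against an attachment the user opens by hand.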

P.S.:
One of the most important things is to be patient, as virus removal can take a lot of time. Eventually you will definitely find it; just keep looking :) Best of luck