Would it be impossible to detect the Sality virus in an .exe? A file-infector virus.



With the AVG Rescue CD, at the step where it can delete some .dll and .exe files infected with Win32 hero, and with Avast, it can detect some .EXE programs infected with Win32 Sality.
But this does not delete all the infected .exe or .dll files, which infect other .exe files again with Sality. There must be some hidden .dll or .exe that reloads and infects other .exe files again.

The question is: how can you tell whether an .exe is infected by the Win32 Sality or Win32 hero virus? Can the antivirus tell?
For example, Windows may be infected and the antivirus cannot detect any infected .dll or .exe on Windows. But on another HD, or in a folder with only .exe files, can you tell from the antivirus whether they are infected or not?

 


They say a file infector is a virus hidden inside an .scr or .exe file, and that it is impossible to detect.
But you can test to see whether a file carries the virus: perhaps in a virtual machine with Windows, run all the .exe files on the HD and see whether Windows became infected or not afterwards. (It is a very primitive way to test the files, but it gives 100% certainty. Just test all the files, and if the PC continues without the virus for a week, then those files were clean.)

I've seen my Avast detect an .exe with Win32 Sality, and my AVG rescue disc detect a .dll with Win32 hero, yet Windows is still infected with the file-infector virus.
And the files on another HD? I have .exe files on another HD; how do you know whether those .exe files are infected by the Win32 Sality virus or not?


I don't know if English is or isn't your first language, but this post doesn't make much sense, so I will try and answer it as best as I can.

 

As far as I am aware, by default, when you perform a 'Full Scan' on a computer, it will scan all files in the selected targets. So if you tell it to scan the 'Whole PC', it will scan all drives connected to it, and all files/folders within those drives. With that in mind, if there is an infection on a machine, it doesn't matter what file format the virus is in as the 'Full Scan' will scan all files regardless of the file type.

 

If you wanted to be doubly sure, I would use multiple good anti-viruses and perform a full scan using these. If they don't pick anything up, then chances are you aren't infected.

 

 


2 hours ago, Daedroth said:

I don't know if English is or isn't your first language, but this post doesn't make much sense, so I will try and answer it as best as I can.

 

As far as I am aware, by default, when you perform a 'Full Scan' on a computer, it will scan all files in the selected targets. So if you tell it to scan the 'Whole PC', it will scan all drives connected to it, and all files/folders within those drives. With that in mind, if there is an infection on a machine, it doesn't matter what file format the virus is in as the 'Full Scan' will scan all files regardless of the file type.

 

If you wanted to be doubly sure, I would use multiple good anti-viruses and perform a full scan using these. If they don't pick anything up, then chances are you aren't infected.

 

 

Do you know about the danger of this virus?
The only way to delete Win32 Sality is to delete all .scr and .exe files on the HD and format the infected Windows.

People only know how to format and delete things. I wanted to know how to detect a virus that is hidden inside a file, or whether the antivirus can detect it.

But you know that the HD has the virus just because the antivirus and the AVG rescue antivirus keep coming back showing a virus-infection alert.


To date there is no way to remove the Win32 Sality, KUKACKA, heri, etc. viruses.
These programs only have the effect of lowering the infection; only deleting all .scr and .exe files and formatting Windows gives 100% virus removal.


18 minutes ago, kifirefox said:

To date there is no way to remove the Win32 Sality, KUKACKA, heri, etc. viruses.
These programs only have the effect of lowering the infection; only deleting all .scr and .exe files and formatting Windows gives 100% virus removal.

Google seems to disagree with you, on a large scale.


By default, all antiviruses do scan within files, especially DLLs.  This is why it takes many hours to scan your system with good antivirus software.  There are some that just look at the checksums and other features of the files to help determine if they are good or not, which run much faster (completes in minutes, usually within 30 minutes, many times under 15 minutes); these do not go as deep.

The antiviruses can and will inoculate, quarantine, or delete the files that are infected.  Most current antiviruses will find the current and older variants and nullify the payload, but even they can miss the latest.  It is good practice, once infected, to wipe and reinstall the OS, simply because an end user or someone who cannot monitor the infection properly will not know of the tools needed to monitor whether it was truly cleaned.  This involves system and network monitoring.  If you do not have the time or know how, it is simply much faster and safer to completely wipe and reinstall than it is to monitor for weeks and not really know what you are looking at... you may falsely accuse files of doing things that they are supposed to be doing, or not pay attention to files that are communicating at random times.  Most malware is designed to hide itself, so it will hide itself as other processes, it will only communicate in small bursts, and it will be almost impossible to find once you identify communications.  It really isn't for the novice or hobbyist to attempt.

 

 


35 minutes ago, kifirefox said:

To date there is no way to remove the Win32 Sality, KUKACKA, heri, etc. viruses.
These programs only have the effect of lowering the infection; only deleting all .scr and .exe files and formatting Windows gives 100% virus removal.

I'm not entirely sure I agree with what you think you are trying to say...


14 minutes ago, Nik Louch said:

I'm not entirely sure I agree with what you think you are trying to say...

 

31 minutes ago, adrynalyne said:

Google seems to disagree with you, on a large scale.

I can say that there is no 100% way to remove this virus with a program; only formatting and deleting.

In most cases of infection I have seen, most people recommend deleting all .scr and .exe files (or other file formats like autorun).

I've never seen a case of anyone succeeding with this virus, only loss. Is there any topic where someone has had success with this kind of virus?

 

 

16 minutes ago, sc302 said:

By default, all antiviruses do scan within files, especially DLLs.  This is why it takes many hours to scan your system with good antivirus software.  There are some that just look at the checksums and other features of the files to help determine if they are good or not, which run much faster (completes in minutes, usually within 30 minutes, many times under 15 minutes); these do not go as deep.

The antiviruses can and will inoculate, quarantine, or delete the files that are infected.  Most current antiviruses will find the current and older variants and nullify the payload, but even they can miss the latest.  It is good practice, once infected, to wipe and reinstall the OS, simply because an end user or someone who cannot monitor the infection properly will not know of the tools needed to monitor whether it was truly cleaned.  This involves system and network monitoring.  If you do not have the time or know how, it is simply much faster and safer to completely wipe and reinstall than it is to monitor for weeks and not really know what you are looking at... you may falsely accuse files of doing things that they are supposed to be doing, or not pay attention to files that are communicating at random times.  Most malware is designed to hide itself, so it will hide itself as other processes, it will only communicate in small bursts, and it will be almost impossible to find once you identify communications.  It really isn't for the novice or hobbyist to attempt.

Given that Sality overwrites some of the code of the file, there is no way to clean the file without reinstallation of the infected program.  sfc /scannow will attempt to replace OS files; however, if there are other infected files that are not among the files sfc /scannow will fix, there is no way to fix them without complete removal and reinstallation of the files.  Most antiviruses should be able to determine what is infected and possibly remove the code within the file.

I'm not interested in recovering the operating system but in recovering the infected .exe files.
They say that even if an antivirus detects and disinfects the files, they are never the same again and may fail in the future, or they are completely corrupted and unreadable.

 


"I'm not interested in recovering the operating system but recover infected .exe files."

 

If some virus overwrites code in an exe, then there are only two ways to get back your original exe: reinstall it from the original source, or restore it from backup.  I am having a very hard time understanding your posts, to be honest.

 

There is a big difference between removal of a virus and restoration of original data from damage a virus might inflict on files.

 

It's one thing if a virus adds some code to an exe; that could be cleaned/removed from the exe and this might be 100% the original exe before the "infection".  But if some of the code was overwritten/replaced with virus code, then no removal of the virus is going to get you back to 100% original of that exe.  You will need to restore the exe from a clean source or backup.


I can't stress enough how important backups and images are of machines...especially one off machines.  You should create backups and images fairly often to be able to recover. 

 

I won't say that it is a lost cause, but attempting to self-clean without backups... well, you will fail due to the complexity of it.   Even antivirus manufacturers aren't 100% at disinfecting an infected system, and if you know more than them you will be a billionaire.  The issue is that there is too much; this is why things like UAC have come into existence, which try to protect the files by requiring user interaction to be able to modify protected files in protected areas of the system... but even that isn't 100%, even more so when people disable it or attempt to disable it.  It isn't like you are asking to unscrew a panel; you are asking to essentially break down genetic code to take out a virus... going through possibly billions of lines of code.  An exe or dll can be recreated or restored easily provided you have the media to be able to do it. 

 

Could it be possible that you have downloaded software via p2p/torrents and in the install is a virus that you can't figure out how to remove and whatever av you have is either deleting the file or quarantining it?


"I can't stress enough how important backups and images are of machines"

 

QFT!!  The current rash of some new ransomware every other day just stresses this even more.  So the virus says, hey, I can not get to system files, you're just a user with no permissions, and it's too much work to try an exploit to gain system access, etc. etc..  But hey, I can sure encrypt your files since you ran me!!  So all those pictures you like, let's encrypt them with AES 256; give me $$ and you might get them back..  Or maybe I just freaking wrote garbage to them and tell you to give me $$ so you can decrypt them, when in fact they are just gone.

 

If you're not backing up your stuff, you're just plain stupid, point blank!  OSes can be reinstalled, that copy of Office can be reinstalled - the game can be reinstalled.  You might want to back up the files you create with Office, and you prob want to make sure you have a copy of the saved file of the 3000 hours you have put into game xyz, etc..

 

Sure, take an image of the whole thing; now if you get hit with something you just restore back to how it was before the problem.  So have a few images going back whatever you feel comfortable with: last week, 2 weeks ago, 1 month, 6 months, etc..  Your actual FILES, like trip to Paris pics, or kid's 1st bday video, that game that you spend every waking hour playing to reach new levels..  Those should be backed up and archived, with a DR copy somewhere completely offsite/offline... So if some bad code runs through your network it's not just touching all your backups as well, etc..  Having a copy of your pics on your D drive or your NAS that you have real-time access to is NOT a backup!!!  Syncing your files to the internet as they change is NOT a backup!!!

 

That copy on your NAS of your files that are sitting on your main PC as well protects you from the disk in your main PC crashing.  But it doesn't protect you from some ransomware running through every file it can find on your system or network-connected stuff, etc.  It doesn't protect you from a fire taking out your house, or a flood, etc.  And while your pictures sitting in Dropbox might be safe if your house caught fire and everything was gone, it's not going to be a valid backup if something is running through all the files it has access to and encrypting them.  Now guess what, that encrypted copy gets synced up to your Dropbox.  Now you might be able to get it back from a previous version, etc.  How long do they keep them?  How long before you notice your library of old pictures was damaged and synced up to the cloud??

 


12 minutes ago, Nik Louch said:

You know more than Kaspersky?

Some types of virus have variations that the program does not anticipate, or updates that the program does not recognize.
A program like an antivirus is a tool for a challenge, not an image editor.
I.e. you can use an antivirus, but that does not mean it will be able to detect the virus.

Many antiviruses are too weak, and often the virus is updated and re-released again when the hackers see that it is being picked up by a few people.


I think you are too naive; the virus challenges the antivirus and the antivirus challenges the virus. Taking an image file and editing it in an image editor is something else.
A virus and an antivirus program are challenging one another; that is why antiviruses are constantly updated every year.
An image editor from last year can continue to be a good image editor, even though it is outdated.

 


Huh??  Who said anything about image editors?  Virus scanners are never ever ever going to be able to find all viruses; it's an uphill battle for sure.  I don't think anyone said anything different.

 

The only way to make sure your files have not been infected would be to run something like Tripwire with a hash of every single file on your system.

 

Dat files from antivirus are updated every single day on all the major players, and then they have beta or emergency dat files that get updated like every few hours, etc., that you can download if you want.

 

It does not matter how the antivirus detects, be it via signature, heuristics, or some other method.  Detection is way different than "cleaning".  So let's say you get infected with xyz, and your antivirus misses it.  Then they come out with a new dat later that can detect it.  While they can prevent that exe from running further, and even remove bad code ("clean"), if the virus overwrote code, that previous code can not be restored by the antivirus.. How would it possibly be able to do that??

 

So is your point that antivirus is not perfect - nobody would disagree with you!!!  Can antivirus restore an exe to 100% original code if it has been overwritten? NO!!  What exactly is the point you're trying to make or debate here?  Shoot, there are some conspiracy theories that the antivirus vendors write viruses to stop and protect, or work with the gov agencies on how something would not be detected, etc..

 

I think you might have a better time with your discussion on a native-language board, to be honest.. Something seems to be getting lost in translation...

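The post above suggests running "something like tripwire with hash of every single file" to know whether files have changed. As an added illustration (not code from any poster in this thread, and not Tripwire itself), the following Python script records a SHA-256 for every file under a root, saves that baseline, and compares a later snapshot against it. The directory tree, file contents and later modifications in `demo()` are constructed for the example; a modified executable shows up in the "modified" list, which is exactly what a file infector produces (same path, different bytes).

```python
"""File-integrity baseline in the spirit of Tripwire: record a SHA-256 for
every file under a root, then compare a later snapshot against the saved
baseline to find files that were added, removed or modified.
Added example for this thread; not code from any poster or product."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file (relative POSIX path) under root to its digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result


def save_baseline(root: Path, out: Path) -> None:
    """Persist the snapshot as JSON; keep this file somewhere the scanned host cannot write."""
    out.write_text(json.dumps(snapshot(root), indent=2, sort_keys=True))


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences. 'modified' is the list a file infector produces:
    same path, different content."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline three files, then alter one, add one, delete one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "bin").mkdir(parents=True)
        # Constructed stand-ins for executables (just bytes, not real programs).
        (root / "bin" / "app.exe").write_bytes(b"MZ" + b"\x90" * 64)
        (root / "bin" / "tool.exe").write_bytes(b"MZ" + b"\xcc" * 64)
        (root / "readme.txt").write_bytes(b"hello")
        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(root, baseline_path)

        # Simulate what a later scan would see: one executable's bytes changed,
        # one new file appeared, one file is gone.
        (root / "bin" / "app.exe").write_bytes(b"MZ" + b"\x90" * 60 + b"XXXX")
        (root / "bin" / "extra.scr").write_bytes(b"MZ")
        (root / "readme.txt").unlink()

        baseline = json.loads(baseline_path.read_text())
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline only proves anything if it was taken from a known-clean state and is stored where the scanned machine cannot rewrite it (read-only media, another host), and hashing tells you that a file changed, not what changed it; a legitimate update and an infection look identical here, so the "modified" list is a starting point for triage, not a verdict.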

1 hour ago, BudMan said:

Huh??  Who said anything about image editors?  Virus scanners are never ever ever going to be able to find all viruses; it's an uphill battle for sure.  I don't think anyone said anything different.

 

The only way to make sure your files have not been infected would be to run something like Tripwire with a hash of every single file on your system.

 

Dat files from antivirus are updated every single day on all the major players, and then they have beta or emergency dat files that get updated like every few hours, etc., that you can download if you want.

 

It does not matter how the antivirus detects, be it via signature, heuristics, or some other method.  Detection is way different than "cleaning".  So let's say you get infected with xyz, and your antivirus misses it.  Then they come out with a new dat later that can detect it.  While they can prevent that exe from running further, and even remove bad code ("clean"), if the virus overwrote code, that previous code can not be restored by the antivirus.. How would it possibly be able to do that??

 

So is your point that antivirus is not perfect - nobody would disagree with you!!!  Can antivirus restore an exe to 100% original code if it has been overwritten? NO!!  What exactly is the point you're trying to make or debate here?  Shoot, there are some conspiracy theories that the antivirus vendors write viruses to stop and protect, or work with the gov agencies on how something would not be detected, etc..

 

I think you might have a better time with your discussion on a native-language board, to be honest.. Something seems to be getting lost in translation...

Despite the errors and translation shifts, I understand you.

My question was more of a comment; I was impressed after I did some tests with Win32 heri (a variant of Sality).
I never thought there would be a virus that the antivirus cannot detect. Or the virus may be updated or changed so that the antivirus cannot detect it as before.

So that's it. File-infector viruses are often invisible. And the ones that can be detected take one .exe or .dll, or a temporary file, but the infection is still in Windows. There are still other infected .exe files in Windows, and also files in memory, the registry, etc., in Windows.


"I never thought there would be a virus that the antivirus cannot detect. Or the virus may be updated or changed so that the antivirus cannot detect it as before."

 

How is that news to you?  That has been the way it's been since there have been viruses.  There has never been a time in the history of viruses that antivirus could catch every possible virus, etc.

 

To be honest, a big problem with antivirus is the false sense of security it can give a user: oh, if it was bad my antivirus would warn me, so I can just go clicking on anything I want, etc..  The first line of defense against bad code is always going to be the user; the problem is they are normally the problem ;)  What, I am the 1 millionth visitor and I won a car - click, click, click - shoot, this mouse doesn't click fast enough..  Oh, random email, you tried to send me money, but I am not accepting it, please open up this word doc to verify - click click click!!!

 

Oh isn't it nice my boss loves me - clickity clickity click click!! ;) ROFL!!!

 

Or the other thing.. But I installed antivirus last year.. Cost me $$$, was best of the best said website X, etc..  So how do I have a virus??  Well for starters your antivirus hasn't updated its dats since you installed it ;)


Hello,

 

Win32/Sality is actually one of the longer-running malware families.  It has been around since at least around 2003, so at this point, it's thirteen years old and has thousands of variants, if not more.

 

Sality propagates through multiple mechanisms.  It uses worm-like mechanisms to spread across networks, virus-like mechanisms to attach itself to executable files, and so forth.  It also acts as a bot in a botnet, using a peer-to-peer protocol for its C2 comms.  One of the last things I recall it doing is changing the DNS server settings on routers so that it could keep reinfecting hosts on the router's network if they got cleaned up.

 

Anyways, getting back to the virus part, one of the interesting things about Sality is that yes, it's an actual bona-fide computer virus, which is to say that it is a recursively self-replicating computer program that makes a (possibly evolved) copy of itself.  At least, that's the definition of computer virus that you're going to find most (if not all) malware researchers agree on.  However, one thing about Sality's viral mechanism is that its parasitism of its host executable files is not always successful and done correctly:  Instead of prepending or appending its code to a host executable file, sometimes it just overwrites the beginning of the host executable file.  When that occurs, disinfection is not possible, because the actual program instructions composing that particular executable file are no longer on the disk; they've been overwritten by the virus.

 

While it should be possible to remove all infected files from the system, whether by disinfecting the ones which can be disinfected correctly and deleting the rest of the overwritten ones, this will take a significant amount of time and effort, and doesn't account for any subsequent damage done by Sality.  Actually, that brings up another point.  Sality essentially operates as one of those "malware as a service" (or "crimeware as a service" or whatever you like) botnets.  The operators of Sality use infected computers for ad fraud, sending spam, DDoS, VoIP account theft, credential theft and so on.  So, you have to deal with the aftermath of that on the computer and its network as well.

 

As sc302 and BudMan noted, you're really going to be better off copying whatever data files you need from the computer, wiping its drive(s), then reinstalling your OS and apps from clean, known-good sources, because in addition to the malware itself, you're going to have to deal with any settings it might have modified in the operating system, which may be more time-consuming to mitigate.  Unless you are able to identify what every infected file did in terms of changes made to the operating system while under the control of the Sality botnet, the system will never be safe to use for things like logging into web sites which require a password.

 

Best of luck getting the system wiped and reloaded.  I hope you'll come back and tell us how things went with that when you're finished and have the system in a state of assured trust.

 

Regards,

 

Aryeh Goretsky

 

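The post above draws the line that matters for recovery: a host file whose original bytes are still on disk (virus code prepended or appended) can in principle be restored, while one whose beginning was overwritten cannot, because those instructions are gone. As an added illustration of that distinction (not code from this thread, from Sality research, or from any product), the following Python routine takes a suspect file's bytes together with the known-good size and SHA-256 recorded in an integrity baseline, and reports whether the original can still be carved out or whether the file must come back from clean media or backup. All sample bytes are constructed placeholders, and the routine makes one simplifying assumption, noted in the code: a real appending or prepending infector normally also patches the host's header (for example its entry point), so an exact prefix or suffix match is the best case, and the point here is the recoverable-versus-unrecoverable split rather than a general disinfection algorithm.

```python
"""Triage of a modified executable against its known-good size and SHA-256:
decide whether the original bytes are still on disk (virus code merely
prepended or appended) or were overwritten and must be restored from source
or backup. Added example for this thread; not code from any poster.
All sample bytes are constructed; nothing here is real malware."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(suspect: bytes, good_size: int, good_sha256: str):
    """Return (verdict, recovered): recovered holds the original file's bytes
    when they can be carved out of the suspect, else None.

    Assumption/simplification: a real appending or prepending infector also
    patches the host's header (e.g. the entry point), so an exact prefix or
    suffix match is the best case; the point is the recoverable/unrecoverable
    split, not a general disinfection routine."""
    if len(suspect) < good_size:
        return "overwritten", None        # bytes are missing; nothing to carve
    if len(suspect) == good_size:
        if sha256_hex(suspect) == good_sha256:
            return "clean", suspect
        return "overwritten", None        # same size, different content: in-place damage
    head = suspect[:good_size]
    if sha256_hex(head) == good_sha256:
        return "appended", head           # original intact at the front
    tail = suspect[-good_size:]
    if sha256_hex(tail) == good_sha256:
        return "prepended", tail          # original intact at the back
    return "overwritten", None            # neither end matches: original lost


# Constructed "known-good" executable and the baseline record kept for it.
ORIGINAL = b"MZ" + bytes(range(256)) * 4  # 1026 bytes, stands in for a real PE
GOOD_SIZE = len(ORIGINAL)
GOOD_SHA256 = sha256_hex(ORIGINAL)

# Constructed on-disk variants a scan might encounter (placeholder bytes only).
PAYLOAD = b"\xcc" * 300
SAMPLES = {
    "clean": ORIGINAL,
    "appended": ORIGINAL + PAYLOAD,
    "prepended": PAYLOAD + ORIGINAL,
    "overwritten": PAYLOAD + ORIGINAL[len(PAYLOAD):],  # first 300 bytes replaced
}


def run_samples() -> dict:
    """Map each constructed sample to (verdict, whether the original was recovered)."""
    out = {}
    for name, data in SAMPLES.items():
        verdict, recovered = triage(data, GOOD_SIZE, GOOD_SHA256)
        out[name] = (verdict, recovered == ORIGINAL)
    return out


if __name__ == "__main__":
    for name, (verdict, ok) in run_samples().items():
        print(f"{name:12s} -> {verdict:12s} original recoverable: {ok}")
```

The routine needs only what a hash baseline already stores (size and digest), not a full copy of every file, and its answer for the "overwritten" case is the practical one from this thread: no scanner can recompute bytes that are no longer on the disk, so that file is replaced from a known-good source rather than cleaned.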
