Virus:Win32/Sality.gen!Q
Aliases: Worm:Win32/Sality.AU (other) Win32/Cogduni.worm.61440 (AhnLab) W32/Virut.AI!Generic (Command) W32/Sality.AG (Avira) Win32.Worm.VB.NWZ (BitDefender) Win32/Sality.AA (CA) Win32.Sector.21 (Dr.Web) Win32/Sality.NBF (ESET) IM-Worm.Win32.VB (Ikarus) W32/Sality.gen.e (McAfee) W32/Sality.BD (Norman) W32/Sality.AA (Panda) Worm.Cogduni.a (Rising AV) Mal/Sality-D (Sophos) Virus.Win32.Sality.at (Sunbelt Software) Win32.Sality.BK (VirusBuster)
Summary
Recovering from recurring infections on a network
- Ensure that an antivirus product is installed on ALL computers connected to the network that can access or host shares.
- Ensure that all available network shares are scanned with an up-to-date antivirus product.
- Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/library/bb456977.aspx.
- Remove any unnecessary network shares or mapped drives.
Removing a program exception
2) Select Windows Firewall.
3) On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4) Click Change Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
5) Select "ipsec" from the list of allowed programs and features. Click Remove.
6) Click OK.
2) On the left-hand menu, select Windows Firewall.
3) On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4) Select "ipsec" from the list of allowed programs and features. Click Delete.
5) Click OK.
2) Click Start, select Run, type wscui.cpl, and then click OK.
3) In Windows Security Center, click Windows Firewall.
4) On the Exceptions tab, click "ipsec" and then click Delete.
5) Click OK.
Enabling registry editor
- Run a command prompt. Click Start>Run and type cmd.
- In the command prompt, type the following as is and press Enter:
reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
- Type exit at the command prompt.
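To confirm whether either change described above is still present on a computer, the following read-only PowerShell check can be run. It is an added example, not part of the original Microsoft instructions. It assumes Windows Vista or later (where netsh advfirewall exists) and that the exception is listed under the name "ipsec" as in the steps above; the function names are hypothetical.

```powershell
# Added example: read-only check, changes nothing. Run it as the affected user,
# because the policy value lives under HKCU (per-user).
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ruleName  = 'ipsec'   # exception name taken from the removal steps on this page

function Test-RegistryToolsDisabled {
    # True when DisableRegistryTools exists and is non-zero (Registry Editor blocked).
    $p = Get-ItemProperty -Path $policyKey -Name DisableRegistryTools -ErrorAction SilentlyContinue
    return [bool]($p -and $p.DisableRegistryTools -ne 0)
}

function Get-FirewallRuleText {
    param([string]$Name)
    # Assumption: Windows Vista or later, where "netsh advfirewall" is available.
    # netsh exits with a non-zero code when no rule has this name.
    $out = & netsh.exe advfirewall firewall show rule "name=$Name" verbose 2>&1
    if ($LASTEXITCODE -eq 0) { return ($out | Out-String) }
    return $null
}

if (Test-RegistryToolsDisabled) {
    Write-Output 'DisableRegistryTools is set: Registry Editor is blocked for this user.'
} else {
    Write-Output 'DisableRegistryTools is not set for this user.'
}

$rule = Get-FirewallRuleText -Name $ruleName
if ($rule) {
    Write-Output "Firewall exception '$ruleName' is present. Review the program path before removing it:"
    Write-Output $rule
} else {
    Write-Output "No firewall exception named '$ruleName' was found."
}
```

Because the policy value is per-user, repeat the check for each account that logs on to the computer.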
Additional remediation instructions for Virus:Win32/Sality.gen!Q:
- Restoring your System Registry:
  - For Windows 7: http://windows.microsoft.com/en-us/windows7/Back-up-the-registry
  - For Windows Vista: http://windows.microsoft.com/en-US/windows-vista/Back-up-the-registry
  - For Windows XP: http://support.microsoft.com/kb/322756/
- Resetting System Security Settings to default:
  - For Windows XP and Vista: http://support.microsoft.com/kb/313222
- Viewing hidden and/or system files:
  - For Windows 7: http://windows.microsoft.com/en-US/windows7/Show-hidden-files
  - For Windows Vista: http://windows.microsoft.com/en-US/windows-vista/Show-hidden-files
  - For Windows XP: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/win_fcab_show_file_extensions.mspx?mfr=true
- Stopping and starting Windows services:
  - For Windows 7: http://windows.microsoft.com/en-US/windows7/What-are-Administrative-Tools
  - For Windows Vista: http://windows.microsoft.com/en-US/windows-vista/What-are-Administrative-Tools
  - For Windows XP: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sys_srv_start_service.mspx
- Enabling Windows Firewall:
  - For Windows 7: http://windows.microsoft.com/en-US/windows7/Turn-Windows-Firewall-on-or-off
  - For Windows Vista: http://windows.microsoft.com/en-US/windows-vista/Turn-Windows-Firewall-on-or-off
  - For Windows XP: http://support.microsoft.com/kb/283673
- Enabling Windows Security Center/Action Center alerts:
  - For Windows 7: http://windows.microsoft.com/en-us/windows7/What-happened-to-Windows-Security-Center
  - For Windows Vista: http://windows.microsoft.com/en-US/windows-vista/Using-Windows-Security-Center
  - For Windows XP: http://support.microsoft.com/kb/889737
- Correctly disabling Autorun in Windows: http://support.microsoft.com/kb/953252
- Using the system's recovery options:
  - For Windows XP: Installing and using the Recovery Console in Windows XP
  - For Windows Vista: System Recovery Options in Windows Vista
  - For Windows 7: System Recovery Options in Windows 7
- For other support and help related articles, go to:
  - Windows 7: http://support.microsoft.com/gp/windows7
  - Windows Vista: http://support.microsoft.com/ph/11732
  - Windows XP: http://support.microsoft.com/ph/1173
  - Microsoft Security TechNet Center: http://technet.microsoft.com/security/default.aspx