While active, Sality.S terminates running processes with names associated with common antivirus programs.
Sality.S is an appending, polymorphic file infector that uses an entry point obscuring technique. During infection, it replaces 129 bytes from the beginning of the host file's code with its decryption routine, then hides the replaced code in its own code. The virus's own code is encrypted and appended to the host file as a new section, with a random name and a size of 28672 bytes.
A detailed description of Sality's method of operation is available in the description of Virus.Win32.Sality.Q
During installation, Sality.S creates the following files:
- %windir%\system32\wmdrtc32.dl_ - Archived copy of wmdrtc32.dll
- %windir%\system32\wmdrtc32.dll - Detected as Virus.Win32.Sality.S
- %windir%\system32\drivers\ekkkjn.sys - Detected as Virus.Win32.Sality.S
It modifies the file %windir%\system.ini by adding the following:
In addition, the following is loaded into all processes
Sality.S deletes a large number of registry keys, a small sample of which is listed in this description.