Name :	Sality.Q
Size:	20480 Bytes
Category:	Virus
Type:	Virus
Date of Discovery:	August 14, 2006

Sality.Q is an appending polymorphic file infector that uses an entry point obscuring technique. Unlike other file infectors that modify the entry point of the host file to point to the virus code, Sality.Q replaces 122 bytes from the beginning code of the host file with its decryption routine and hides it in its code. It stores the original code 1,422 bytes away from the start of the last section.

Automatic Disinfection

Usually viruses infecting boot and executable files are automatically disinfected by F-Secure Anti-Virus (FSAV). In some cases, when automatic disinfection is not possible due to file corruption or overwriting virus, a user can select disinfection action by him/herself to make FSAV rename or delete an infected file. In some special cases it is recommended to use specific disinfection tools provided by F-Secure. They can be downloaded from our web or ftp sites:

http://www.f-secure.com/download-purchase/tools.shtml

ftp://ftp.f-secure.com/anti-virus/tools/

F-Secure Anti-Virus can be purchased from our webshop or from our authorised distributors. A trial version F-Secure Anti-Virus, limited to 30 days, can be downloaded from our website:

http://www.f-secure.com/download-purchase/

All the latest versions of FSAV can download anti-virus database updates automatically. However, these updates can be also downloaded and installed manually from our web or ftp sites:

http://www.f-secure.com/download-purchase/updates.shtml

Manual Disinfection

It is not recommended to manually disinfect files and boot sectors from viruses as it can cause damage to a system and make it unbootable.

System Restore issue and file viruses

If Windows ME or XP is used, it is recommended to disable System Restore feature of these operating systems to prevent a computer from re-infection by an already removed malware. The fact is that System Restore feature of these operating systems might save an infected file into the special folder and copy it back to a hard drive it every time it's been renamed or deleted by F-Secure Anti-Virus or by a user. Instructions on how to disable System Restore feature are here:

Windows ME:

http://www.europe.f-secure.com/v-descs/sfc_dis.shtml

Windows XP:

http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

It is recommended to re-enable System Restore after disinfection in order to restore stable system configuration in the future, if any crash or incompatibility issue occurs.

When the infected executable file has been run, it will drop the following .dll components:



It will then load the vcmgcd32.dll file, which contains the malicious routine. After successfully installing its components, it will then execute the original host file's code to prevent the user from suspecting infection.


It creates the following mutexes to make sure that only one instance of its .dll component is running in memory:



It can infect any of the following extensions by searching for files starting from "C:\":



It also infects files with .EXE extensions that are referenced as data in the following registry keys:



Sality.Q appends itself by creating a new section with a section name of "{random characters}data" and has a size of 20480 Bytes.


It also tries to delete files and processes related to some antivirus products.


It deletes files that it finds with any of the following extensions:



Moreover it also deletes files with filenames that starts with any of the following strings:



It may also kill processes that starts with the following strings:



It checks for an Internet connection by querying:



It then attempts to connect to the following URLs:



It also modifies %windir%\SYSTEM.INI by adding a section called MCIDRV_VER with key DEVICE and putting a random value inside it.

Example:


The .DLL component can steal cached passwords and also has key logging capabilities. It is injected in all running processes.