The Aftermath of the Deadly Win32/Sality Virus

casey.o

Now that I have my personal computers fairly back to running normally,
except those that I just formatted and put away in the closet, since I
rarely used them anyhow, I have tackled the ORIGINAL computer that
CAUSED this whole virus attack. This computer was purchased on eBay,
was just a tower (not a whole system), and came with XP-Pro freshly
installed on the small 40G HDD. I never really intended to use it to
run XP; I bought it because I have an identical motherboard, but needed
a "costly" CPU cooling fan and heatsink, and wanted a nicer case, as
well as a floppy drive since my old one is dying, and a CD drive, since
my old one died and was never replaced.

Anyhow, it cost less to buy this complete tower, with CPU fan, CD
player, floppy drive and a nice case, than to buy everything separately,
plus I got a spare power supply and 40G HDD. Not to mention much more
RAM.

But who would suspect that a fresh install of XP would contain a
virus.... particularly the Sality virus, which (from what I read) is
one of the worst viruses in existence. It's a system killer, and I now
can see that, after having to format the HDD on several of my other
computers and start over from scratch. The only OS that survived was
Windows 98SE.

Anyhow, I now have this *NEW* tower isolated. I ran salitykiller.exe
(free from Kaspersky), and it found and cleaned 439 files, 3 processes,
24 threads. Whether it's completely clean and safe, I don't really know,
but it does appear to be. However, I won't allow any removable media to
enter another of my computers until that media is formatted or
destroyed.

But what remains is only a partial operating system. Only some of the
built-in programs work. It boots just fine, and looks normal while it's
booting. But I am finding that loading many of the programs gives me
error messages and they won't load. "System File Checker" (SFC) went
bonkers, told me that many .DLL files were missing, and .EXE files were
corrupt or missing. It told me to insert the XP CD. But I have no
intention to repair it. It will get formatted soon. But I decided to
see what damage was done before I do.

After telling me to insert my XP CD to do the repairs, I clicked on
CANCEL. It would close that window, and create an identical window
immediately. They began to multiply. Soon the whole taskbar was filled
with identical boxes telling me to insert the CD, and the faster I
closed them, the faster more were created. This could have gone on for
infinity, and the START button would not work, nor would CTRL-ALT-DEL.
I finally pulled the plug, and let it reboot. I later found these
endless loops were occurring from other instances or executed .EXE files.

Regedit does work. I opened the registry and found that probably 75% of
all entries have "value not found" or "No Value" in the entries,
particularly in the /Windows and /NT categories. (Compared to looking
at the registry in a normal working XP, these mostly all have some
useful data in them.) So, apparently this virus removed much of the
registry, as well as .EXE and .DLL files, and also modifies some .EXE
files.

In the end, what was once a working install of XP still looks like XP
should, but it's a worthless operating system. Much stuff just won't
run, and what does run is limping along, or causes these endless loops
that can not be stopped.

I was however able to extract the registry key from it, which I wrote
down on paper to avoid copying it via floppy, which might possibly
infect another computer again. Now comes the "self destruct" mode.
Since my final goal is to format the drive, I am going to start to abuse
the files. Remove large chunks of the registry, and see how long it
takes to completely die.

But I wanted to share what this virus does, and I will add to this, that
while another of my computers was under attack, I was at a WIFI spot,
and could NOT access any of the Anti-Virus websites, had problems
accessing Microsoft.com. I did manage to start numerous downloads of AV
software from OTHER sites (such as oldapps.com), and every
one of them got to 99% complete and quit downloading, yet I did
successfully download unrelated files, and even save a YouTube video.
(Somehow, I think the virus detected at 99% that the file was an AV type
file.) Of the AV software that I was able to run, MS Security
Essentials ran, but ran for hours until it was destroyed by the virus,
and the MS Malicious killer app was also consumed and destroyed by the
virus.

I have determined that there is no saving any installation of XP once
this virus gets into the system. I tend to question whether or not it
affected Win2000. Salitykiller.exe did not find problems, but I was not
going to take chances, and I just removed the Win2000 folders and
replaced them from my backups.

I'd tend to believe that Win7 and 8 would also be destroyed, but I don't
use them, so I can only guess....

BTW: Besides salitykiller.exe (free from Kaspersky),
AVG has avg_remover_slt.exe (also free).

I've run both, several times, on all my computers that I use, and scanned
EVERY file. The damage all occurred inside the operating systems, with
the Windows/system32 folder getting hit the hardest, and files with .PID
extension ALL getting hit hard (whatever they do?). Files like .JPG,
.TXT, .MP3/.MP4, .DOC, and other non-executable files were not affected.
According to articles about this virus, it affects .EXE and .SCR files.
But I now see it also removes .DLL files and also infests those .PID
files.

That's what I wanted to share......
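
The poster above could not tell whether the cleaned machine was really
clean, and SFC only reported that system files were missing or corrupt.
The script below is an added example, not code from either poster or from
the Kaspersky/AVG tools mentioned: it hashes every executable (.exe, .dll,
.scr, .sys, .ocx, .cpl, an assumed list) under a known-good tree such as a
trusted backup or a fresh install from original media, saves that as a
manifest, and then compares it against a suspect drive mounted read-only
on a clean machine (with autorun disabled). Modified files are candidates
for a file infector, missing files match the "missing .DLL" symptom, and
added executables are worth a look. The sample trees in demo() are
constructed stand-ins, not real Windows files.

```python
"""Offline integrity diff for Windows executables (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions a PE file infector typically touches. Assumed list for this
# example; extend it if your environment has other executable types.
EXEC_EXTS = {".exe", ".dll", ".scr", ".sys", ".ocx", ".cpl"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path (lower-case, '/' separated) -> sha256 of executables."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in EXEC_EXTS and p.is_file():
                # Normalise so the same file on NTFS and on a Linux mount agrees.
                manifest[p.relative_to(root).as_posix().lower()] = sha256_of(p)
    return manifest


def save_manifest(manifest: dict, dest: Path) -> None:
    """Write 'hash  path' lines, the same shape sha256sum produces."""
    with dest.open("w", encoding="utf-8") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def load_manifest(src: Path) -> dict:
    manifest = {}
    with src.open("r", encoding="utf-8") as f:
        for line in f:
            digest, _, rel = line.rstrip("\n").partition("  ")
            if digest and rel:
                manifest[rel] = digest
    return manifest


def compare(baseline: dict, suspect: dict) -> dict:
    """Classify every executable as modified, missing or added."""
    return {
        "modified": sorted(k for k in baseline if k in suspect and suspect[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in suspect),
        "added": sorted(k for k in suspect if k not in baseline),
    }


def _write_tree(root: Path, files: dict) -> None:
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> dict:
    """Constructed sample trees (not real Windows files) to show the report."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect, manifest_file = Path(tmp, "clean"), Path(tmp, "suspect"), Path(tmp, "clean.sha256")
        good = {
            "Windows/notepad.exe": b"MZ\x90\x00 notepad",
            "Windows/System32/kernel32.dll": b"MZ\x90\x00 kernel32",
            "Windows/System32/logon.scr": b"MZ\x90\x00 logon",
            "Windows/readme.txt": b"not executable",
        }
        _write_tree(clean, good)
        # Suspect tree: one executable altered, one gone, one new, one text file
        # changed (ignored because it is not an executable type).
        bad = dict(good)
        bad["Windows/notepad.exe"] = good["Windows/notepad.exe"] + b" appended code"
        del bad["Windows/System32/logon.scr"]
        bad["Windows/System32/dropped.exe"] = b"MZ\x90\x00 dropped"
        bad["Windows/readme.txt"] = b"edited text"
        _write_tree(suspect, bad)

        save_manifest(build_manifest(clean), manifest_file)
        report = compare(load_manifest(manifest_file), build_manifest(suspect))
    return report


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}:")
        for rel in paths:
            print(f"  {rel}")
```

In real use you would run build_manifest() and save_manifest() on the
trusted tree, then compare() against the mounted suspect volume. Two
caveats the thread itself illustrates: the baseline has to come from media
you trust (the eBay install in the original post was the infection source,
so a manifest taken from it would be worthless), and a baseline from a
different service-pack level will show every updated binary as "modified",
so keep one manifest per patch level.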

Paul

Anyhow, I now have this *NEW* tower isolated. I ran salitykiller.exe
(free from Kaspersky), and it found and cleaned 439 files, 3 processes,
24 threads. Whether it's completely clean and safe, I don't really know,
but it does appear to be. However, I won't allow any removable media to
enter another of my computers until that media is formatted or
destroyed.

I guess this is why the helper person on BleepingComputer
was basically saying "level and reload" when he saw the
symptoms in an initial scan log. Usually those people
don't give up on a computer.

Paul