Aliases: Backdoor.SDBot.DFEP, Backdoor.Win32.SdBot.crr
Variants: IRC/BackDoor.SdBot3.ZBO, W32/Sdbot-DJV, W32/SDBot.BIFZ

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 11 Jan 2008
Damage: Low

Characteristics: W32.Sality.AB is a virus that propagates by infecting executable files. It also attempts to download other malicious files from remote locations. The virus infects .exe and .scr files. And once the system is infected, it may lower the computer's security settings. Systems affected by this worm are Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, and Windows XP.

More details about W32.Sality.AB

When the virus is executed, it drops %System%\[RANDOM].dll, %Temp%\[RANDOM].tmp, %System%\[RANDOM].dl_ and %System%\drivers\[RANDOM].sys files. The virus also creates the mutex so that only one instance of the virus is running. It modifies and deletes registry entries. It registers the file %System%\drivers\[RANDOM].sys as a new service and stops antivirus services. The virus is likely to infect all executable .scr files on the C drive, registry and on any writable network resource, except the files on any folder with “system” and “ahead” strings. The infected file size would then be increased to 57,344 bytes. The virus connects to the particular URLs to get instructions. These instructions contain additional URLs to possibly download other malicious files.

The W32.Sality.AB program comes with a rootkit tool. A rootkit program may conceal the existence of the application in the user’s computer. The rootkit feature replaces the file names of the program’s components to appear as legitimate Windows files. The rootkit function of the application may also disable security tools installed on the computer. It may terminate personal firewalls and anti-virus programs running on the background.