Sality Virus - not so simple!

Wondering if anyone can help. We have several computers that run McAfee Total Protection for Small Business that have become infected with Sality.NAR (according to a NOD scan). All automatically update their AV defs.

Unfortunately, the first thing that happens is McAfee gets disabled and you can't re-enable it. You can't reboot into safe mode (try and it just reboots) without doing a windows repair and if you uninstall McAfee you can't get it re-installed (can't even copy the install binary to the machine, or even get to the McAfee website!).

We have installed AVG which detects the threat as Tanatos.M (which fits none of the symptoms and seems unlikely) and has a go at repairing but doesn't get it completely removed.

We did get McAfee re-installed on one PC after the NOD scan, which sort of worked, but the machine keeps getting reinfected and McAfee keeps getting disabled again. We have completed some McAfee scans; they found Sality and apparently removed it, then McAfee got disabled again and the virus was still there when you recheck.

On another PC (after AVG) we cannot install McAfee at all, with the same original problem we hit when trying to reinstall prior to running AVG on all the PCs (it gives a cab file warning telling us to upgrade our IE, despite being on the latest version).

Can anyone help? It is driving us mad
8 Replies

Sality Virus - not so simple!

We are having a similar problem, but our detected threats are W32/Sality.stub, W32/Sality.ad, and W32/Sality.dll. This is a large Enterprise, so this nasty has spread quickly to thousands of machines and many servers.

So far, for us, it only affects machines that are not protected with McAfee, or that have the local McAfee related services disabled. We have been able to isolate Sality somewhat by strengthening the On-Access scanning policies on the File Servers. We used the AVG removal tool just as you did on some machines, with success. However, neither the CMA (agent) nor VirusScan Enterprise will install on a box (client or server) that was previously infected with Sality.

I have noticed that McAfee's application installers are no longer able to add the required registry settings to create services. I'll be digging into this more as time allows and post findings and an example Framework install log.
Grif
Message 3 of 9

RE: Sality Virus - not so simple!

XMason,

Just a thought. Have you tried updating the corporate 8.5i VirusScan to the newest release of the 5300 Scan Engine? It was released for manual download last week and won't be activated in the full/automatic updates for a couple of weeks. I've now installed it on about 40 machines and it seems to work well. It might be worth a try to manually install the 5300 scan engine on an infected computer and run the scan with the new virus defs. Maybe it will remove the problem correctly. (The manual scan engine update won't work correctly on the retail versions of McAfee because they use a different type of updater.)

Here's the link:

http://www.mcafee.com/apps/downloads/security_updates/engines.asp?region=us&segment=enterprise

For writeups about those detections, see the links below:

W32/Sality.ad

W32/Sality.stub

W32/Sality.dll

As to a fix for your inability to reinstall McAfee: after you've removed the virus and are sure it's not in the system restore volumes (be sure to check for the .dll files mentioned in the "W32/Sality.ad" link above), have you tried running SR back to a time when things were functioning correctly? It may remove those registry blocks which are preventing McAfee from installing.

Hope this helps.

Grif

Sality Virus - not so simple!

Thanks Grif for the great ideas.
I haven't upgraded the engine in quite a while; I'll definitely get the clients upgraded. Actually, our existing products do find and remove Sality before infection. However, we are in a rollout phase with the workstations (client scope) and have about 11,000 more to upgrade. Those machines have CA eTrust on them, and eTrust is allowing them to get infected, making our rollout difficult.

The server scope is done; however, unlike the client side (which is really locked down), Access Protection is not enabled on servers (company policy). So our app owners, web support, DBAs and developers can disable McAfee services at will.

With so many machines, I have to script everything. I'll have to play with an infected machine a bit to see if I can script a pre-scan/repair/rollback before pushing the agent. No rollback on servers though; we are rebuilding those.
Grif
Message 5 of 9

RE: Sality Virus - not so simple!

No real solution to your problem here, but...

A note on this particular virus. One of the primary ways it spreads is its ability to check for network shares; once found, the .exe and .scr files in the "shared" directories are then infected as well. If you haven't already, strengthen the security for the shared directories.

In addition, since this particular virus can be dropped by other malware, it might be a good idea to check for spyware type issues by using the free removal tool below. Performing a full cleanup with the tool might allow McAfee to install correctly. Still, on 11,000 machines, it might not be a workable solution.

http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

I also found this information about the virus which provides some additional virus file names that could be on an infected computer:

http://www.threatexpert.com/threats/w32-sality-ad.html

Hope this helps.

Grif

RE: Sality Virus - not so simple!

Any success getting rid of this? Am a home user with identical problems.

I can't run a DOS scan in safe mode, because as the original poster said, it won't let you boot to safe mode.

I've run the DOS scan twice out of the windows environment and it says it removes "W32/Sality.ag" virus, but I still can't get to McAfee.com to do a full Total Protection install.

Any help?

RE: Sality Virus - not so simple!

We did manage to clear this. We downloaded a trial version of AVG (www.avg.co.uk or www.avg.com), which at least loads, unlike our McAfee. We needed to run a full scan with this about 3 times on each PC. We could then re-install McAfee, although the uninstall of the original often failed and we required the McAfee clean up tools: http://service.mcafee.com/FAQDocument.aspx?id=107083&lc=1033

Good luck and hope it works.

RE: Sality Virus - not so simple!

Thanks very much for the reply. I think (with the help you provided) that the virus is gone after running AVG a couple of times. Total Protection is up and running and things appear to be running fine. I really appreciate you saving me a $100 trip to the repair shop!

Deployed anyway...

Re:
W32/Sality.ad
W32/Sality.stub
W32/Sality.dll

We were concerned about a national McAfee rollout to thousands of unprotected workstations and laptops with a known Sality outbreak. I pulled the trigger anyway and deployed the agents. Less than 5% of the launch failed, and VSE 8.5i cleaned up our field environment very well.

Sality continues to show up here and there on our server network, but it's getting better. Some things that helped us:

  1. If you choose to scan default files only with the On-Access scanner, make sure you add TMP files to the list. Sality spread from server to server on our network via admin users' TMP files.
  2. Don't leave McAfee services unprotected. We found application server owners disabling McShield as part of a 'standard troubleshooting step' and then leaving it disabled. Use the access protection feature.
  3. Definitely make sure you have the 5300 engine deployed throughout, with updated DATs.
  4. Sality did corrupt some shared-use executables on our network, rendering them useless after a virus clean. Leaving them infected, the applications would still operate, but the virus would continue to spread.
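Two points in this thread lend themselves to a simple, scriptable control: Grif's note that Sality spreads by infecting .exe and .scr files on network shares, and the last post's observations that it also travelled in admin users' TMP files and left shared executables corrupted. The script below is an added example written for this page; it is not code from the thread, from McAfee, or from any poster. It baselines the hashes of executable-looking files under a share, re-snapshots later, and reports files that were added, removed or changed, flagging two heuristics: a modified file that still starts with the DOS `MZ` stub but grew in size (the pattern a file infector appending to a host leaves), and any file carrying a PE header under a non-executable extension such as `.tmp`. The share root, the sample files and the "infection" are constructed inline for the demo; the heuristics are assumptions for illustration, not a Sality signature.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Extensions the thread says Sality infects on shares (.exe, .scr), plus .tmp,
# which the last post reports as the vector between servers. Assumed list.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".tmp"}
# Extensions under which a PE header is expected; a PE under anything else
# (e.g. .tmp) is reported separately. Assumed list.
EXPECTED_PE_SUFFIXES = {".exe", ".scr", ".dll"}


def looks_like_pe(path: Path) -> bool:
    """True if the file starts with the DOS 'MZ' stub, i.e. it is probably a
    Windows PE executable whatever its extension says."""
    try:
        with path.open("rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Hash every file under root that has an executable-looking extension
    or carries a PE header under some other extension."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            pe = looks_like_pe(p)
            if p.suffix.lower() in EXECUTABLE_SUFFIXES or pe:
                result[str(p.relative_to(root))] = {
                    "sha256": sha256_of(p),
                    "size": p.stat().st_size,
                    "pe": pe,
                }
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two snapshots."""
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    modified = sorted(
        k for k in set(baseline) & set(current)
        if baseline[k]["sha256"] != current[k]["sha256"]
    )
    # Heuristic: a changed file that still has a PE header and got bigger is
    # consistent with an infector appending its code to a host executable.
    grown_pe = sorted(
        k for k in modified
        if current[k]["pe"] and current[k]["size"] > baseline[k]["size"]
    )
    # Heuristic: a PE header hiding behind a non-executable extension.
    disguised_pe = sorted(
        k for k, v in current.items()
        if v["pe"] and Path(k).suffix.lower() not in EXPECTED_PE_SUFFIXES
    )
    return {"added": added, "missing": missing, "modified": modified,
            "grown_pe": grown_pe, "disguised_pe": disguised_pe}


def save_baseline(snap: dict, path: Path) -> None:
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed example: build a fake share, baseline it, simulate the
    changes an infection would leave behind, and return the report."""
    base = Path(tempfile.mkdtemp(prefix="share-audit-"))
    root = base / "share"
    (root / "tools").mkdir(parents=True)
    (root / "tools" / "app.exe").write_bytes(b"MZ" + b"\x00" * 510)   # fake PE
    (root / "tools" / "saver.scr").write_bytes(b"MZ" + b"\x01" * 254)  # fake PE
    (root / "readme.txt").write_bytes(b"just text\n")                 # ignored

    save_baseline(snapshot(root), base / "baseline.json")

    # Simulated infection (constructed): host grows, a PE lands in a .tmp,
    # and one baselined executable disappears.
    with (root / "tools" / "app.exe").open("ab") as f:
        f.write(b"\xcc" * 16)
    (root / "cache.tmp").write_bytes(b"MZ" + b"\x02" * 62)
    (root / "tools" / "saver.scr").unlink()

    return compare(load_baseline(base / "baseline.json"), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would run `snapshot()` against the share's UNC path from a clean host, keep `baseline.json` somewhere the share's users cannot write, and re-run on a schedule; anything in `grown_pe` or `disguised_pe` is a candidate for quarantine and an AV scan, and anything in `modified` that is a shared-use executable should be restored from a known-good copy rather than "cleaned", for the reason the last post gives.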
