Sality

Posted: March 28, 2006
Threat Metric
Threat Level: 7/10
Infected PCs: 8,530

Sality Description

Sality is an exceptionally complex threat: a polymorphic file-infecting virus built to propagate, evade detection and resist removal at the same time. Its primary purpose is to download other malware onto the infected computer, but Sality also carries confirmed keylogger and backdoor components, disables security software and steals private data such as account passwords. The virus is years old, yet new variants appear on a regular basis, and it is dangerous enough that removing Sality should be left to an up-to-date, capable anti-malware program.

Blocking Off Sality Infection Routes

Sality attacks Windows operating systems from Windows 98 up to the XP-era versions current when this was written. Sality first appeared in 2003, and new versions were still surfacing in 2010, which makes it an ongoing and evolving threat.

Sality probably originated in Russia, but given its infection rates there is a fair chance of encountering it 'in the wild' from file sources in other regions as well. Some anti-malware programs detect it under the name W32/Kookoo-A, if you are 'lucky' enough to catch it in a scan.

Sality infections are hard to spot: the code is polymorphic, so each infected file looks different, and it takes deliberate steps to hide from casual inspection. Sality infects executable files on every drive it can reach, including files on network shares and on removable media, which lets it spread wherever suitable host executables exist. It even searches the Windows Registry specifically for executables configured to start when Windows does and infects those too, so it is relaunched at every boot.

Defeating Sality and Its Attacks

Although Sality propagates like a virus, Sality has functions characteristic of other kinds of malware threats:

  • Sality acts as a Trojan downloader, fetching additional malware onto your machine. This is its primary purpose; the downloaded malware may serve many ends, such as spying on passwords or other sensitive data, hijacking your web browser, or easing further attacks by remote criminals.
  • Sality also opens a backdoor that remote criminals can exploit. What they do with it is as varied as the malware Sality can install; the most widely publicised, though not necessarily most damaging, use of a remotely controlled PC is recruitment into a botnet for distributed denial-of-service attacks.
  • Sality degrades your security settings and attempts to shut down security-related applications, including anti-virus scanners and built-in Windows tools.
  • Lastly, Sality is a keylogger: it records keyboard input and sends it to remote attackers. Treat passwords and other private information as at risk even if you did not type them in full (for example, if they are stored in a browser's saved site settings).

Removing Sality is harder than removing a typical virus. Sality injects itself into every running process except those owned by the Local Service, Network Service or System accounts, so it runs without a process of its own to spot. A second dirty trick up its sleeve is that it keeps running even in Safe Mode.

Because this virus is sophisticated, multi-layered and extremely dangerous, deleting Sality should be handled by a qualified expert or by a program designed for critical threats. Do not keep using a Sality-infected PC as though nothing is wrong; the scope of the damage Sality can inflict is hard to overstate.

Aliases

  • Trojan.Win32.Downloader.81920.O
  • TROJ_SALITY.AM [TrendMicro]
  • W32.Sality.AB [Symantec]
  • W32/Sality-AM [Sophos]
  • Trojan.PCK.CryptPack.A
  • Cloaked Malware [Prevx1]
  • Win32.Sality.AJ
  • W32/Sality.AC.worm [Panda]
  • Trojan/W32.KillAV.81920.C
  • W32/Agent.DTQN
  • Win32/Sality.AD [NOD32]
  • Worm:Win32/Sality.AH!dll [Microsoft]
  • W32/Sality.dll [McAfee]
  • Virus.Win32.Sality [Ikarus]
  • W32/KillAV.NH!tr [Fortinet]

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Sality may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

qp673812.dll
  Size: 81.92 KB (81920 bytes)
  MD5: 72410784cc6a484cc839f254d68e0eea
  Detection count: 82
  File type: Dynamic link library
  Group: Malware file
  Last Updated: December 11, 2009

winjmxy.exe
  Size: 19.96 KB (19968 bytes)
  MD5: c24411d4e373e19404eb3154f3233ad0
  Detection count: 50
  File type: Executable File
  Group: Malware file
  Last Updated: December 11, 2009

load[1].exe
  Size: 81.4 KB (81408 bytes)
  MD5: 426444c904c4d960118913467204ed0d
  Detection count: 43
  File type: Executable File
  Group: Malware file
  Last Updated: December 11, 2009

winafoe.exe
  Size: 17.92 KB (17920 bytes)
  MD5: 334215be25fe0b1d4ce4286318fd0472
  Detection count: 40
  File type: Executable File
  Group: Malware file
  Last Updated: September 30, 2020

bd3q0qix.exe, vamsoft.exe
  Size: 181.76 KB (181760 bytes)
  MD5: e7b53d00459864b22552f7119179fd29
  Detection count: 32
  File type: Executable File
  Group: Malware file
  Last Updated: December 11, 2009

7g7G8B2C.exe
  Size: 73.72 KB (73728 bytes)
  MD5: f339095d454772ad8cb9c340f13e1678
  Detection count: 23
  File type: Executable File
  Group: Malware file
  Last Updated: December 11, 2009
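The hashes above and the Registry autostart behaviour described under "Blocking Off Sality Infection Routes" can be turned into an offline sweep. The script below is an added example, not code from this page or from any anti-malware vendor: it hashes every executable-named file under a root you point it at (a mounted disk image, a USB stick, a network share) against the MD5s listed above, parses a .reg export of a Run key (the text format `reg export` produces) to extract autostart executables, and reports autostart entries whose file name matches a sweep hit. The sample tree, the fabricated .reg text and the MZ-prefixed stand-in blob in `demo()` are all constructed for the example; no real Sality bytes are embedded, so the blob's own hash is added to the IOC set just to give the demo a match.

```python
"""Offline IOC sweep for the Sality components listed on this page (added example)."""
import hashlib
import ntpath
import os
import re
import tempfile
from pathlib import Path

# MD5s of dropped components as listed in this page's Technical Details.
SALITY_MD5S = {
    "72410784cc6a484cc839f254d68e0eea": "qp673812.dll",
    "c24411d4e373e19404eb3154f3233ad0": "winjmxy.exe",
    "426444c904c4d960118913467204ed0d": "load[1].exe",
    "334215be25fe0b1d4ce4286318fd0472": "winafoe.exe",
    "e7b53d00459864b22552f7119179fd29": "bd3q0qix.exe / vamsoft.exe",
    "f339095d454772ad8cb9c340f13e1678": "7g7G8B2C.exe",
}

# Sality infects .exe/.scr hosts; .dll is included because one listed component is a DLL.
PE_SUFFIXES = {".exe", ".scr", ".dll"}


def md5_of(path):
    """Stream the file through MD5 so large binaries never sit in memory whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_tree(root, iocs=SALITY_MD5S):
    """Return {path: label} for every PE-named file under root whose MD5 is in iocs."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in PE_SUFFIXES and p.is_file():
                label = iocs.get(md5_of(p))
                if label:
                    hits[str(p)] = label
    return hits


# One string value line in a .reg export:  "name"="data"
_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def autostart_entries(reg_export_text):
    """Return (value name, executable path) for each string value in a .reg export.

    .reg escapes backslashes and quotes with a backslash. A command line that
    starts with a quote is taken up to the closing quote; otherwise up to the
    first space (simplification: an unquoted path containing spaces is truncated).
    """
    entries = []
    for line in reg_export_text.splitlines():
        m = _REG_VALUE.match(line.strip())
        if not m:
            continue  # header, [key] line, hex/dword value or blank
        name, raw = m.groups()
        data = re.sub(r"\\(.)", r"\1", raw)
        exe = data[1:].split('"', 1)[0] if data.startswith('"') else data.split(None, 1)[0]
        entries.append((name, exe))
    return entries


def flag_autostarts(reg_export_text, hits):
    """Autostart entries whose executable name matches a file the sweep flagged."""
    hit_names = {ntpath.basename(p).lower() for p in hits}
    return [(name, exe) for name, exe in autostart_entries(reg_export_text)
            if ntpath.basename(exe).lower() in hit_names]


def demo():
    """Constructed sample: a temp tree plus a fabricated .reg export (not real data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows").mkdir()
        blob = b"MZ" + b"\x90" * 64 + b"constructed sample, not malware"
        (root / "Windows" / "winjmxy.exe").write_bytes(blob)
        (root / "Windows" / "notepad.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "notes.txt").write_bytes(blob)  # same bytes, not a PE name: skipped
        # Add the stand-in blob's hash so the demo has a match; real runs use SALITY_MD5S.
        iocs = {**SALITY_MD5S, hashlib.md5(blob).hexdigest(): "constructed sample"}
        hits = sweep_tree(root, iocs)
        reg = (
            "Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
            '"Updater"="\\"C:\\\\Program Files\\\\Example\\\\updater.exe\\" /quiet"\r\n'
            '"winjmxy"="C:\\\\Windows\\\\winjmxy.exe"\r\n'
        )
        return hits, flag_autostarts(reg, hits)


if __name__ == "__main__":
    found, flagged = demo()
    for path, label in found.items():
        print(f"IOC hit: {path} ({label})")
    for name, exe in flagged:
        print(f"autostart {name!r} points at flagged file {exe}")
```

Two caveats a practitioner should keep in mind. First, these hashes identify only the dropped components at the exact versions listed; because Sality is polymorphic, infected host executables will never match a fixed MD5, so a clean result from this sweep does not mean a drive is clean, and a real engine is still needed for the infected hosts. Second, since Sality injects into user processes and interferes with security tools, run the sweep from a clean boot or against the disk mounted on a known-good machine, the same reasoning behind the "download from a clean computer" tip above.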

