Win32.sality Detected

Hi,

Just got a pop-up this morn from Webroot Antivirus telling me that I've been infected with Win32.sality virus and to contact Tech Support for help. Apparently, Webroot says in the pop-up message that this is a major infection.

This is interesting because it slipped right through Webroot and did its damage to my system without any files being "quarantined" or "monitored." So, I can't go into System Control -- Start -- Block -- and have Webroot rollback the changes.

It'll be interesting to watch what Tech Support will do in this case where i don't believe anything was journalled.

 

"Sality is a polymorphic type of virus and it's NOT curable.

The two most known type of Polymorphic File Infector viruses are Virut and Sality.

Regular viruses simply create executable some file(s) on your computer and then proceed with all kind of damaging action, they're programmed to do.

Virut and Sality have very same target, but they work in very different way.
They actually replace parts of code of legitimate, vital Windows system files, mostly exe and scr type of files (explorer.exe, svchost.exe, userinit.exe, etc.).
Some other type of files may be affected too, like htm, html, asp and php files.

In case of regular virus, curing action is pretty straightforward; using all kind of special tools, you eliminate files created by said virus.

In case of polymorphic virus, you'd have to start replacing all legit system files with healthy one. In theory....Practically, it's impossible to replace all infected files at once."

 

As a guideline to those who may come across a similar infection, I provide below the instruction I received from Webroot's tech support. Unfortunately, running the Sophos Antivirus file as they requested didn't get rid of the infection on my computer. Luckily, after some Google searching, I stumbled unto a removal tool called "SalityKiller.exe" on Kaspersky's website. Running it appears to have wiped the infection from my system....So far, Webroot scans have come back clean."

Your computer is currently infected with a type of malware known as a "file infector." File infectors add malicious code to legitimate files from your system so that they work as originally intended, but also continually infect other files touched. The most successful way to remove this infection is to backup all your documents and pictures, as well as any other important non-executable files, and use the factory restore disk or factory restore partition that came with your computer.

Although it is possible to remove the infection, the likelihood of successful removal is unpredictable. We have provided instructions for a removal. If carrying out these steps does not remove the infection, the computer will require a re-image/factory restore.

To attempt to remove the infection:

1. Restart your computer in Safe Mode with Networking. If you need instructions for starting your computer in Safe Mode with Networking, click here.

2. Once in Safe Mode with Networking, click the link below to download a file:

http://download.webroot.com/SAV32CLI.exe

3. Follow the correct steps for your Operating System.

Windows Vista/Windows 7:
• Right-click the file and choose "Run as administrator", then wait for the scan to complete.

Windows XP:
• Simply double-click the file to run, then wait for the scan to complete.

It may be necessary to run this scan twice to remove the infection.

If the infection has not been completely removed after two scans, you will need to contact your computer manufacturer or a qualified local technician for assistance in restoring your system to factory condition.

 

Thanks!


And how did Webroot's tech support explain that your pc got infected with Win32.sality despite being protected by WSA?

Funny thing , webroot recomended you to run Sophos Antivirus

Anyway, the general opinion in case of Win32.sality infection is to reimage or reinstall your OS ....and scan all your removabe drives!!!

 

Thx GreekGuy for the sharing of the story with us. While I am obviously happy you got rid of the nasty infection I am not so pleased to learn that the Kaspersky's removal tool earned laurels instead of WSA

Joe don't you think it would be necessary to improve Webroot's (Sophos) removal file?

 

What happened to "Webroot will remove your infection FREE" ?

 

BINGO! You're right! In the light of Webroot selling point (the free of charge removal of infections) the reply provided by the support is completely unacceptable.

 

Interesting! I am now wondering if I should consider the reply I got to a suggestion I made in the Webroot Forum Ideas Exchange in a slightly different light, ie. Webroot DON’T always guarantee a free malware removal service to their licence holders as Prevx did and still do??

I shall carefully watch this space…

 

i kind of agree where it was said that sality should have been detected in the first place. this is a well known virus that even has its own removal tools etc this well known of a virus should imo have been detected. i know no av is 100% but i question why this infection was allowed through. i still like wsa and use it for now but still think it needs some improvement.

 

"Et tu, ProTruckDriver?"

 

I too should reconsider my post made in the referenced thread something like the following
"Webroot doesn't want to mislead discourage potential users that they are often dealing with malwares which cannot be caught and/or removed by WSA and have to be instead removed via support."

 

File infectors are notoriously difficult to remove but this is the first case I've seen where our combined removal tools didn't remove them. Did you write back into support after running the tool and having it not work properly? We have several other methods which we can use on top of the commandline scanner. The "contact your local technician after two scans" sounds like boilerplate text which may have been written before some of our newer tools instead of continuing the dialog where we would try a second attempt.

 

That's good to hear but to avoid it happen again, it would be better if your support encourage a user to come back and continue with support to resolve an issue instead of driving them away.

 

No, I did not write back after Webroot's recommended actions failed to remove the infection.

As you can see in the e-mail I received from Webroot, the instruction I was given was not to write back if Sophos Antivirus failed to clean my computer. I was instructed to take my computer to a tech so it can get reimaged or reformatted. Had I not done some homework myself (and found the Kaspersky clean-up tool) and instead, had followed Webroot's instructions, I would have been facing a costly and time consuming effort to rid my computer of a virus that Webroot not only missed, but in the end, did not even clean.

 

It is inconceivable that Prevx Support would ever, ever have posted a reply like that, “boilerplate text” notwithstanding. Such a reply is so completely antithetical to their culture and what they stood for.

I don't want to sound cynical, but after how many attempts might Webroot decide to abandon the customer to his own devices

Sorry to come across so strongly, but I really feel quite shocked by what GreekGuy reported.

*exact, original words from GreekGuy's post

EDIT: apparently after only ONE attempt according to GreekGuy's post above!?!

 

I will ensure that this text is changed - this was written at a time where there was no "Plan B" (it has been the same since Webroot 7.0). There are facilities within the WSA product and within standalone cleanup tools (which my team has developed) that definitely provide second/third options in the event that we don't clean it up in one shot with the Sophos cleanup tool that we license.

At the very least, we should have remotely investigated the system to harvest samples to diagnose closer to implement automated cleanup the next time around.

We certainly don't intend to shrug the customer off and tell them to go fix it themselves unless it is honestly irreparable, but given that Kaspersky was able to clean it, that certainly was not the case.

Thanks for escalating this up and I'm sorry you ran into a far less than ideal customer experience, but I'll ensure this doesn't happen in the future!

 

If I owned a company and a employee recommended another vendor - competition,would be grounds for termination or a written warning.recommending any other tool other then in house seems a bad buisiness practice IMO. Since kaspersky removal tool has seem do the trick perhaps kaspersky powerful AV engine would have stopped it from the start.No offense intended.

 

That is more than reassuring.

Hypothetically, were this to happen would Webroot offer a 100% Money-Back Guarantee as Prevx do?

 

I thought WR's argument on why they sometimes test poorly, is because WR is different, and even if the machine is infected, WR can magically rollback any and all changes made by the malware?

 

At least they were honest after failing you the first time.

And you didn't stop the monitoring yourself (like I do all the time with known "goodware"), so that means it didn't start monitoring? Is the reason then that this malware you got infected with had maybe a false classification in cloud database (as good)? Or what happened there?

Because I think all stuff unknown to WSA is in fact monitored, at least this is my experience. - Certainly a very interesting case (and sadly a lot went wrong) and I really do hope it was a one-time glitch. Of course such things can happen, but yes .. they shouldn't.

I am running WSA as only AV-solution and hope I can trust it to do it's job if something should once get on my system. So far it doesn't seem to have happened (I check with other on demand AV-solutions all the time in vain) but if somebody knows why I recently get often those annoying Google captchas, please let me know what that could be. This is of course not the thread to discuss that but I thought I'd mention something that I do find strange on my WSA protected system and you could send me a PM

 

thank you for clarification. i have installed and recc wsa on many systems now and a lot of my trust was due to the person being able to get help if they need it when or if im not available (which i almost always am) or if they are away or i am etc.. i did have a client who actually contacted support after they moved from fl to nc and needed help i would have done it remotely for them but they already contacted support and the person remotely fixed the infection for them. so i was very happy with that.

i was still a bit surprised sality was allowed to infect it to begin with though as its a nasty well known infection though i also know there are and will be many new variants all the time if not daily. i would be curious now to know if the variant he had is now detected or not.

thanks for making sure this kind of thing does not happen in the future!

 

If it would have, then why would Kaspersky need to make a special removal tool for it?

File infectors are a mess and nearly impossible to do anything with cleanly. Anything that runs gets infected with it as/before it's running. Sality alone is an infection that is considered nearly if not completely impossible to clean up. Even when -everything- says it's clean, it can still be sitting in a program file that hasn't run recently, waiting to strike. The only way to truly clear Sality is to boot 100% outside the system into a non-Windows environment and compare -everything- against a whitelist, then replace all not-clear files with known-good copies. Anything not on the whitelist or unknown is deleted.

What also makes me wonder... Sality is NOT easy to get normally. With all the cleanups I have done of Malware over the years, I've seen it four times and that's it. Strangely enough, the last time was last week on a Kaspersky machine and they brought it to me because K's cleanup stuff wouldn't keep it gone. It would be "gone" for a while and then "Poink!" it's right back.

By the way, needless to say, DISABLE JAVA IN ALL BROWSERS. The Sality infection last week tracked to a BHEK in an advertisement on a normally-safe site.

 

yes but i can rollback to a image myself and be malware free.seems an odd philosophy to take but if thats how it is then thats how it will be.

 

Agreed

 

You Have a point.

I still dont understand why people dont make a image recovery in cases like this and then restore it and be done with it.