Sality.NAU

Discussion in 'ESET NOD32 Antivirus' started by mastj25, Jun 1, 2010.

Thread Status:
Not open for further replies.
  1. mastj25, Registered Member (Joined: Apr 20, 2009; Posts: 22)

    I have seen a rash of this virus this morning on a few of our fileservers. It is quarantining a lot of files that are legit (ex. AD tools) and they are all tagged with the Sality virus, and once I stop the scan and restart it, it seems to stop tagging files with the virus. Anyone else seeing anything like this? It's happening with ver 3 and 4 clients.
     
  2. Marcos, Eset Staff Account (Joined: Nov 22, 2002; Posts: 14,374)

    Something is infecting those files. Either the virus is spreading via network shares (make sure that you don't have system folders shared and also that admin passwords are strong enough) or you've run an infected file that is carrying on infecting other files. I'd suggest booting from a rescue CD and cleaning the computer.
     
  3. rockshox, Registered Member (Joined: Oct 23, 2009; Posts: 261)

    I am seeing something similar also, but not the sality virus. MS SQL Files that are NOT infected were quarantined with Win32/Agent trojan. Dtswiz.exe and logread.exe were quarantined on multiple servers. I find it extremely hard to believe that these files are now infected, on multiple SQL servers. I'm still looking into it....
     
  4. rockshox, Registered Member (Joined: Oct 23, 2009; Posts: 261)

    None of the files I had quarantined were Sality.NAU, so my circumstances are different. However, something must have changed, as these files have been scanned hundreds of times and been clean until yesterday.

    I found the SQL files that were quarantined were from several quite old Install folders that we have for a couple specific and specialized pieces of software that are quite old. Inside the install folders there was an MSDE folder (I believe from SQL 7) with various files. That is where the SQL files were getting quarantined from.

    I submitted them for analysis, so hopefully that issue is fixed in future definitions.
     