
Should I remove “Virus:Win32/Sality.AU”?


Virus:Win32/Sality.AU is classified as dangerous by many security vendors. While the infection is active, you may notice unfamiliar processes in the Task Manager list. If so, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware


Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It lets you run a complete scan and clean your PC during the trial period.
6-day free trial available.

What can Virus:Win32/Sality.AU do?

The behaviours below were recorded when the sample identified further down was run in an analysis sandbox:

  • Executable code extraction
  • Injection with CreateRemoteThread in a remote process
  • Attempts to connect to a dead IP:Port (1 unique time)
  • Creates RWX memory
  • A process attempted to delay the analysis task
  • Expresses interest in specific running processes
  • Unconventional binary language: Russian
  • Unconventional language used in binary resources: Russian
  • The binary likely contains encrypted or compressed data
  • Code injection with CreateRemoteThread in a remote process
  • Installs itself for autorun at Windows startup
  • Operates on the local firewall's policies and settings
  • Attempts to disable UAC
  • Attempts to modify or disable Security Center warnings
  • Anomalous binary characteristics
  • Attempts to modify Explorer settings to prevent hidden files from being displayed
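A quick way to check a Windows host for the defence-weakening changes in this list, as an added example that is not code from the original page or from GridinSoft: the Python script below reads the standard registry locations for UAC, Security Center notifications, the firewall profile, Explorer's hidden-file settings and the Run keys, and reports the states a file infector leaves behind. The scratch-directory heuristic for autorun entries, the sample registry values and the sample autorun commands are this example's own assumptions; on a non-Windows host it evaluates that constructed sample instead of the live registry.

```python
"""Host triage for the defence-weakening behaviours listed above (added example,
not code from the original page or from GridinSoft). Reads the standard registry
locations for UAC, Security Center notifications, the firewall profile, Explorer
hidden-file settings and the Run keys; the scratch-directory heuristic for
autorun entries and the sample data below are this example's own assumptions."""
import sys

try:
    import winreg  # Windows only; the evaluate_* functions do not need it
except ImportError:
    winreg = None

SC = r"SOFTWARE\Microsoft\Security Center"
EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
FIREWALL = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
# (hive, subkey, value name, {data that indicates weakening}, finding text)
REGISTRY_CHECKS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", {0},
     "UAC is disabled"),
    ("HKLM", SC, "AntiVirusDisableNotify", {1}, "Security Center antivirus warnings suppressed"),
    ("HKLM", SC, "FirewallDisableNotify", {1}, "Security Center firewall warnings suppressed"),
    ("HKLM", FIREWALL, "EnableFirewall", {0}, "Windows Firewall disabled (standard profile)"),
    ("HKCU", EXPLORER, "ShowSuperHidden", {0}, "Explorer hides protected OS files"),
    ("HKCU", EXPLORER, "Hidden", {2}, "Explorer hides hidden files (also the Windows default)"),
]
AUTORUN_KEYS = [("HKLM", RUN), ("HKCU", RUN)]
# Heuristic (assumption): autorun commands under these paths are review candidates.
SCRATCH_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\")

def evaluate_registry(values):
    """values maps (hive, subkey, name) -> data. Returns finding strings."""
    findings = []
    for hive, subkey, name, weak, text in REGISTRY_CHECKS:
        data = values.get((hive, subkey, name))
        if isinstance(data, int) and data in weak:
            findings.append(f"{text} [{hive}\\{subkey}\\{name} = {data}]")
    return findings

def evaluate_autoruns(entries):
    """entries maps (hive, subkey, name) -> command line. Returns review candidates."""
    findings = []
    for (hive, subkey, name), command in entries.items():
        if any(d in command.lower() for d in SCRATCH_DIRS):
            findings.append(f"Autorun '{name}' runs from a scratch path: {command} [{hive}\\{subkey}]")
    return findings

def _open(hive, subkey):
    root = winreg.HKEY_LOCAL_MACHINE if hive == "HKLM" else winreg.HKEY_CURRENT_USER
    # KEY_WOW64_64KEY avoids WOW64 redirection when run from 32-bit Python.
    return winreg.OpenKey(root, subkey, 0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY)

def collect_registry():
    """Read the checked values from the live registry (Windows only)."""
    values = {}
    for hive, subkey, name, _, _ in REGISTRY_CHECKS:
        try:
            with _open(hive, subkey) as key:
                values[(hive, subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass  # key or value absent: nothing to evaluate
    return values

def collect_autoruns():
    """Enumerate the per-machine and per-user Run keys (Windows only)."""
    entries = {}
    for hive, subkey in AUTORUN_KEYS:
        try:
            with _open(hive, subkey) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _ = winreg.EnumValue(key, i)
                    entries[(hive, subkey, name)] = str(data)
        except OSError:
            pass
    return entries

# Constructed sample data (not from a real host) so the logic runs anywhere.
SAMPLE_VALUES = {
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"): 0,
    ("HKLM", SC, "AntiVirusDisableNotify"): 1,
    ("HKLM", SC, "FirewallDisableNotify"): 0,
    ("HKCU", EXPLORER, "ShowSuperHidden"): 0,
}
SAMPLE_AUTORUNS = {
    ("HKCU", RUN, "ctfmon.exe"): r"C:\WINDOWS\system32\ctfmon.exe",
    ("HKCU", RUN, "svchost"): r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
}

def triage(values=None, autoruns=None):
    """Evaluate the live registry on Windows, otherwise the constructed sample."""
    if values is None or autoruns is None:
        if winreg is not None and sys.platform == "win32":
            values, autoruns = collect_registry(), collect_autoruns()
        else:
            values, autoruns = SAMPLE_VALUES, SAMPLE_AUTORUNS
    return evaluate_registry(values) + evaluate_autoruns(autoruns)

if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

Run it as an administrator on the suspect host. A finding is a prompt for review rather than a verdict: a locked-down corporate image can legitimately set several of these values, and the Explorer "Hidden" value is the Windows default, so it only corroborates the other findings.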

Related domains:

z.whorecord.xyz
a.tomx.xyz

How to identify Virus:Win32/Sality.AU?

File Info:

crc32: 13054D19
md5: f04527ab6fbe2e2c9def4ea5c400c753
name: F04527AB6FBE2E2C9DEF4EA5C400C753.mlw
sha1: f16718a110a10ba5dade87c4ec3bd51c0bc2eb5b
sha256: 65d452037fe5b0178ba3d8b1ae2f7b556d5a06f93e1079725637251fca3875cd
sha512: e3396309440379c302624589e987faf3ca923a9ca60cc89f984f65b97fb29f2e2bab57b9e0b02519b0635b9325e0b641222897d001cf8545ecdb529eab8227e6
ssdeep: 3072:xaJW2qohu1mfiXE9oZkabtbonkOG/vT/MIccu+7JRqe2U6a+ItB0oCZCF:oJpEAfi+ovh0nBG3LM23J2UD+auoT
type: PE32 executable (console) Intel 80386, for MS Windows

Version Info:

The sample carries the version resource of the Russian-language build (language ID 0x0419) of Microsoft's qappsrv.exe. The Cyrillic strings are escaped in the original listing; they are decoded here with an English translation in parentheses, which is consistent with the "Unconventional binary language: Russian" flags above.

LegalCopyright: © Корпорация Майкрософт. Все права защищены. (© Microsoft Corporation. All rights reserved.)
InternalName: qappsrv
FileVersion: 5.1.2600.0 (xpclient.010817-1148)
CompanyName: Корпорация Майкрософт (Microsoft Corporation)
ProductName: Операционная система Microsoft® Windows® (Microsoft® Windows® operating system)
ProductVersion: 5.1.2600.0
FileDescription: Утилита запроса сервера терминалов (Terminal server query utility)
OriginalFilename: qappsrv.exe
Translation: 0x0419 0x04b0 (Russian, Unicode code page 1200)
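The file hashes and the related domains listed in this section can be checked mechanically. The Python script below is an added example, not code from the original page: it computes the same digest set for a file (crc32 as the listing prints it, then md5, sha1 and sha256), reports which ones match the indicators, and matches the two domains against DNS query log lines on label boundaries so that look-alike names do not hit. The sample bytes and the BIND-style log lines in it are constructed for the example.

```python
"""Match a file and DNS log lines against the indicators on this page (added
example, not code from the original page). The hashes and domains are copied
from the listings above; the sample bytes and log lines are constructed here so
the script runs offline."""
import hashlib
import re
import zlib

# Indicators copied from the page (crc32 as printed: 8 uppercase hex digits).
FILE_IOCS = {
    "crc32": "13054D19",
    "md5": "f04527ab6fbe2e2c9def4ea5c400c753",
    "sha1": "f16718a110a10ba5dade87c4ec3bd51c0bc2eb5b",
    "sha256": "65d452037fe5b0178ba3d8b1ae2f7b556d5a06f93e1079725637251fca3875cd",
}
DOMAIN_IOCS = ("z.whorecord.xyz", "a.tomx.xyz")
# Match a domain only on label boundaries: "notz.whorecord.xyz" must not hit,
# "cdn.a.tomx.xyz." (a subdomain, FQDN form) must, "a.tomx.xyz.example.com" must not.
DOMAIN_RE = re.compile(
    "|".join(r"(?<![\w-])" + re.escape(d) + r"(?![\w-]|\.[\w-])" for d in DOMAIN_IOCS),
    re.IGNORECASE,
)

def fingerprint(data):
    """Digest set in the same form the page lists it, for a blob of bytes."""
    return {
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def fingerprint_file(path, chunk=1 << 20):
    """Same digests for a file on disk, streamed in a single pass."""
    crc = 0
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            crc = zlib.crc32(block, crc)
            for h in hashes.values():
                h.update(block)
    digests = {name: h.hexdigest() for name, h in hashes.items()}
    digests["crc32"] = f"{crc & 0xFFFFFFFF:08X}"
    return digests

def matching_hashes(digests, iocs=FILE_IOCS):
    """Names of digests equal to the indicator. A sha256 hit is conclusive; a
    crc32 hit on its own is not (32-bit checksum, collisions are cheap)."""
    return [n for n, v in iocs.items() if digests.get(n, "").lower() == v.lower()]

def matching_domains(line):
    """Set of indicator domains that appear in a log line, lower-cased."""
    return {m.group(0).lower() for m in DOMAIN_RE.finditer(line)}

def scan_dns_log(lines):
    """(line number, matched domains) for each log line that names an indicator."""
    hits = []
    for number, line in enumerate(lines, 1):
        found = matching_domains(line)
        if found:
            hits.append((number, found))
    return hits

# Constructed log lines (not real traffic) in a BIND-style query log format.
SAMPLE_DNS_LOG = [
    "01-Mar-2024 10:00:01 client 10.0.0.5#53211: query: www.example.com IN A",
    "01-Mar-2024 10:00:02 client 10.0.0.5#53212: query: Z.WHORECORD.XYZ IN A",
    "01-Mar-2024 10:00:03 client 10.0.0.5#53213: query: notz.whorecord.xyz IN A",
    "01-Mar-2024 10:00:04 client 10.0.0.5#53214: query: cdn.a.tomx.xyz. IN A",
    "01-Mar-2024 10:00:05 client 10.0.0.5#53215: query: a.tomx.xyz.example.com IN A",
]

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, "matches:", matching_hashes(fingerprint_file(path)) or "none")
    for number, found in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS log line {number}: {', '.join(sorted(found))}")
```

Pass suspect files as arguments to hash them; the DNS part runs over the constructed lines, and swapping in a real query log is a matter of reading the file into `scan_dns_log`. The ssdeep value from the listing is deliberately left out: fuzzy hashing needs the ssdeep library and is a similarity score, not an equality check.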

Virus:Win32/Sality.AU also known as:

Bkav: W32.Sality.PE
DrWeb: Win32.Sector.30
MicroWorld-eScan: Win32.Sality.3
CAT-QuickHeal: W32.Sality.U
Cylance: Unsafe
Zillya: Virus.Sality.Win32.25
Sangfor: Malware
CrowdStrike: win/malicious_confidence_100% (W)
Alibaba: Virus:Win32/Sality.6c134e8a
K7GW: Virus ( f10001071 )
K7AntiVirus: Virus ( f10001071 )
TrendMicro: PE_SALITY.RL
Baidu: Win32.Virus.Sality.gen
Cyren: W32/Sality.gen2
ESET-NOD32: Win32/Sality.NBA
Zoner: Trojan.Win32.Sality.22009
APEX: Malicious
TotalDefense: Win32/Sality.AA
Avast: Win32:Kukacka
GData: Win32.Sality.3
Kaspersky: Virus.Win32.Sality.gen
BitDefender: Win32.Sality.3
NANO-Antivirus: Virus.Win32.Sality.beygb
ViRobot: Win32.Sality.Gen.A
Tencent: Virus.Win32.TuTu.tv
Ad-Aware: Win32.Sality.3
Sophos: Mal/Sality-D
Comodo: Virus.Win32.Sality.gen@1egj5j
F-Secure: Malware.W32/Sality.AT
BitDefenderTheta: AI:FileInfector.A5ECCBAB0E
VIPRE: Virus.Win32.Sality.at (v)
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.Virut.cc
Trapmine: malicious.high.ml.score
FireEye: Generic.mg.f04527ab6fbe2e2c
Emsisoft: Win32.Sality.3 (B)
SentinelOne: DFI – Malicious PE
F-Prot: W32/Sality.gen2
Endgame: malicious (high confidence)
Avira: W32/Sality.AT
Antiy-AVL: Virus/Win32.Sality.gen
Kingsoft: Win32.Sality.ab.173464
Microsoft: Virus:Win32/Sality.AU
Jiangmin: Win32/HLLP.Kuku.poly1
Arcabit: Win32.Sality.3
AegisLab: Virus.Win32.Sality.v!c
ZoneAlarm: Virus.Win32.Sality.gen
TACHYON: Virus/W32.Sality.D
AhnLab-V3: Win32/Kashu.E
Acronis: suspicious
McAfee: W32/Sality.gen.z
MAX: malware (ai score=86)
VBA32: Virus.Win32.Sality.bakb
Panda: W32/Sality.AA
TrendMicro-HouseCall: PE_SALITY.RL
Rising: Virus.Sality!1.A5BD (CLOUD)
Yandex: Win32.Sality.BK
Ikarus: Virus.Win32.Sality
MaxSecure: Virus.Sality.BH
Fortinet: W32/Sality.AF
AVG: Win32:Kukacka
Paloalto: generic.ml
Qihoo-360: Virus.Win32.Sality.I

How to remove Virus:Win32/Sality.AU?

The detections above classify this sample as a file-infecting virus (for example “PE_SALITY” and “FileInfector”), so each infected file is an otherwise legitimate executable that now carries the viral code. Quarantining such files removes the host programs as well: after cleaning, reinstall any quarantined applications from trusted media, and scan removable drives and network shares that were attached while the machine was infected, since a file infector modifies the executables it can reach.

Virus:Win32/Sality.AU removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and run a “Standard scan”.
  • Move all detected items to quarantine.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the browser and the options to reset, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
