29 September 2015
Description of malware class
Malware that can self-replicate on a computer's local resources without the authorization of the user.
Unlike worms, viruses do not use network services to spread or gain a foothold on other computers. A copy of the virus reaches remote computers only if an infected item is incidentally activated on another computer for reasons unrelated to the capabilities of the virus itself, for example:
- When infecting available disks, the virus copied itself to files on a network resource.
- The virus copied itself to a removable disk or infected files on one.
- The user sent an email with an infected attachment.
Description of platform
Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. It is one of the most widespread programming platforms in the world.
Description of malware family
Malware of this family comprises widespread polymorphic infectious viruses. The Sality virus was first detected in July 2003. Later modifications considerably changed its decryption algorithms and its methods for infecting programs. The body of the virus is located at the end of the last section of the infected program. The first part of the virus is heavily obfuscated (i.e., the code is obscured) and decrypts the other code. Malicious functions of the virus are implemented as separate modules, which can be downloaded from URLs or via peer-to-peer networking.
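Because the virus body sits at the end of the last section and stays encrypted until its first part runs, the last section of a PE file is a natural place to start triage. The following is an added example, not code from Kaspersky Lab and not a Sality signature: it parses the section table and reports whether the last on-disk section is executable, writable and high-entropy at its tail. The function names, the 1024-byte tail window, the 7.0 entropy threshold and the sample images are assumptions constructed for the demonstration.

```python
import math
import struct
from collections import Counter

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_* section flags
SECTION = struct.Struct("<8sIIII12xI")  # name, vsize, vaddr, rawsize, rawptr, flags

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(buf)
    return sum(c / n * math.log2(n / c) for c in Counter(buf).values()) if n else 0.0

def last_section_report(pe: bytes, tail: int = 1024, threshold: float = 7.0) -> dict:
    """Report on the section stored last on disk, where appended code would sit."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)  # e_lfanew -> PE header offset
    if nt + 24 > len(pe) or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    table = nt + 24 + opt_size  # section table follows the optional header
    if nsec == 0 or table + nsec * SECTION.size > len(pe):
        raise ValueError("section table missing or truncated")
    sections = [SECTION.unpack_from(pe, table + i * SECTION.size) for i in range(nsec)]
    name, _, _, rawsize, rawptr, flags = max(sections, key=lambda s: s[4])
    exe, wr = bool(flags & MEM_EXECUTE), bool(flags & MEM_WRITE)
    ent = round(entropy(pe[rawptr:rawptr + rawsize][-tail:]), 2)
    # Assumed triage rule (not a Sality signature): all three traits together merit review.
    return {"name": name.rstrip(b"\0").decode("ascii", "replace"), "executable": exe,
            "writable": wr, "tail_entropy": ent, "suspicious": exe and wr and ent >= threshold}

def build_sample(last_body: bytes, last_flags: int) -> bytes:
    """Constructed two-section PE-like image for the demo (not a real program)."""
    nt, opt, img = 0x40, 0xE0, bytearray(0x400)
    img[:2], img[nt:nt + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, nt)
    struct.pack_into("<HH12xHH", img, nt + 4, 0x14C, 2, opt, 0x102)
    SECTION.pack_into(img, nt + 24 + opt, b".text", 0x200, 0x1000, 0x200, 0x200, 0x60000020)
    SECTION.pack_into(img, nt + 64 + opt, b".rsrc", len(last_body), 0x2000,
                      len(last_body), 0x400, last_flags)
    return bytes(img) + last_body

if __name__ == "__main__":
    print(last_section_report(build_sample(bytes(range(256)) * 4, 0xE0000020)))
    print(last_section_report(build_sample(b"\0" * 1024, 0x40000040)))
```

Packed or compressed legitimate programs can show the same traits, so a positive result is a reason to scan the file with an up-to-date antivirus engine, not a verdict.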
Geographical distribution of attacks by the Virus.Win32.Sality family
Geographical distribution of attacks during the period from 27 September 2014 to 27 September 2015
Top 10 countries with most attacked users (% of total attacks)
|Country|% of users attacked worldwide*|
* Percentage among all unique Kaspersky Lab users worldwide who were attacked by this malware