Virus.Win32.Sality

Description date

29 September 2015

Description of malware class

Virus

Malware that can self-replicate on a computer's local resources without the authorization of the user.

Unlike worms, viruses do not use network services to spread or to gain a foothold on other computers. A copy of the virus reaches a remote computer only when an infected object is activated there for reasons unrelated to the capabilities of the virus itself, for example:

  • While infecting the disks it could reach, the virus wrote copies of itself into files on a network share.
  • The virus copied itself to a removable disk, or infected files stored on one.
  • A user sent an email with an infected attachment.

Description of platform

Win32

Win32 is the API of Windows NT-based operating systems (Windows XP, Windows 7, etc.) for running 32-bit applications, and one of the most widespread programming platforms in the world.

Description of malware family

Virus.Win32.Sality

Malware of this family comprises widespread polymorphic file-infecting viruses. The Sality virus was first detected in July 2003; later modifications changed its decryption algorithms and its methods of infecting programs considerably. The virus body is appended to the end of the last section of the infected program. The first part of the body is heavily obfuscated (i.e., the code is deliberately obscured) and acts as a decryptor for the rest of the body, which it decrypts at run time. The malicious functions of the virus are implemented as separate modules, which it downloads from URLs or over a peer-to-peer network.
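The layout described above (virus body appended to the last section, with a decryptor that runs first) is something a triage script can look for in the PE headers without executing the file. The following example is added here and is not Kaspersky's code or Sality's code; it parses the PE32 headers with the standard library, then applies a heuristic that is an assumption of this example, not a Sality signature: the entry point falling inside the last section, the last section being both writable and executable, and the entry section lacking the code flag. The two sample files are constructed in the script itself (headers only, no real code) so that it runs offline.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"   # 40-byte IMAGE_SECTION_HEADER


def parse_pe32(data):
    """Return (entry_rva, sections) from the headers of a PE32 file held in memory.

    Only the fields the heuristic needs are decoded: AddressOfEntryPoint from the
    optional header and the name/RVA/size/characteristics of every section.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsect):
        fields = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        name, vsize, va, rawsize, _rawptr, _, _, _, _, chars = fields
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "size": max(vsize, rawsize), "chars": chars})
    return entry_rva, sections


def section_containing(rva, sections):
    """Return the section whose virtual range covers rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["size"]:
            return s
    return None


def sality_like_layout(data):
    """Heuristic triage: reasons why this PE looks like an appending file infector.

    Returns an empty list for a normally linked file. Legitimate packers produce
    similar layouts, so a non-empty result means 'inspect', not 'infected'.
    """
    entry_rva, sections = parse_pe32(data)
    if not sections:
        return []
    reasons = []
    last = sections[-1]
    entry_sec = section_containing(entry_rva, sections)
    if entry_sec is last:
        reasons.append("entry point lies in the last section (%s)" % last["name"])
    if last["chars"] & IMAGE_SCN_MEM_WRITE and last["chars"] & IMAGE_SCN_MEM_EXECUTE:
        reasons.append("last section is both writable and executable")
    if entry_sec is not None and not entry_sec["chars"] & IMAGE_SCN_CNT_CODE:
        reasons.append("entry section %s is not marked as code" % entry_sec["name"])
    return reasons


def build_pe32(sections, entry_rva):
    """Construct a minimal, headers-only PE32 file (constructed test input, not a real binary)."""
    opt_size, e_lfanew = 224, 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)      # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)        # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)         # FileAlignment
    hdrs = b"".join(
        struct.pack(SECTION_HDR, name.ljust(8, b"\0"), size, va, size, rawptr, 0, 0, 0, 0, chars)
        for name, va, size, rawptr, chars in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed sample: a normally linked program, entry point at the start of .text.
CLEAN = build_pe32([(b".text", 0x1000, 0x800, 0x400, CODE),
                    (b".data", 0x2000, 0x200, 0xC00, DATA)], entry_rva=0x1000)

# Constructed sample: the same layout after an appending infection. The last
# section has grown by 0x1400 bytes, is now writable+executable, and the entry
# point has been moved to the start of the appended region (RVA 0x2200).
INFECTED = build_pe32([(b".text", 0x1000, 0x800, 0x400, CODE),
                       (b".data", 0x2000, 0x200 + 0x1400, 0xC00, DATA | IMAGE_SCN_MEM_EXECUTE)],
                      entry_rva=0x2200)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, sality_like_layout(sample) or ["no findings"])
```

Because the decryptor is polymorphic, byte signatures on the first part of the body are unreliable; structural checks like these are cheap to run across a file share and surface candidates for a sandbox or an AV scan. Packed legitimate binaries (UPX and similar) trip the same checks, so treat a hit as a reason to look, not as a verdict.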

Geographical distribution of attacks by the Virus.Win32.Sality family

Geographical distribution of attacks during the period from 27 September 2014 to 27 September 2015

Top 10 countries with most attacked users (% of total attacks)

Rank  Country      % of users attacked worldwide*
1     India        19.12
2     Vietnam      18.47
3     Algeria       5.68
4     Russia        5.10
5     Egypt         4.20
6     Bangladesh    3.64
7     Indonesia     2.59
8     Turkey        2.14
9     Brazil        2.06
10    Nepal         1.76

* Percentage among all unique Kaspersky Lab users worldwide who were attacked by this malware