Presence of the specified files.
Size of executable files increased by approximately 20 kB.
Please let BitDefender disinfect your files.
Dan Anton, virus researcher
Win32.Sality.M is a polymorphic file infector that affects PE executable files. When an infected executable has been run, it drops the following files:
It appends the following lines to the end of %windir%\system.ini:
The dropped DLL file is injected into all running processes and starts infecting all .exe and .scr files on all drives, except files from the directories that contain the following strings:
After each drive infection, it tries to infect all .exe files contained in the following registry subkeys:
It creates the following mutexes in order to check the presence of the infecting .dll file in memory:
It deletes all files with the following extensions:
and all files that start with the following strings:
It also kills all processes that start with the following strings:
%system% refers to the System32 directory (default is: C:\Windows\System32)
%windir% refers to the Windows directory (default is: C:\Windows)
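The size symptom described above (.exe and .scr files growing by approximately 20 kB) can be checked against a known-good baseline of sizes and hashes. The following is an added example, not code from BitDefender or from the original write-up; the function names, the 4 kB tolerance and the dummy files in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

TARGET_EXTS = {".exe", ".scr"}   # file types the description says get infected
EXPECTED_GROWTH = 20 * 1024      # "approximately 20 kB" from the symptoms
TOLERANCE = 4 * 1024             # assumption: slack allowed around that figure

def sha256_of(path):
    """Hash in chunks so large executables are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root):
    """Map relative path -> (size, sha256) for every .exe/.scr file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): (p.stat().st_size, sha256_of(p))
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in TARGET_EXTS
    }

def suspicious_growth(baseline, current):
    """Paths whose content changed and whose size grew by roughly 20 kB."""
    hits = []
    for path in sorted(baseline.keys() & current.keys()):
        (old_size, old_hash), (new_size, new_hash) = baseline[path], current[path]
        grew_as_described = abs(new_size - old_size - EXPECTED_GROWTH) <= TOLERANCE
        if new_hash != old_hash and grew_as_described:
            hits.append(path)
    return hits

def demo():
    """Constructed sample: dummy files, one grown by 20 kB, one edited in place."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("a.exe", "b.scr", "c.exe"):
            Path(root, name).write_bytes(b"MZ" + bytes(4094))
        before = snapshot(root)
        with open(Path(root, "a.exe"), "ab") as fh:
            fh.write(bytes(EXPECTED_GROWTH))      # simulated appended data
        Path(root, "c.exe").write_bytes(b"ZM" + bytes(4094))  # same size, new content
        return suspicious_growth(before, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

A hit is a lead for further scanning, not a verdict: legitimate updates can also change a file's size, so the baseline should be taken from a system known to be clean.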