Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


  • Threat Level: Low threat
  • Damage: High
  • Distribution: Not widespread


Sality.AO carries out the following actions:

  • It infects the following files:
    - files with an EXE and SCR extension.
    - files with an ASP, HTM and PHP extension by using the following script:

    It adds this script in the files it finds in the affected computer.
    This script allows the virus to download different types of malware to the affected computer.
  • It reduces the security level of the computer by adding itself to the list of applications authorized by the firewall, so that its connections are not blocked.
  • It connects to an IRC channel and waits for remote instructions, such as downloading files or stealing information. In order to do so, it modifies the HOSTS file by adding the following string:
  • It disables Windows File Protection (WFP) and the checking of protected files when Windows starts:
    - Windows File Protection prevents critical Windows system files from being replaced. Programs must not overwrite these files because they are used by the operating system and other programs.
    - The System File Checker tool checks if the protected files have been modified. If so, it recovers the original protected files.
    Because both features are disabled, protected Windows files can be modified, which could cause problems with the operating system and the installed programs.

Infection strategy 

Sality.AO infects the files with an EXE and SCR extension it finds on the computer by appending its code to the end of each file it infects. This ensures that the virus runs every time the infected file is executed, without interfering with the normal functioning of the file.
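The appending technique described above leaves structural traces in a PE file that a defender can check for without a signature: the entry point no longer falls in the original code section but in the last section (which the infector has enlarged or appended), and bytes may trail past the end of the section table's raw data. The following script is an added example, not Panda Security's code and not derived from a Sality.AO sample; it parses only the PE fields it needs with the standard library and assembles two constructed, non-runnable PE images (a clean layout and an "infected" one) so that the heuristics can be exercised offline. Real files will need the usual caveats (packers and installers also produce overlays and unusual entry points), so treat the output as a triage hint, not a verdict.

```python
import struct

# Layout constants from the PE/COFF specification.
_SEC_HDR = 40     # size of one section header
_OPT_SIZE = 0xE0  # size of a PE32 optional header


def pe_layout(data):
    """Return (entry_rva, sections) from a PE image; each section is
    (name, virtual_address, virtual_size, raw_pointer, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * _SEC_HDR
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, vsize, rptr, rsize))
    return entry_rva, sections


def appended_code_indicators(data):
    """Heuristics for an appending infector: entry point redirected into the
    last section, entry point outside every section, or bytes trailing past
    the end of all section raw data (an overlay). Returns sorted tags."""
    entry_rva, sections = pe_layout(data)
    tags = set()
    holder = None
    for name, vaddr, vsize, rptr, rsize in sections:
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            holder = name
    if holder is None:
        tags.add("entry_outside_sections")
    elif len(sections) > 1 and holder == sections[-1][0]:
        tags.add("entry_in_last_section")
    end_of_raw = max(rptr + rsize for _, _, _, rptr, rsize in sections)
    if len(data) > end_of_raw:
        tags.add("overlay_present")
    return sorted(tags)


def build_pe(sections, entry_rva, overlay=b""):
    """Assemble a minimal PE image for demonstration (constructed, not a real
    sample, and not executable). sections: (name, vaddr, vsize, raw_size)
    tuples laid out back to back starting on a 512-byte boundary."""
    e_lfanew = 0x40
    headers_len = e_lfanew + 4 + 20 + _OPT_SIZE + _SEC_HDR * len(sections)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, _OPT_SIZE, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)
    opt += b"\0" * (_OPT_SIZE - len(opt))
    table, body = b"", b""
    for name, vaddr, vsize, rsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, rsize,
                             raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += b"\xCC" * rsize  # filler bytes standing in for section content
    image = dos + b"PE\0\0" + coff + opt + table
    image += b"\0" * (raw_ptr - len(image))
    return image + body + overlay


# Constructed samples: a clean two-section layout, and the same file after an
# appender enlarged the last section, pointed the entry point into it and left
# extra bytes after the end of the section data.
CLEAN = build_pe([(".text", 0x1000, 0x200, 0x200), (".data", 0x2000, 0x200, 0x200)], 0x1010)
INFECTED = build_pe([(".text", 0x1000, 0x200, 0x200), (".data", 0x2000, 0x600, 0x600)],
                    0x2200, overlay=b"\x90" * 64)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, appended_code_indicators(sample) or ["no indicators"])
```

To run the check over a real file, read it in binary mode and pass the bytes to `appended_code_indicators`; the builder exists only to produce the constructed samples.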

It also infects the files with an ASP, HTM and PHP extension it finds on the computer by adding to them a script that allows the virus to download malware to the infected computer.


Sality.AO modifies the HOSTS file in order to connect to an IRC channel.


Sality.AO creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %sysdir%\winlogon.exe = %sysdir%\winlogon.exe:*:enabled:@shell32.dll,-1

    where %sysdir% is the Windows system directory.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %sysdir%\winlogon.exe = %sysdir%\winlogon.exe:*:enabled:@shell32.dll,-1

    It creates these entries in order to add itself to the list of applications authorized by the firewall.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum
    0 = SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
    UpdateHost = 00, 50, 3D, EB, 75, 51
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer
    UpdateHost = 00, 50, 3D, EB, 75, 51
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
    HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\5p18r829-rs40-465o-n1qq-3sp9rprs8p87 - svkzncv_.rkr = 08, 00, 00, 00, 06, 00, 00, 00, 40, 09, FD, 1B, 24, 90, C9, 01
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kmixer\Enum
    0 = SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}
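Two of the registry entries listed above are directly usable for triage: a firewall exception for winlogon.exe (a component of the operating system that has no reason to appear in the AuthorizedApplications list) and a UserAssist value whose name, like all UserAssist names, is ROT13-encoded and records the path of an executable that was launched. The script below is an added example, not Panda Security's code; it parses a .reg export (REGEDIT 5 format) rather than the live registry so that it runs anywhere, and its sample export is constructed from the entries on this page with %sysdir% expanded to C:\WINDOWS\system32 (an assumption) plus one ordinary, benign exception to show that it is not flagged. The set of binaries treated as "never needs an exception" is the defender's own policy, not something the page states.

```python
import codecs
import ntpath
import re

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
FIREWALL_LIST_SUFFIX = (r"\Services\SharedAccess\Parameters\FirewallPolicy"
                        r"\StandardProfile\AuthorizedApplications\List")
# Policy assumption: OS components that should never carry a firewall exception.
SYSTEM_BINARIES = {"winlogon.exe"}


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse a REGEDIT 5 .reg export into {key_path: {value_name: data}}.
    String data is unescaped; hex:/dword: data is kept as written."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, data = _unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def suspicious_firewall_exceptions(reg):
    """Return (key, value_name) pairs where an enabled firewall exception names
    a binary from SYSTEM_BINARIES. Matching is case-insensitive, as the
    registry is."""
    hits = []
    for key, values in reg.items():
        if not key.upper().endswith(FIREWALL_LIST_SUFFIX.upper()):
            continue
        for name, data in values.items():
            if (ntpath.basename(name).lower() in SYSTEM_BINARIES
                    and ":enabled:" in data.lower()):
                hits.append((key, name))
    return hits


def decode_userassist(reg):
    """Map each ROT13-encoded UserAssist value name to its decoded form."""
    decoded = {}
    for key, values in reg.items():
        upper = key.upper()
        if "\\USERASSIST\\" in upper and upper.endswith("\\COUNT"):
            for name in values:
                decoded[name] = codecs.decode(name, "rot_13")
    return decoded


# Constructed .reg export built from the entries on this page (%sysdir% expanded
# as an assumption) plus one benign exception for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"
"C:\\Program Files\\ExampleApp\\app.exe"="C:\\Program Files\\ExampleApp\\app.exe:*:enabled:Example App"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer]
"UpdateHost"=hex:00,50,3d,eb,75,51

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_EHACNGU:P:\\Qbphzragf naq Frggvatf\\Nqzvavfgengbe\\Qrfxgbc\\5p18r829-rs40-465o-n1qq-3sp9rprs8p87 - svkzncv_.rkr"=hex:08,00,00,00,06,00,00,00,40,09,fd,1b,24,90,c9,01
'''


def triage(text):
    """Run both checks over a .reg export and return the findings."""
    reg = parse_reg_export(text)
    return {"firewall": suspicious_firewall_exceptions(reg),
            "userassist": decode_userassist(reg)}


if __name__ == "__main__":
    for section, findings in triage(SAMPLE_REG).items():
        print(section, findings)
```

On a live host the same export is produced with `reg export HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess out.reg` and the corresponding HKCU / HKU paths; the parser expects the UTF-16 file to be read and decoded to text before it is passed in.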

Means of transmission 

Sality.AO infects executable files with an EXE and SCR extension, and files with an ASP, HTM and PHP extension. Infected files reach new computers when they are distributed through any of the usual channels: floppy disks, email messages with attachments, Internet downloads, files transferred via FTP, IRC channels, P2P file sharing networks, etc.

Further Details  

Sality.AO is 8,457 bytes in size.