PandaLabs - New Sality.AO Infecting Computer Users

PandaLabs, the malware detection and analysis laboratory of Panda Security, has discovered that a significant number of PCs have been infected with a virus named Sality.AO. It is therefore advising computer users to remain wary and cautious of the worm. PandaLabs detected the virus for the first time in early February 2009; however, it issued the warning on February 18, 2009 through its security advisory.

Describing Sality.AO, PandaLabs' security experts stated that it combines the traits of conventional viruses, which infect as many computers as possible to gain notoriety for their authors, with the functions of modern malware, which generate financial benefits for cyber criminals. The virus also employs certain methods that haven't been seen for many years, says Panda Security. These methods, such as Cavity or Emergency Power Off (EPO), work by modifying the computer's original files so that they can be infected.

Explaining EPO and Cavity further, the security experts said that EPO lets the original file run prior to the start of infection, so that malware detection becomes difficult. Cavity, on the other hand, inserts the virus into the empty spaces of a legitimate file to make detection and removal of the malware more difficult.

Apart from these techniques, the virus exhibits another feature - its capability to establish connections with Internet Relay Chat channels to obtain commands from a remote source, turning the infected PC into a zombie that could be used for spamming, malware dissemination or denial-of-service attacks. According to PandaLabs' security experts, a crucial function of Sality.AO is that it does not confine its infections to computer files alone, as traditional viruses did, but also seeks to spread all over the Internet.
Carlos Zevallos, Security Evangelist at Panda Security, reported that the virus has already infected around 15,000 PCs across 31 countries, primarily Portugal, Spain, Argentina, Brazil and the US, as reported by SCMagazineUS on February 19, 2009. Security company McAfee describes Sality.AO as parasitic, meaning that it infects .scr and .exe files by overwriting the code of a legitimate file with its own malicious code.

SPAMfighter News - 3/5/2009