A new variant of the Sality virus (W32/Sality-AM) was seen by the Australian lab last night. The polymorphic file infecting virus is quite destructive by today’s standards and uses several tricks to make detection and disinfection difficult.

Testing in the lab proved that new runtime HIPS developments are still performing well against these threats and several behaviours are detected and prevented when W32/Sality-AM is running.

Like other variants of the Sality family W32/Sality-AM includes code to inhibit the use of security software and to disable certain operating system tools to make the presence of the virus less obvious. These behaviours are prevented by HIPS rutime analysis by HIPS/Regmod-008 and HIPS/RegMod-009 respectively.

As mentioned above, W32/Sality-AM is pretty destructive and it removes a portion of the registry so that the machine can not be booted into safe mode to aid disinfection. A new HIPS runtime analysis rule, HIPS/RegMod-016, developed to coincide with the release of SAV 7.6.0 prevents this behaviour.

By using the HIPS runtime analysis feature of SAV as advised on the Sophos website the functionality of W32/Sality-AM will be significantly reduced and users will be better placed to diagnose any issues and submit files to SophosLabs for analysis.