Cleaning and preventing PE_SALITY infections

Product / Version includes:

OfficeScan11.0 , Worry-Free Business Security Advanced8.0 , Worry-Free Business Security StandardAll , Worry-Free Business Security AdvancedAll

Last updated: 2021/08/28

Solution ID: KA-0002159

Category: Remove a Malware / Virus

Summary

PE_SALITY is known as a fast-spreading file infector, capable of doing the following:

Uses advanced techniques in terminating antivirus processes and disabling security applications.
Connects to a malicious IRC server/website to download malware.
Utilizes a Windows exploit on its shortcut flaw by dropping an LNK file allowing to automatically execute its malware.
Drops AUTORUN.INF, allowing execution of the malware file upon access on USB and shared drives.

PE_SALITY continuously evolves from one of the early variants of PE_SALITY.M to SALITY.RL while adopting the latest technology in threats.

For more information about PE_SALITY, click this link.

Learn how to deal with PE_SALITY infections by following the steps in this article.

EXPAND ALL

Removing PE_Sality from infected computers

Perform a test run of following steps on selected infected machines before rolling it out to all of the infected computers in the network.

To clean PE_Sality:

Download the PE_Sality fixtool.
Download the latest Controlled Pattern Release (CPR).
Download the latest Spyware Detection and Cleanup (Trend Micro Anti-Spyware) - Ssapiptn.Da6.
Extract the PE_Sality fixtool to a temporary directory (i.e. C:\Test).
Extract the CPR (lpt$vpn.xxx) to C:\Test\System\Sysclean.
Extract the spyware pattern (ssapiptn.DA5) to C:\Test\System\Sysclean.
Using GPO or any 3rd party deployment tool (i.e. SMS, BigFix, Altiris), copy the extracted files (mentioned in step #4-6) into the C:\Temp folder of the infected computer(s).
Using GPO or any 3rd party deployment tool (i.e. SMS, BigFix, Altiris), run C:\Temp\Fix.bat. This script file will execute tsc.com and sysclean.com that will remove PE_SALITY infection.
Restart the computer. System reboot is required to completely restore and remove the malware entries and modifications. This new and improved fixtool does NOT require a boot in safe mode to clean PE_Sality.
Make sure that your Trend Micro product is updated and running to prevent reinfection.

Preventing PE_SALITY infections

The following technologies implemented by the latest Trend Micro products are the most effective methods of preventing re-infection and future infection of PE_SALITY:

Prevention

Malware Behavior Blocking via Behavior Monitoring Settings
This prevents termination of the Trend Micro products' processes as well as further infection.
- In OfficeScan, PE_SALITY is prevented with the use of Malware Behavior Blocking.
- In the Worry-Free Security Client/Server Security Agent, PE_SALITY is prevented with the use of Malware Behavior Blocking.
Block AutoRun function in USB devices via Device Access Control
This prevents infections from USB drives that can be introduced into the environment from a foreign network.
Web Reputation
This prevents introduction of new malware from web sites hosting files associated to PE_SALITY.
Scan Network Drive
This prevents infections from shared drives and folders that is being used by PE_SALITY to propagate. This option will also clean all malware detected files found in the shared drive and folder

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Cleaning and preventing PE_SALITY infections

Removing PE_Sality from infected computers

Preventing PE_SALITY infections

Cleaning and preventing PE_SALITY infections

Product / Version includes:

Summary

Removing PE_Sality from infected computers

Preventing PE_SALITY infections