Cleaning and preventing PE_SALITY infections

    • Updated:
    • 18 Apr 2016
    • Product/Version:
    • OfficeScan 10.6
    • OfficeScan 11.0
    • Worry-Free Business Security Standard/Advanced 7.0
    • Worry-Free Business Security Standard/Advanced 8.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Platform:
    • Windows 2000 Advanced Server
    • Windows 2003 Standard Server Edition
    • Windows 2008 Enterprise
    • Windows 7 32-bit
    • Windows XP Professional
Summary

PE_SALITY is a fast-spreading file infector. It is capable of the following:

  • Terminates antivirus processes and disables security applications using advanced techniques.
  • Connects to a malicious IRC server or website to download additional malware.
  • Exploits the Windows shortcut (LNK) vulnerability by dropping an LNK file that executes the malware automatically when Windows renders the shortcut.
  • Drops an AUTORUN.INF file so that the malware runs as soon as an infected USB or shared drive is accessed.

PE_SALITY continuously evolves, from early variants such as PE_SALITY.M to SALITY.RL, adopting the latest techniques used by other threats.

For more information about PE_SALITY, click this link.

Follow the steps in this article to clean PE_SALITY infections and prevent re-infection.

Details
Test the following steps on a few selected infected machines before rolling them out to all infected computers in the network.

To clean PE_Sality:

  1. Download the PE_Sality fixtool.
  2. Download the latest Controlled Pattern Release (CPR).
  3. Download the latest Spyware Detection and Cleanup (Trend Micro Anti-Spyware) pattern file, ssapiptn.xxx (xxx is the release suffix, e.g. DA5 or DA6; use the latest available).
  4. Extract the PE_Sality fixtool to a temporary directory (e.g. C:\Test).
  5. Extract the CPR (lpt$vpn.xxx) to C:\Test\System\Sysclean.
  6. Extract the spyware pattern (ssapiptn.xxx) to the same folder, C:\Test\System\Sysclean.
  7. Using GPO or a third-party deployment tool (e.g. SMS, BigFix, Altiris), copy the contents of the temporary directory from steps 4-6 (the fixtool together with both pattern files) into the C:\Temp folder of the infected computer(s).
  8. Using the same deployment tool, run C:\Temp\Fix.bat. This script executes tsc.com and sysclean.com, which remove the PE_SALITY infection.
  9. Restart the computer. A reboot is required to completely remove the malware's entries and undo its modifications. This new and improved fixtool does NOT require booting into Safe Mode to clean PE_Sality.
  10. Make sure that your Trend Micro product is updated and running to prevent re-infection.
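The following script is an added example of how steps 4 to 9 can be driven from an administrator's workstation when no GPO or third-party deployment tool is at hand. It is not Trend Micro's fixtool and is not part of this article. It assumes PowerShell 2.0 or later on the workstation, that the targets expose the C$ administrative share and accept WMI (DCOM) calls from the account running the script, that the fixtool, CPR and spyware pattern were extracted to C:\Test as in steps 4-6, and that Fix.bat runs unattended. The host names, the timeout and the $Reboot switch are placeholders chosen for the example.

```powershell
<#
  Added example (not the Trend Micro fixtool, not from the article).
  Pushes the extracted fixtool package to infected hosts and runs Fix.bat,
  following steps 4-9. Assumptions: PowerShell 2.0+, C$ share and WMI
  reachable on the targets, package extracted to C:\Test, Fix.bat unattended.
#>
param(
    [string]   $PackageRoot = 'C:\Test',                       # step 4 extraction folder
    [string[]] $Targets     = @('PC-INFECTED-01', 'PC-INFECTED-02'),  # placeholder host names
    [int]      $TimeoutMin  = 60,                              # how long to wait for Fix.bat
    [switch]   $Reboot                                         # step 9: reboot when cleaning finished
)
$ErrorActionPreference = 'Stop'

# Pre-flight: refuse to push a package that is missing Fix.bat or either pattern
# file from steps 5-6, so a half-built package is never deployed fleet-wide.
$sysclean = Join-Path $PackageRoot 'System\Sysclean'
if (-not (Test-Path -LiteralPath (Join-Path $PackageRoot 'Fix.bat'))) {
    throw "Fix.bat not found under $PackageRoot"
}
foreach ($pattern in 'lpt$vpn.*', 'ssapiptn.*') {   # single quotes keep '$vpn' literal
    if (-not (Get-ChildItem -Path (Join-Path $sysclean $pattern) -ErrorAction SilentlyContinue)) {
        throw "Pattern $pattern missing from $sysclean (extract the CPR / spyware pattern first)"
    }
}

# Documented return codes of Win32_Process.Create.
$createCodes = @{ 0 = 'started'; 2 = 'access denied'; 3 = 'insufficient privilege';
                  8 = 'unknown failure'; 9 = 'path not found'; 21 = 'invalid parameter' }

$report = @()
foreach ($target in $Targets) {
    $status = 'unreachable'
    if (Test-Connection -ComputerName $target -Count 1 -Quiet) {
        # Step 7: copy the whole package (fixtool + System\Sysclean patterns) to C:\Temp.
        $remoteTemp = "\\$target\C`$\Temp"
        New-Item -ItemType Directory -Path $remoteTemp -Force | Out-Null
        Copy-Item -Path (Join-Path $PackageRoot '*') -Destination $remoteTemp -Recurse -Force

        # Step 8: launch Fix.bat (which runs tsc.com and sysclean.com) with C:\Temp as
        # the working directory, so the batch file finds the tools it references.
        $r = Invoke-WmiMethod -ComputerName $target -Class Win32_Process -Name Create `
                 -ArgumentList 'cmd.exe /c "cd /d C:\Temp && Fix.bat"'
        $status = $createCodes[[int]$r.ReturnValue]
        if (-not $status) { $status = "create failed (code $($r.ReturnValue))" }

        if ($r.ReturnValue -eq 0) {
            # Wait for the cmd.exe wrapper, and therefore the fixtool, to exit.
            $deadline = (Get-Date).AddMinutes($TimeoutMin)
            do {
                Start-Sleep -Seconds 30
                $running = Get-WmiObject -ComputerName $target -Class Win32_Process `
                               -Filter "ProcessId=$($r.ProcessId)"
            } while ($running -and (Get-Date) -lt $deadline)

            $status = if ($running) { 'timed out' } else { 'cleaned, reboot pending' }
            # Step 9: the reboot completes removal of the malware's entries and changes.
            if (-not $running -and $Reboot) {
                Restart-Computer -ComputerName $target -Force
                $status = 'cleaned, rebooting'
            }
        }
    }
    $report += New-Object PSObject -Property @{ Host = $target; Status = $status }
}
$report | Format-Table -AutoSize
```

Run it first with $Targets limited to the one or two machines chosen for the test run described above, then widen the list once those report "cleaned". Hosts that report "access denied" or "insufficient privilege" need a different administrative account; "unreachable" hosts are usually off the network or blocking ICMP and can be retried later.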

The following technologies in the latest Trend Micro products are the most effective ways to prevent re-infection and future infection by PE_SALITY:

Prevention

  • Malware Behavior Blocking via Behavior Monitoring Settings

    This prevents termination of the Trend Micro products' processes as well as further infection.

    • In OfficeScan, PE_SALITY is blocked by Malware Behavior Blocking.

    • In the Worry-Free Security Client/Server Security Agent, PE_SALITY is likewise blocked by Malware Behavior Blocking.

  • Block the AutoRun function of USB devices via Device Access Control

    This prevents infections from USB drives introduced into the environment from a foreign network.

  • Web Reputation

    This prevents the introduction of new malware from websites hosting files associated with PE_SALITY.

  • Scan Network Drive

    This prevents infections from the shared drives and folders that PE_SALITY uses to propagate. This option also cleans all detected malware files found in shared drives and folders.

Category:
Remove a Malware / Virus
Solution Id:
1037686