Sunday, March 15, 2009

W32.Sality.AE

Hi All,


These days every system seems to get infected by some virus, and new viruses are spreading every day. Recently my system was infected by the W32.Sality.AE virus. It is a LOW risk virus; still, I decided to remove it from my system, and I used Symantec Antivirus to do this. This virus spreads internally and infects all the .exe files on your system; in the end all the .exe files get corrupted.

While searching the net I found some interesting information about this virus. It may help you some time as well.

http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2008-042106-1847-99

W32.Sality.AE

Risk Level 1: Very Low

Also Known As: TROJ_AGENT.XOO [Trend], W32/Sality.ae [McAfee], Sality.AG [Panda Software], Win32/Sality.Z [Computer Associates], Win32/Sality.AA [Computer Associates]

Type: Virus

Infection Length: 57,344 bytes

Systems Affected: Windows XP, Windows NT, Windows 2000

W32.Sality.AE is a virus that spreads by infecting executable files and attempts to download potentially malicious files from the Internet.

Note: Symantec strongly recommends that customers take specific steps to control the execution of applications referenced in autorun.inf files that may be located on removable and network drives. Threats such as this one frequently attempt to spread to other computers using these avenues. Configuration changes made to a computer can limit the possibility of new threats compromising it. For more information, see the following document:

I also found some information on the Microsoft site about enabling and disabling the AutoRun feature of the OS. This can help us stop the virus spreading through AutoRun. Take a look at the following link.

http://msdn.microsoft.com/en-us/library/bb776825.aspx

Enabling and Disabling AutoRun

There are many situations where AutoRun may need to be temporarily or persistently disabled. For example, AutoRun might interfere with the operation of a running application and need to be disabled for the duration. The system provides several ways to disable AutoRun.

Suppressing AutoRun Programmatically

There are a variety of situations where AutoRun may need to be suppressed programmatically. Two examples are:

  • Your application has a setup program that requires the user to insert another disc that may contain an Autorun.inf file.
  • During the operation of your application, the user may need to insert another disc that may contain an Autorun.inf file.

In either case, you will normally not want to launch another application while the original is in progress.

Users can manually suppress AutoRun by holding down the SHIFT key when they insert the CD-ROM. However, it is usually preferable to handle this operation programmatically rather than depending on the user.

With systems that have Shell version 4.70 and later, Microsoft Windows sends a "QueryCancelAutoPlay" message to the foreground window. Your application can respond to this message to suppress AutoRun. This approach is used by system utilities such as the Open common dialog box to disable AutoRun. You will not get a "QueryCancelAutoPlay" message with versions of Windows 95 that do not have the Microsoft Internet Explorer 4.0 integrated Shell installed.

The following code fragments illustrate how to set up and handle this message. Your application must be running in the foreground window. First, register "QueryCancelAutoPlay" as a Windows message:


UINT uMessage = RegisterWindowMessage(TEXT("QueryCancelAutoPlay"));   // the same message id is returned to every caller that registers this string

Your application's window must be in the foreground to receive this message. The message handler should return TRUE to cancel AutoRun and FALSE to enable it. The following code fragment illustrates how to use this message to disable AutoRun.


UINT g_uQueryCancelAutoPlay = 0;

LRESULT CALLBACK WndProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
    switch (uMsg)
    {
    ...
    default:
        // Register the message once; RegisterWindowMessage returns the same id
        // for the same string, so this only costs a call on the first message.
        if (!g_uQueryCancelAutoPlay)
        {
            g_uQueryCancelAutoPlay = RegisterWindowMessage(TEXT("QueryCancelAutoPlay"));
        }
        if (uMsg && uMsg == g_uQueryCancelAutoPlay)
        {
            return TRUE;       // cancel auto-play
        }
    }
    // Every other message gets the default handling.
    return DefWindowProc(hwnd, uMsg, wParam, lParam);
}

If your application is using a dialog box and needs to respond to a "QueryCancelAutoPlay" message, it cannot simply return TRUE or FALSE. Instead, call SetWindowLong with nIndex set to DWL_MSGRESULT. Set the dwNewLong parameter to TRUE to cancel AutoRun, and FALSE to enable it. For example, the following sample dialog box procedure cancels AutoRun when it receives a "QueryCancelAutoPlay" message.


UINT g_uQueryCancelAutoPlay = 0;

BOOL CALLBACK DialogProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
    switch (uMsg)
    {
    ...
    default:
        if (!g_uQueryCancelAutoPlay)
        {
            g_uQueryCancelAutoPlay = RegisterWindowMessage(TEXT("QueryCancelAutoPlay"));
        }
        if (uMsg == g_uQueryCancelAutoPlay)
        {
            // A dialog procedure cannot return the result directly; store it in
            // DWL_MSGRESULT (SetWindowLongPtr/DWLP_MSGRESULT on 64-bit builds).
            SetWindowLong(hwnd, DWL_MSGRESULT, TRUE);   // TRUE = cancel auto-play
            return TRUE;                                 // message handled
        }
    }
    return FALSE;   // not handled; let the dialog manager process it
}

Using the Registry to Disable AutoRun

There are two registry values that can be used to persistently disable AutoRun: NoDriveAutoRun and NoDriveTypeAutoRun. The first value disables AutoRun for specified drive letters and the second disables AutoRun for a class of drives. If either of these values is set to disable AutoRun for a particular device, it will be disabled.

The NoDriveAutoRun value disables AutoRun for specified drive letters. It is a REG_DWORD data value, found under the following key:

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer


The first bit of the value corresponds to drive A:, the second to B:, and so on. To disable AutoRun for one or more drive letters, set the corresponding bits. For example, to disable the A: and C: drives, set NoDriveAutoRun to 0x00000005.

The NoDriveTypeAutoRun value disables AutoRun for a class of drives. It is a REG_DWORD or 4-byte REG_BINARY data value, found under the same key:

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

By setting the bits of this value's first byte, different drives can be excluded from working with AutoRun.

The following table gives the bits and bitmask constants that can be set in the first byte of NoDriveTypeAutoRun to disable AutoRun for a particular drive type. For Microsoft Windows NT and later systems, you must restart Windows Explorer before the changes take effect.

  Bit Number   Bitmask Constant   Description
  0x04         DRIVE_REMOVEABLE   Disk can be removed from drive (such as a floppy disk).
  0x08         DRIVE_FIXED        Disk cannot be removed from drive (a hard disk).
  0x10         DRIVE_REMOTE       Network drive.
  0x20         DRIVE_CDROM        CD-ROM drive.
  0x40         DRIVE_RAMDISK      RAM disk.
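As an added example (my own code, not from the Symantec write-up or the MSDN article quoted above), the following portable C computes the two registry values just described and audits whether a given NoDriveTypeAutoRun setting already blocks the removable and network drive types that the Symantec note says this threat spreads over. The AUTORUN_* names are my aliases for the table's bitmask values, the function names are my own, and the actual registry write (RegSetValueEx on Windows) is left out so the code compiles anywhere.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Bitmask constants for the first byte of NoDriveTypeAutoRun, from the table above. */
#define AUTORUN_REMOVABLE 0x04u
#define AUTORUN_FIXED     0x08u
#define AUTORUN_REMOTE    0x10u
#define AUTORUN_CDROM     0x20u
#define AUTORUN_RAMDISK   0x40u

/* NoDriveAutoRun value from drive letters: bit 0 is A:, bit 1 is B:, ... ("AC" -> 0x00000005 as in the text). */
uint32_t no_drive_autorun_mask(const char *letters)
{
    uint32_t mask = 0;
    for (; *letters; letters++) {
        int c = toupper((unsigned char)*letters);
        if (c >= 'A' && c <= 'Z')            /* anything else (spaces, punctuation) is ignored */
            mask |= 1u << (c - 'A');
    }
    return mask;
}

/* 1 if an existing NoDriveTypeAutoRun value already disables every drive type in `required` (first byte only). */
int autorun_disabled_for(uint32_t value, uint32_t required)
{
    return ((value & 0xFFu) & required) == required;
}

/* Comma-separated names of the drive types a NoDriveTypeAutoRun value disables (static buffer: not reentrant). */
const char *describe_no_drive_type_autorun(uint32_t value)
{
    static const struct { uint32_t bit; const char *name; } types[] = {
        { AUTORUN_REMOVABLE, "removable" }, { AUTORUN_FIXED, "fixed" }, { AUTORUN_REMOTE, "network" },
        { AUTORUN_CDROM, "cdrom" }, { AUTORUN_RAMDISK, "ramdisk" } };
    static char buf[64]; size_t used = 0;
    buf[0] = '\0';                           /* clear leftovers from a previous call */
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++)
        if (value & types[i].bit)
            used += (size_t)snprintf(buf + used, sizeof buf - used, "%s%s", used ? "," : "", types[i].name);
    return buf;
}

int main(void)
{   /* Constructed sample: a policy that only blocks CD-ROM AutoRun, audited against removable + network. */
    uint32_t current = AUTORUN_CDROM, wanted = AUTORUN_REMOVABLE | AUTORUN_REMOTE;
    printf("disables: %s; blocks removable+network: %s; recommended NoDriveTypeAutoRun=0x%02X; NoDriveAutoRun(A,C)=0x%08X\n",
           describe_no_drive_type_autorun(current), autorun_disabled_for(current, wanted) ? "yes" : "no",
           current | wanted, no_drive_autorun_mask("AC"));
    return 0;
}
```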

AutoRun for Other Types of Storage Media

AutoRun is primarily intended for public distribution of applications on CD-ROM and DVD-ROM. However, it is often useful to enable AutoRun on other types of removable storage media. This feature is typically used to simplify the debugging of Autorun.inf files. AutoRun only works on removable storage devices when the following criteria are met:

  • The device must have AutoRun-compatible drivers. To be AutoRun-compatible, a driver must notify the system that a disk has been inserted by sending a WM_DEVICECHANGE message.
  • The root directory of the inserted media must contain an Autorun.inf file.
  • The device must not have AutoRun disabled through the registry.
  • The foreground application must not have suppressed AutoRun.

Normally, AutoRun starts automatically, but it can also be started manually. If the device meets the criteria listed above, the drive letter's shortcut menu will include an AutoPlay command. To run AutoRun manually, either right-click the drive icon and select AutoPlay from the shortcut menu or double-click the drive icon. If the drivers are not AutoRun-compatible, the shortcut menu will not have an AutoPlay item and AutoRun cannot be started.

AutoRun-compatible drivers are provided with some floppy disk drives, as well as some other types of removable media such as CompactFlash cards. AutoRun also works with network drives that are mapped to a drive letter with Windows Explorer or mounted with the Microsoft Management Console (MMC). As with mounted hardware, a mounted network drive must have an Autorun.inf file in its root directory, and must not be disabled through the registry.

2 comments:

sagar said...

Even my system got affected by this virus. If you disable your LAN connection, you won't get it. I heard that this virus is somehow related to your internet temporary files. As per my observation, after deleting temp files this virus won't come.

sagar said...

Keep on posting articles or the data that you find interesting. Of course, even I have to start doing this. I feel if someone expects comments from others, there is a chance that they can stop posting articles if it doesn't happen.