Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus

September 15th, 2010

Accurate file names

It is always nice when we know what a file does, where it comes from, etc. Most of the time spent on deeper file (samples) analysis goes to uncovering this information. But, sometimes we don’t have to try when everything is obvious like in this case:

fp submission

Sality is a file infector, quite “popular” in the last few years and here it seems to reside under a direct download link. Let’s visit the site:

nicely announced

Just one click can lead you to the link mentioned in the fp submission. The road to hell is straight and broad :-). What’s interesting here is the “nomen omen” of the binary – it’s called destroy.exe as shown above. So there was a hidden warning in fact and we should definitely take this attribute into account next time and skip doing our own analysis in order to save some time :-D. Do you want to destroy your data? Go ahead and run destroy.exe, that’s a WYSIWYG as far as I can tell. Last but not least – how does a cross-section of AV engines deal with this infection? avast! performs far above the industry average when it comes to detecting the downloaded setup file before it is unpacked. Or is it that my perspective is reversed? Maybe the others are just performing below the avast! average. :-)

scan of the downloaded setup file

scan of unpacked destroy.exe

Categories: analyses, Virus Lab Tags: , ,
  • scythe944

    “Maybe the others are just performing below the avast! average.”

    Sounds a bit better to me.

    I’m glad Avast can see within the executable before it has actually been extracted / ran.

    Now gimme 5.1 for my business users!

  • Mario Vilas

    My portuguese is sketchy to say the least :) but I think the “destroy” keyword is just a coincidence – the program is advertised as a cheat for an online game called Ragnarok Online. The cheat’s name is Destroy Ragnarok Online (DestroyRO).

    So it’s no wonder it shows up in the file properties!

  • Michal Krejdl

    @Mario Vilas
    Of course, it’s a coincidence ;-). But we have fun when we come across such specific coicidence, it makes our work more cheerful. And it doesn’t change a fact that the Sality virus is available under direct link on a legitimate site.

  • Brandon

    You definitely need a good sense of humor to be in this business!

  • Alexia Rudolf

    Recently my system was also infected with win32.sality which was very annoying to remove till i used avast. It removed it properly. thanks

  • yanto chiang

    Hi Michal,

    Nice to share this blog, especially in details analysis.
    But sometimes, some AV also can’t detection as fast as others includes avast antivirus (Sorry, i am not offense in this case but just want to share there’s no perfect in this world).

    Again, this is nice article.

  • user


    I contacted and pointed them to this blog post.
    5 minutes later that account was suspended. Great support :D

    If you try to visit you see only “Account suspended”.

  • Carlos Heitor Lain

    Fui informado deste caso e suspendi o cliente, ele me pediu 48 horas para retirar o malware. O meu cliente foi liberado e o cliente terá 48 horas para retirar o malware.
    Carlos Heitor Lain

  • Carlos Heitor Lain

    I was informed of this case and postponed the client, he asked me 48 hours to remove the malware. My client has been released and the customer will have 48 hours to remove the malware.
    Carlos Heitor Lain

  • Neo

    @Mario Vilas

    I think anyone that needs to download a cheat for gaming deserves to get a virus LOL.

    In regards to Avast, I haven’t used/found anything better…it’s never let me down and Free Edition protects better than a lot of “full” security that you’d pay £40+ for…A lot of “big named” AV should be ashamed about what they charge for what little protection they provide…AVAST RULES!

  • Pingback: One hundred and thirty million users | Avast: Keeping it safe