Jump to content

Threat Removal

nikki

By nikki
in Malware Finding and Cleaning

 Share

Recommended Posts

nikki

nikki 0

Posted
Posted

Hi, 

I get this msg "Threat found" on my updated windows 8.1 and it is blocking TightVNC and other applications. If i click "Delete" is it going to remove "tvnserver.exe" which is an executable of TightVNC? What is the meaning of Operating memory >> tvnserver.exe ? The files are in ProgramFiles->Tight VNC ->tvnserver.exe , but anyone explain why it shows operating memory?

WhatsApp Image 2020-10-20 at 11.34.32 AM.png

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 5,074

Posted
  • Administrators
Posted

Since Sality is a file infecting virus and it was detected also in memory, I'd recommend running a full disk scan with ESET SysRescue first.

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

What the alert says me is the malware was detected in tvnserver.exe after it was loaded into memory. This could be for example, a maliciously .dll was injected/loaded into the process, a thread hooked to a malicious process, etc.. 

At this point, it is hard to determine if tvserver.exe itself is infected. You could submit to VirusTotal for static scanning detection. If nothing found there, submit it to Hybrid-Analysis for a dynamic sandbox analysis.

Edited by itman
Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

Microsoft has a technical description of Sality:

Quote

Threat behavior

Installation

Most variants of Win32/Sality drop a DLL onto your PC. For example, we have seen variants use the following file names:

  • <system folder>\wmdrtc32.dll - this file contains the bulk of the virus code
  • <system folder> \wmdrtc32.dl_- this is a compressed copy of the virus code

Some variants of Sality, like Virus:Win32/Sality.AM, do not drop the DLL, but instead load it entirely in memory without writing it to disk. This variant, along with others, also drops a driver with a random file name in the folder <system folder>\drivers. The driver is detected as Trojan:WinNT/Sality (see the Payload - Drops other components) section below.

Sality may be dropped by other malware, including other Sality variants. For example, a Sality variant detected as Virus:Win32/Sality.AU is dropped by Worm:Win32/Sality.AU.

We have also observed the Sality variant Virus:Win32/Sality.G being dropped by a member of the Win32/Bagle family of mass-mailing worms: Worm:Win32/Bagle.IF@mm.

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FSality

Note what I underlined; Sality can inject its .dll directly into the memory of a process; i.e. fileless malware.

Edited by itman
Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...