Jump to content

Recommended Posts

Hi, 

I get this msg "Threat found" on my updated windows 8.1 and it is blocking TightVNC and other applications. If i click "Delete" is it going to remove "tvnserver.exe" which is an executable of TightVNC? What is the meaning of Operating memory >> tvnserver.exe ? The files are in ProgramFiles->Tight VNC ->tvnserver.exe , but anyone explain why it shows operating memory?

WhatsApp Image 2020-10-20 at 11.34.32 AM.png

Link to post
Share on other sites
  • Administrators

Since Sality is a file infecting virus and it was detected also in memory, I'd recommend running a full disk scan with ESET SysRescue first.

Link to post
Share on other sites

What the alert says me is the malware was detected in tvnserver.exe after it was loaded into memory. This could be for example, a maliciously .dll was injected/loaded into the process, a thread hooked to a malicious process, etc.. 

At this point, it is hard to determine if tvserver.exe itself is infected. You could submit to VirusTotal for static scanning detection. If nothing found there, submit it to Hybrid-Analysis for a dynamic sandbox analysis.

Edited by itman
Link to post
Share on other sites

Microsoft has a technical description of Sality:

Quote

Threat behavior

Installation

Most variants of Win32/Sality drop a DLL onto your PC. For example, we have seen variants use the following file names:

  • <system folder>\wmdrtc32.dll - this file contains the bulk of the virus code
  • <system folder> \wmdrtc32.dl_- this is a compressed copy of the virus code

Some variants of Sality, like Virus:Win32/Sality.AM, do not drop the DLL, but instead load it entirely in memory without writing it to disk. This variant, along with others, also drops a driver with a random file name in the folder <system folder>\drivers. The driver is detected as Trojan:WinNT/Sality (see the Payload - Drops other components) section below.

Sality may be dropped by other malware, including other Sality variants. For example, a Sality variant detected as Virus:Win32/Sality.AU is dropped by Worm:Win32/Sality.AU.

We have also observed the Sality variant Virus:Win32/Sality.G being dropped by a member of the Win32/Bagle family of mass-mailing worms: Worm:Win32/Bagle.IF@mm.

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FSality

Note what I underlined; Sality can inject its .dll directly into the memory of a process; i.e. fileless malware.

Edited by itman
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...