nikki 0 Posted October 20, 2020

Hi, I get this msg "Threat found" on my updated Windows 8.1 and it is blocking TightVNC and other applications. If I click "Delete", is it going to remove "tvnserver.exe", which is an executable of TightVNC? What is the meaning of Operating memory >> tvnserver.exe? The files are in ProgramFiles -> Tight VNC -> tvnserver.exe, but can anyone explain why it shows operating memory?
Marcos 4,708 (Administrators) Posted October 20, 2020

Since Sality is a file-infecting virus and it was detected also in memory, I'd recommend running a full disk scan with ESET SysRescue first.
itman 1,541 Posted October 20, 2020 (edited)

What the alert tells me is that the malware was detected in tvnserver.exe after it was loaded into memory. This could be, for example, a malicious .dll injected/loaded into the process, a thread hooked to a malicious process, etc. At this point, it is hard to determine if tvnserver.exe itself is infected. You could submit it to VirusTotal for static scanning detection. If nothing is found there, submit it to Hybrid-Analysis for a dynamic sandbox analysis.

Edited October 20, 2020 by itman
itman 1,541 Posted October 20, 2020 (edited)

Microsoft has a technical description of Sality:

Quote:
Threat behavior
Installation
Most variants of Win32/Sality drop a DLL onto your PC. For example, we have seen variants use the following file names:
<system folder>\wmdrtc32.dll - this file contains the bulk of the virus code
<system folder>\wmdrtc32.dl_ - this is a compressed copy of the virus code
Some variants of Sality, like Virus:Win32/Sality.AM, do not drop the DLL, but instead load it entirely in memory without writing it to disk. This variant, along with others, also drops a driver with a random file name in the folder <system folder>\drivers. The driver is detected as Trojan:WinNT/Sality (see the Payload - Drops other components section below).
Sality may be dropped by other malware, including other Sality variants. For example, a Sality variant detected as Virus:Win32/Sality.AU is dropped by Worm:Win32/Sality.AU. We have also observed the Sality variant Virus:Win32/Sality.G being dropped by a member of the Win32/Bagle family of mass-mailing worms: Worm:Win32/Bagle.IF@mm.
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FSality

Note what I underlined; Sality can inject its .dll directly into the memory of a process, i.e. fileless malware.

Edited October 20, 2020 by itman
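As an added triage helper for the two points itman raises above (a DLL injected into the process vs. the on-disk artifacts Microsoft lists), here is a PowerShell script that is not from this thread, ESET or TightVNC. It assumes the process is still running under the name tvnserver, the checker runs elevated, and the file names wmdrtc32.dll / wmdrtc32.dl_ are those quoted from the Microsoft write-up.

```powershell
# Added triage script (not from the forum thread or ESET). Run from an
# elevated PowerShell after the SysRescue scan, as a second opinion, not
# as a replacement for it. Output is a list to review, not a verdict.
$ProcessName = 'tvnserver'                          # TightVNC service process
$salityNames = @('wmdrtc32.dll', 'wmdrtc32.dl_')    # names from the Microsoft write-up
$sysDir = "$env:SystemRoot\System32"

# 1. On-disk artifacts named in the Microsoft description.
foreach ($n in $salityNames) {
    $p = Join-Path $sysDir $n
    if (Test-Path -LiteralPath $p) { Write-Warning "Sality artifact present on disk: $p" }
}

# 2. Modules loaded into the target process. This only sees DLLs that went
#    through the Windows loader; code mapped by hand (the in-memory behaviour
#    described for Sality.AM) will not show up here, which is why an
#    in-memory AV detection still needs the full rescue scan.
$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) { Write-Host "No running $ProcessName process."; return }

foreach ($proc in $procs) {
    Write-Host "PID $($proc.Id): $($proc.Path)"
    try { $mods = $proc.Modules }
    catch { Write-Warning "Cannot read modules (needs elevation / matching bitness): $_"; continue }
    foreach ($m in $mods) {
        $flags = @()
        $onDisk = Test-Path -LiteralPath $m.FileName
        if (-not $onDisk) { $flags += 'NO-FILE-ON-DISK' }
        if ($salityNames -contains $m.ModuleName) { $flags += 'SALITY-NAME' }
        elseif ($onDisk) {
            # Unsigned is common for third-party DLLs (TightVNC's own included);
            # treat it as "look closer", not "infected".
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            if ($sig.Status -ne 'Valid') { $flags += "SIG:$($sig.Status)" }
        }
        if ($flags.Count -gt 0) {
            '{0,-28} {1}  [{2}]' -f $m.ModuleName, $m.FileName, ($flags -join ',')
        }
    }
}

# 3. Recently created drivers, since the write-up says a randomly named
#    driver is dropped into the drivers folder. Review; do not auto-delete.
Get-ChildItem "$sysDir\drivers" -Filter *.sys -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-7) } |
    Sort-Object CreationTime -Descending |
    Select-Object Name, CreationTime, Length
```

Anything flagged NO-FILE-ON-DISK or SALITY-NAME is worth submitting to VirusTotal or Hybrid-Analysis as suggested above; a clean list does not rule out the in-memory case.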
nikki 0 (Author) Posted October 21, 2020

Thank you @itman & @Marcos !!