The Sality virus has the following characteristics:
1. Disables the "Super Hidden" option in Folder Options.
2. Infects EXE files, increasing their size by approximately 40 KB.
3. Blocks the installation of certain antivirus products, and disables Registry Editor and Task Manager.
4. The CRC32 value varies (similar to the technique of the Rodriguez virus, made in Spain).
5. Adds a file [random name].sys in Windows\system32\drivers.
6. Sets the registry as follows:
- Adds the following keys/values:
HKLM\SYSTEM\CurrentControlSet\Services\abp470n5
HKCU\Software\[computer name + 3 random numbers]
- Modifies the following keys/values:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"<infected filename>" = "<infected filename>:*:Enabled:ipsec"
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Setting\GlobalUserOffline = 0
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify = dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = 2
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr = dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = dword:00000001
- Deletes the following keys/values:
HKCU\System\CurrentControlSet\Control\SafeBoot
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
7. Adds the following string to the system.ini file:
[MCIDRV_VER]
DEVICEMB=[random number]
8. Attempts to download other malware from the following sites:
9. Deletes files with the following extensions:
.VDB
.AVC
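
A defensive check for the registry and system.ini changes in items 6 and 7, as an added example that is not part of the original post: it scans the text of a regedit export (assumed to cover both HKLM and HKCU) and a system.ini file for the values listed above. The function names and the sample data are constructed for illustration.

```python
import re
SC = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
POL = r"\Software\Microsoft\Windows\CurrentVersion\Policies\System"
# (key, value name) -> dword data the page lists as set by Sality.
TAMPERED = {
    ("HKEY_LOCAL_MACHINE" + POL, "EnableLUA"): 0,
    ("HKEY_CURRENT_USER" + POL, "DisableTaskMgr"): 1,
    ("HKEY_CURRENT_USER" + POL, "DisableRegistryTools"): 1,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden"): 2,
}
for sub in ("", r"\Svc"):
    for name in ("AntiVirusOverride", "AntiVirusDisableNotify", "FirewallOverride",
                 "FirewallDisableNotify", "UpdatesDisableNotify", "UacDisableNotify"):
        TAMPERED[(SC + sub, name)] = 1
# Key the page lists as deleted; only meaningful if the export covers HKLM.
DELETED = [r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"]

def parse_reg(text):
    """Parse regedit export text into {key: {value name: int}} (dword values only)."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def sality_findings(reg_text, system_ini_text=""):
    """Return the page's indicators that are present in the given snapshot."""
    keys, found = parse_reg(reg_text), []
    for (key, name), bad in TAMPERED.items():
        if keys.get(key.lower(), {}).get(name.lower()) == bad:
            found.append(f"{key}\\{name} = {bad}")
    for key in DELETED:
        if not any(e == key.lower() or e.startswith(key.lower() + "\\") for e in keys):
            found.append(f"missing key: {key}")
    if re.search(r"^\[MCIDRV_VER\]\s*$", system_ini_text, re.M | re.I):
        found.append("system.ini has [MCIDRV_VER] section")
    return found

# Constructed sample export, not taken from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''
if __name__ == "__main__":
    print("\n".join(sality_findings(SAMPLE_REG, "[MCIDRV_VER]\nDEVICEMB=12345\n")))
```

A match is an indicator rather than proof of infection, since an administrator can set values such as EnableLUA deliberately.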