Recently, we have got samples of new  variant of Sality. Through analyzing these samples, we find some MMX (MultiMedia eXtension) instructions in their metamorphic code which have never been seen in the previous variants.

Sality with MMX instruction

Previous Sality variants only uses pure x86 instructions in their metamorphic code.  Nowadays, x86 code can be emulated by almost antivirus emulators so these variants could be detected without much difficulty. However, the new variant has adopted one more instruction type: MMX instruction. By using MMX instructions, Sality can defeat antivirus emulator which does not support these instructions, and avoid being detected.

Generating MOVD mm, r/m32 instruction

There are few MMX instructions used in this variant . However, judging from the innovation trend of the previous variants, it’s likely that new variants will come up with more complex MMX instructions in the future.

Furthermore, new Sality variant turns its characteristic instructions into some pieces of code which does the same work.


R1 = [R2]

(R1 and R2 are 32bit register, [] indicate the memory addressed by the register in it)

can be turned into:

R1= 0

R1 = R1 xor [R2]


R1 = 0

R1 = R1 or [R2]


R1 = 0

R1 = R1 + [R2]

It is difficult to indicate which instruction is used to decrypt the virus body and which is only junk code, which register contains useful value and which does not. Antivirus programs must work more sophisticatedly to collect enough parameters for decrypting and cleaning virus from infected files.

This variant of Sality is detected by Bkav as W32.SalityVM.PE.

Nguyen Ngoc Dzung

Malware Analyst

Leave a Reply

Name (required)
Mail (hidden) (required)
Text to Identify

Popup Date Time Portlet

Blogs Aggregator

Recent Posts

Blog Category Portlet


Store Portlet


Vote Baby Portlet