From prodefence.org
Sality is a well-known family of file infectors (PE infectors, or simply viruses), and as malware it has a long history of evolution going back to 2003. Its latest versions carry a rootkit on board to complicate detection by AV scanners.
The driver has the following features:
- Process termination via NtTerminateProcess;
- Blocking access to some AV web resources via IP filtering;
- Small size, ~5 KB.
According to the analysis, the rootkit targets Windows versions from NT4 through Vista. It should be said in advance that this rootkit is not new and does not contain the features found in modern rootkits or bootkits. The researched version of the rootkit has been seen in the wild since the beginning of 2010.
The rootkit creates a device object named \Device\amsint32 together with the symbolic link \DosDevices\amsint32,
and the presence of these objects is a signal of infection.
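As an added example (not code from the prodefence.org analysis), a PowerShell check for that indicator: it tries to open \\.\amsint32, the Win32 path that resolves through the \DosDevices\amsint32 symbolic link, and classifies the outcome. The function name Test-SalityDevice and the error-code mapping are this example's own; the only thing taken from the analysis is the object name amsint32.

```powershell
# Added example, not from the prodefence.org write-up. Checks whether the
# \DosDevices\amsint32 link (reachable from user mode as \\.\amsint32)
# resolves to a device object, which the analysis describes as an infection signal.
Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFileW(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode,
    IntPtr lpSecurityAttributes, uint dwCreationDisposition,
    uint dwFlagsAndAttributes, IntPtr hTemplateFile);
'@

function Test-SalityDevice {
    param([string]$Name = 'amsint32')   # device name taken from the analysis

    $OPEN_EXISTING = 3
    # Desired access 0: we only want to know whether the object exists,
    # not to send it anything.
    $h = [Win32.NativeMethods]::CreateFileW("\\.\$Name", 0, 0, [IntPtr]::Zero,
                                            $OPEN_EXISTING, 0, [IntPtr]::Zero)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()

    if (-not $h.IsInvalid) {
        $h.Close()
        return [pscustomobject]@{ Name = $Name; Present = $true; Detail = 'device opened' }
    }

    # Error-code mapping is this example's own assumption about what each
    # failure means for the existence of the object behind the link.
    switch ($err) {
        2       { $present = $false; $detail = 'ERROR_FILE_NOT_FOUND: no such object' }
        3       { $present = $false; $detail = 'ERROR_PATH_NOT_FOUND: no such object' }
        5       { $present = $true;  $detail = 'ERROR_ACCESS_DENIED: object exists but refuses the open' }
        default { $present = $null;  $detail = "Win32 error $err while opening; existence unknown" }
    }
    [pscustomobject]@{ Name = $Name; Present = $present; Detail = $detail }
}

Test-SalityDevice
```

A clean host returns ERROR_FILE_NOT_FOUND; an access-denied result still means the link resolves to a live device, so it is counted as present. The check needs only user-mode access, but a kernel driver can hide or filter user-mode opens, so a negative result is not proof that the host is clean.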