The researchers used Kaspersky anti-virus to strip the Sality infection from the banking Trojan, and wound up with a pristine version of the banking malware. Since Sality wasn't the primary concern and it was easily removed, SpiderLabs didn't investigate what Sality was up to.
It turns out the cleaned malware couldn't be detected by the anti-virus engines the researchers used, Miller says.
The banking Trojan itself doesn't replicate, so when it was removed, the host machine was clean. The ongoing work is making sure that the means by which it got there in the first place - some form of targeted attack - is shut down, Miller says.
Possibilities include that the Trojan was placed there by someone with unrestricted administrative access via a remote desktop platform or by an insider with physical access to the management system. "That's generally how they get on there," he says.