Aliases: W32/Sachiel.worm.gen, Win32.Worm.Sachiel.A, Win32/Sachiel.H
Variants: Win32:Sachiel [Wrm], Worm/Generic.A.13, Worm/VB.2.BF

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 14 Jun 2002
Damage: Low

Characteristics: W32/Sachiel is a virus that attempts to propagate itself via floppy disk drive. The virus is compressed with UPX and is written in Microsoft Visual Basic programming language. The size of the virus is approximately 45 kilobytes after it is decompressed. Operating System platforms affected by this virus are Windows 2000, Windows 98, Windows 95, Windows Me, Windows XP and Windows NT.

More details about W32.Sachiel

Once W32.Sachiel runs, it displays an error dialogue box and copies itself as Helpdks.dll in windows installation folder, Sachiel.sys.bat, and Winrun.sys.pif in the system folder. These files are set as hidden file. The worm attempts to copy itself to the floppy disk as Ovnis45.jpg.scr, VidaMia.jpg.scr, 3rimpact.bat, or Marittsa.jpg.scr. After this, it searches for files with the.htm, .gif, .html extension in all folders of all the drives, except for the root folders. If the virus searches for a file, it creates a copy of itself making use of the same filename and extension of .pif. It also searches for files with the .jpeg or .jpg extension in all the folders of all the drives, except for the root folders. If the virus finds a file, it makes a copy of itself using the same filename and an extra extension of .scr. It adds values to the registry key so that the virus runs each time you start Windows and modifies the win.ini file so that the virus runs when you start Windows 95/98/Me.

The W32.Sachiel software can reportedly turn the system into a proxy server. It can receive Internet requests from the remote server. These will then be forwarded to specific locations. Any replies are routed through the infected computer then forwarded to the originating server. Proxy servers are often used to hide illicit activities. The infected computer may be used to mask spam or DoS (Denial of Service) attacks. If these attacks are traced, only the IP address of the proxy server is detected. The originating server may not be identified.