W32/Sachiel.worm.gen, Win32.Worm.Sachiel.A, Win32/Sachiel.H
Win32:Sachiel [Wrm], Worm/Generic.A.13, Worm/VB.2.BF
Category: Computer Worm
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
14 Jun 2002
W32/Sachiel is a virus that attempts to propagate itself via the floppy disk drive. The virus is compressed with UPX and is written in the Microsoft Visual Basic programming language. The size of the virus is approximately 45 kilobytes after it is decompressed. The operating system platforms affected by this virus are Windows 2000, Windows 98, Windows 95, Windows Me, Windows XP and Windows NT.
W32.Sachiel Removal Tool
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Sachiel from your computer.
More details about W32.Sachiel
Once W32.Sachiel runs, it displays an error dialogue box and copies itself as Helpdks.dll in the Windows installation folder, Sachiel.sys.bat, and Winrun.sys.pif in the system folder. These files are set as hidden files. The worm attempts to copy itself to the floppy disk as Ovnis45.jpg.scr, VidaMia.jpg.scr, 3rimpact.bat, or Marittsa.jpg.scr. After this, it searches for files with the .htm, .gif, or .html extension in all folders of all the drives, except for the root folders. If the virus finds a file, it creates a copy of itself using the same filename and an extension of .pif. It also searches for files with the .jpeg or .jpg extension in all the folders of all the drives, except for the root folders. If the virus finds a file, it makes a copy of itself using the same filename and an extra extension of .scr. It adds values to the registry key so that the virus runs each time you start Windows, and it modifies the win.ini file so that the virus runs when you start Windows 95/98/Me.
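The file-naming behaviour described above can be checked for with a name-based sweep of a folder tree. The following is an added example, not a tool from this page or its partner; the function names are hypothetical, and because the page's wording on the .pif copies is ambiguous, the script assumes either "page.pif" next to "page.htm" or "page.htm.pif" may occur.

```python
import os

# File names the page lists as copies the worm drops (compared case-insensitively).
KNOWN_NAMES = {"helpdks.dll", "sachiel.sys.bat", "winrun.sys.pif", "ovnis45.jpg.scr",
               "vidamia.jpg.scr", "3rimpact.bat", "marittsa.jpg.scr"}
PIF_TARGETS = (".htm", ".html", ".gif")   # files shadowed by a .pif copy
SCR_TARGETS = (".jpg", ".jpeg")           # files shadowed by an extra .scr extension


def classify(name, siblings):
    """Return the reason a file name matches the described behaviour, or None."""
    low = name.lower()
    if low in KNOWN_NAMES:
        return "known dropped file name"
    stem, ext = os.path.splitext(low)
    if ext == ".scr" and stem.endswith(SCR_TARGETS):
        return "image name with extra .scr extension"
    if ext == ".pif":
        # Assumption: the page's wording allows both "page.pif" and "page.htm.pif".
        if stem.endswith(PIF_TARGETS):
            return "web/image name with extra .pif extension"
        if any(stem + t in siblings for t in PIF_TARGETS):
            return ".pif companion of a web/image file"
    return None


def scan(root):
    """Walk root and return sorted (relative path, reason) pairs for matching files."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        siblings = {f.lower() for f in files}   # lower-cased names in this folder
        for name in files:
            reason = classify(name, siblings)
            if reason:
                hits.append((os.path.relpath(os.path.join(folder, name), root), reason))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for path, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {reason}")
```

A match is only a lead based on the file name: confirm it with an antivirus scan before deleting anything, since a legitimate .pif shortcut can share a name with a web page.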
The W32.Sachiel software can reportedly turn the system into a proxy server. It can receive Internet requests from a remote server. These will then be forwarded to specific locations. Any replies are routed through the infected computer and then forwarded to the originating server. Proxy servers are often used to hide illicit activities. The infected computer may be used to mask spam or DoS (Denial of Service) attacks. If these attacks are traced, only the IP address of the proxy server is detected. The originating server may not be identified.