Aliases: TR/Agent.CQL, Worm/W32.Sachy.A, Worm.Win32.Sachy.A
Variants: Worm.W32.Sachy.A, Worm/Win32.Sachy.A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 25 May 2007
Damage: Medium

Characteristics: W32/Sachy.A is a worm that propagates through network shares. It can also download potentially malicious files on to the compromised computer. This worm affects Windows Operating System platforms such as Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, and Windows XP.

More details about W32.Sachy.A

Once the W32.Sachy.A program is executed, it creates files on the system folder. These files include drivers\GO.bat, drivers\ftpdata.sys, drivers\VistA.bat, ShellExt\run.reg, ShellExt\run.reg, and ShellExt\smss.exe. It then connects to an FTP server on the 135.fm 260.com domain and downloads file like ShellExt\csrss.exe (this is a copy of Trojan.Galapoper.A), ShellExt\yes.bat, and wmi.vbs on System folder. It has also the ability to delete files on your system folder such as ftpdata.sys, drivers\VistA.bat and run.reg. The worm then scans for networked computers with open TCP port 135. If any are found, the worm tries to log into the computer as the Administrator, using a blank password. If successful, it will attempt to remotely launch a command prompt using Windows Management Instrumentation.

The W32.Sachy.A program may also be instructed to perform other functions. It can change the system settings to disable certain features such as System Restore, Task Manager and firewalls. The user’s files may also be stolen. Programs may be launched, installed or deleted the following: The application can enter the system via drive-by-download. It may also be bundled with advertising and spying software.