TR/Agent.CQL, Worm/W32.Sachy.A, Worm.Win32.Sachy.A
Category: Computer Worm
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
25 May 2007
W32/Sachy.A is a worm that propagates through network shares. It can also download potentially malicious files onto the compromised computer. This worm affects Windows platforms including Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, and Windows XP.
W32.Sachy.A Removal Tool
If you have malware on your computer, it will cause annoyances and damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Sachy.A from your computer.
More details about W32.Sachy.A
Once W32.Sachy.A is executed, it creates the following files in the system folder: drivers\GO.bat, drivers\ftpdata.sys, drivers\VistA.bat, ShellExt\run.reg, and ShellExt\smss.exe. It then connects to an FTP server on the 135.fm 260.com domain and downloads files such as ShellExt\csrss.exe (a copy of Trojan.Galapoper.A), ShellExt\yes.bat, and wmi.vbs into the system folder. It can also delete files from the system folder, such as ftpdata.sys, drivers\VistA.bat and run.reg. The worm then scans for networked computers with TCP port 135 open. If any are found, it attempts to log into the computer as Administrator using a blank password. If successful, it attempts to remotely launch a command prompt using Windows Management Instrumentation (WMI).
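As an added example, not part of this page or of any vendor's removal tool, the following Python script shows two checks a defender could run against the behaviour described above: it looks in the system folder for the dropped file names the page lists, and it flags hosts in a firewall log that contact many peers on TCP port 135, the sweep the worm performs before trying the blank-password Administrator logon. The file list comes from the page; the firewall log format, the sample log lines and the demo folder are constructed for the example.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# File names the page lists as created or downloaded by W32.Sachy.A, relative
# to the Windows system folder (e.g. C:\Windows\System32).
DROPPED_FILES = [
    r"drivers\GO.bat",
    r"drivers\ftpdata.sys",
    r"drivers\VistA.bat",
    r"ShellExt\run.reg",
    r"ShellExt\smss.exe",
    r"ShellExt\csrss.exe",
    r"ShellExt\yes.bat",
    r"wmi.vbs",
]


def find_dropped_files(system_dir):
    """Return the DROPPED_FILES entries that exist under system_dir.

    smss.exe and csrss.exe are legitimate Windows binaries in the system
    folder itself; the worm's copies sit in a ShellExt subfolder, which is
    why the relative paths are checked rather than the bare file names.
    """
    root = Path(system_dir)
    return [rel for rel in DROPPED_FILES
            if root.joinpath(*rel.split("\\")).is_file()]


def demo_dropped_files():
    """Build a throwaway 'system folder' (constructed for the example) holding
    two of the indicator files and run the check against it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in (r"drivers\GO.bat", r"ShellExt\run.reg"):
            path = Path(tmp).joinpath(*rel.split("\\"))
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("constructed sample")
        return find_dropped_files(tmp)


# Assumed (constructed) firewall log format:
#   "<date> <time> <ALLOW|DROP> TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DROP) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def find_port135_scanners(log_lines, threshold=10):
    """Return {source_ip: distinct_targets} for sources that tried TCP/135 on
    at least `threshold` distinct hosts. One host sweeping many peers on 135
    matches the propagation pattern described for W32.Sachy.A; an isolated
    135 connection (e.g. legitimate DCOM/WMI management) stays below it."""
    targets = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if m is None or m.group("dport") != "135":
            continue
        targets[m.group("src")].add(m.group("dst"))
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= threshold}


# Constructed sample log: 10.0.0.5 sweeps twelve hosts on TCP/135, while
# 10.0.0.6 makes one ordinary SMB connection and a single WMI connection.
SAMPLE_LOG = [
    f"2007-05-25 10:00:{i:02d} DROP TCP 10.0.0.5:{40000 + i} -> 10.0.0.{10 + i}:135"
    for i in range(12)
] + [
    "2007-05-25 10:01:00 ALLOW TCP 10.0.0.6:50001 -> 10.0.0.7:445",
    "2007-05-25 10:01:01 ALLOW TCP 10.0.0.6:50002 -> 10.0.0.8:135",
]


if __name__ == "__main__":
    print("indicator files found in demo folder:", demo_dropped_files())
    print("hosts sweeping TCP/135:", find_port135_scanners(SAMPLE_LOG))
```

The threshold is deliberately a parameter: on a network where management tools legitimately reach port 135 on a handful of hosts, raise it; on a segment where no host should ever initiate DCOM connections, a threshold of 1 is appropriate.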
W32.Sachy.A may also be instructed to perform other functions. It can change system settings to disable features such as System Restore, Task Manager and firewalls. The user's files may be stolen, and programs may be launched, installed or deleted. The worm can enter the system via drive-by download, and it may also be bundled with advertising and spying software.