| Sachiel | |
|---|---|
| Type | Worm |
| Creator | MachineDramon |
| Date Discovered | 13-JUN-2002 |
| Place of Origin | Peru |
| Source Language | Visual Basic |
| Platform | Microsoft Windows |
| File Types | .bat, .dll, .exe, .pif, .scr |
| Infection Length | 45,056 bytes |
| Reported Costs | |
Sachiel is a worm that spreads through floppy drives. It deletes some Windows utilities and displays misleading messages.
Behavior
[Image: Sachiel's message]
When Sachiel is executed, it displays a message saying "Error: El Archivo esta parcial o totalmente dañado imposible abrir el archivo" (Error: The file is partially or totally damaged, it is impossible to open the file). It copies itself to the Windows folder as Sachiel.sys.bat and to the system folder as Helpdks.dll and Winrun.sys.pif, and sets these files' attributes to hidden. It copies itself to the floppy drive as one of the following:
- Marittsa.jpg.scr
- 3rimpact.bat
- VidaMia.jpg.scr
- Informes.txt.pif
- Ovnis45.jpg.scr
It searches all folders except for the root folder for the presence of files with the extensions .gif, .htm, and .html. When it finds them, it makes a copy of itself in that file's directory with the file's name and an added .pif extension. For example, if it finds cutekittens.gif in My Pictures, then that folder will also contain a new file named cutekittens.gif.pif. It performs a similar action with .jpg and .jpeg files, but adds an .scr extension. It also deletes .pwl files (files Windows 9x systems used to store usernames and passwords) in all folders except for the root of the drive.
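The companion-file behaviour described above gives a responder a simple detection signal: a `.pif` or `.scr` file whose name is an existing image or HTML file plus one more extension. The following is an added example (not code from the page or from the worm's author) that scans a directory listing for that pattern and for the documented floppy file names; the sample listing is constructed.

```python
"""Added example: flag Sachiel-style companion files in a directory listing.

Sachiel drops a copy of itself beside every .gif/.htm/.html file as
<file>.pif and beside every .jpg/.jpeg file as <file>.scr, and uses fixed
names on floppies. This only reports candidates for inspection; it never
deletes anything.
"""
import os
from typing import Iterable, List

# Companion extension the worm appends for each host extension (from the write-up).
COMPANION_EXT = {
    ".gif": ".pif", ".htm": ".pif", ".html": ".pif",
    ".jpg": ".scr", ".jpeg": ".scr",
}
# Names the worm is documented to use on floppies (matched case-insensitively).
FLOPPY_NAMES = {
    "marittsa.jpg.scr", "3rimpact.bat", "vidamia.jpg.scr",
    "informes.txt.pif", "ovnis45.jpg.scr",
}
SACHIEL_SIZE = 45056  # size of the original sample; a match strengthens a hit


def find_companions(names: Iterable[str]) -> List[str]:
    """Return companion file names (lower-cased, sorted) in one listing.

    X.gif.pif is reported only when X.gif is also present, which is the
    worm's signature; a lone .pif file is not enough on its own.
    """
    present = {n.lower() for n in names}
    hits = []
    for name in sorted(present):
        if name in FLOPPY_NAMES:
            hits.append(name)
            continue
        stem, ext = os.path.splitext(name)    # ("cutekittens.gif", ".pif")
        host_ext = os.path.splitext(stem)[1]  # ".gif"
        if COMPANION_EXT.get(host_ext) == ext and stem in present:
            hits.append(name)
    return hits


def scan_tree(root: str) -> List[str]:
    """Walk a real directory tree and return paths of companion candidates."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for hit in find_companions(files):
            path = os.path.join(dirpath, hit)
            size_note = " (size matches Sachiel)" if os.path.getsize(path) == SACHIEL_SIZE else ""
            found.append(path + size_note)
    return found


if __name__ == "__main__":
    # Constructed listing standing in for a "My Pictures" folder.
    sample = ["cutekittens.gif", "cutekittens.gif.pif", "holiday.jpg",
              "holiday.jpg.scr", "notes.txt", "readme.txt.pif"]
    print(find_companions(sample))  # -> ['cutekittens.gif.pif', 'holiday.jpg.scr']
```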
[Image: Sachiel's icons. The fake image file of Sachiel.A is most common.]
To ensure the worm runs whenever the computer is started, it adds the values "Thsys = %windir%\help\Sachiel.sys.bat" and "Mmsystem = %system%\winrun.sys.pif" to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. On Windows 9x systems it also modifies the file win.ini, adding the line "run=%system%\winrun.sys.pifs". It also adds the value Soundir to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion.
Payload
In addition to the message it displays, Sachiel has a payload that deletes files belonging to utilities that could be used to remove the worm or stop it spreading. In the Windows directory it deletes Regedit.exe; in the System directory it deletes Regedit.exe, Msconfig.exe, Sfc.exe, and Sysedit.exe.
Variants
Sachiel has several variants that behave mostly like the original.
RconR
[Image: RconR's image]
Sachiel.Rconr, also known as Rrc or Sachiel.E, is a 16,384-byte worm discovered on 22 August 2003. It poses as a .jpg file, though it is actually a screensaver (.scr), and displays an image of three women with a button labelled "Visit Web". The pictures are from two popular Peruvian television shows. If the user clicks the button, it downloads the worms Sachiel (the original) and Gaghiel from the web pages http://www.gratisweb.com/machinedramon/sachiel.jpg.scr and http://www.gratisweb.com/machinedramon/gaghiel.html, both of which were taken down by the host for abuse.
RconR copies itself as rconr.com and 1000oficios.dll to the system folder. To ensure it runs when the system reboots, it adds the value "RconR = c:\windows\system\rconr.com" to the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices. It stays active in memory and watches for a floppy disk in drive A:. If it finds one, it copies itself to the disk as CatherineCaballero.jpg.scr, GeraldineSalmon.jpg.scr, LauraHuarcayo.jpg.scr, or PatriciaWong.jpg.scr.
It contains the following text in its code (not displayed at any point):
W32/RconR.worm by MachineDramon/GEDZAC
Este pequeño programa esta dedicado a todos
quienes participan en RconR y 1000oficios,
2 de los pocos buenos programas que hay hoy
en la Tv. Hecho en el Perú, Calidad Mundial.
Sachiel2015@latinmail.com
Translation:
W32/RconR.worm by MachineDramon/GEDZAC
This small program is dedicated to everyone
who takes part in RconR and 1000oficios,
2 of the few good programmes there are today
on TV. Made in Peru, World Quality.
Sachiel2015@latinmail.com
Origin
Sachiel was coded in 2002 in Visual Basic. Strings contained in the original worm indicate it was compiled with a Spanish-language version of VB6. MachineDramon, a retired member of the still-active Spanish-language GEDZAC zine and group, published a worm under the name "W32.Sachiel.c", and some variants contain his signature, so he is likely the author of the original version. Gaghiel, also known as Gaggle, another worm created by MachineDramon, attempts to download this worm.
Effects
More than 50 Sachiel infections were found across 10 sites.
Sources
- Yana Liu, Symantec Security Response, "W32.Sachiel", 09-MAY-2003
- GEDZAC, "Viruses Page"
- VSAntivirus, "W32/Rrc.B. Se propaga en disquetes, simula ser un JPG", 26-AUG-2003
- VSAntivirus, "VBS/Gaggle.D. Asunto: 'Advertencia de Envio Spam'", 28-APR-2003