Sachiel
Type Worm
Creator MachineDramon
Date Discovered 13-JUN-2002
Place of Origin Peru
Source Language Visual Basic
Platform Microsoft Windows
File Types .bat, .dll, .exe, .pif, .scr
Infection Length 45,056 bytes
Reported Costs

Sachiel is a worm that spreads on floppy disks and by planting copies of itself beside image and web files on the infected machine. It deletes several Windows system utilities and displays a misleading error message.

Behavior

When Sachiel is executed, it displays a message box reading "Error: El Archivo esta parcial o totalmente dañado imposible abrir el archivo" (Error: The file is partially or totally damaged, it is impossible to open the file). It copies itself to the Windows folder as Sachiel.sys.bat and to the System folder as Helpdks.dll and Winrun.sys.pif, and sets the hidden attribute on all three copies. It copies itself to the floppy drive under one of the following names:

  • Marittsa.jpg.scr
  • 3rimpact.bat
  • VidaMia.jpg.scr
  • Informes.txt.pif
  • Ovnis45.jpg.scr

Image: Sachiel's message (sachielmessage.png)

It searches every folder except the root of the drive for files with the extensions .gif, .htm, and .html. For each one it finds, it writes a copy of itself into that file's directory under the file's name with .pif appended. For example, if it finds cutekittens.gif in My Pictures, that folder will also contain a new file named cutekittens.gif.pif. It does the same with .jpg and .jpeg files, appending .scr instead. Because Explorer hides known extensions by default, such a copy is listed as cutekittens.gif and is distinguishable only by its icon. It also deletes .pwl files (the password-list files in which Windows 9x cached usernames and passwords) in every folder except the root of the drive.

Image: Sachiel's icons; the fake image-file icon of Sachiel.A is the most common (sachielicon.png)

To run whenever the computer starts, it adds the values "Thsys = %windir%\help\Sachiel.sys.bat" and "Mmsystem = %system%\winrun.sys.pif" to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (%windir% is the Windows folder and %system% the System folder). On Windows 9x it also modifies win.ini, adding the line "run=%system%\winrun.sys.pif" to the [windows] section, a legacy autorun mechanism those versions still honour. It also adds a value named Soundir to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion.
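The two Behavior paragraphs above describe artefacts a responder can look for after the fact: companion files named after a real image or web page with .pif or .scr appended, the worm's own hidden copies, and the autorun entries in the Run key and win.ini. The script below is an added example written for this page, not code from the worm, Symantec or GEDZAC. It takes the file names and autorun value names from the page (including RconR's rconr.com, 1000oficios.dll and "RconR" value described under Variants); the sample directory tree, the constructed registry values and win.ini, and the idea of passing registry values in as a dict are assumptions of the example.

```python
"""Offline triage for Sachiel-style floppy worms (added example for this
page; not the worm's code and not from any vendor writeup).

Looks for the artefact classes the Behavior section describes: companion
files (name.gif.pif / name.jpg.scr beside a real image or web page), the
worm's own hidden copies, and autorun entries in Run/RunServices values
and win.ini. File and value names come from the page; the sample tree
and sample registry data are constructed for the example.
"""
import os
import re
import tempfile

# File names the page gives for the worm's own copies (Sachiel and RconR).
WORM_COPIES = {"sachiel.sys.bat", "helpdks.dll", "winrun.sys.pif",
               "rconr.com", "1000oficios.dll"}
# Autorun value names the page attributes to Sachiel and RconR.
PERSISTENCE_VALUES = {"thsys", "mmsystem", "rconr"}
# Host file extension -> extension the worm appends to its companion copy.
COMPANION_EXT = {".gif": ".pif", ".htm": ".pif", ".html": ".pif",
                 ".jpg": ".scr", ".jpeg": ".scr"}


def find_companion_files(root):
    """Paths of files named like an existing .gif/.htm/.html/.jpg/.jpeg
    file in the same directory plus .pif or .scr (cutekittens.gif.pif).
    An orphan such as photo.gif.pif with no photo.gif beside it is not
    reported, so a stray .pif on its own does not count."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        for f in files:
            host, outer = os.path.splitext(f.lower())   # "cutekittens.gif", ".pif"
            inner = os.path.splitext(host)[1]            # ".gif"
            if COMPANION_EXT.get(inner) == outer and host in present:
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def find_worm_copies(root):
    """Paths of files carrying one of the worm's own file names, wherever
    they sit; the hidden attribute does not stop os.walk listing them."""
    return sorted(os.path.join(d, f) for d, _s, files in os.walk(root)
                  for f in files if f.lower() in WORM_COPIES)


def check_persistence(run_values, win_ini_text):
    """run_values: value name -> data as read from the Run and RunServices
    keys (on a live system you would fill this with winreg); win_ini_text:
    the contents of win.ini. Returns human-readable findings."""
    findings = []
    for name, data in run_values.items():
        if name.lower() in PERSISTENCE_VALUES or \
           any(c in data.lower() for c in WORM_COPIES):
            findings.append(f"autorun value {name} = {data}")
    # Only the run= line is an autorun; [ \t]* (not \s*) keeps the match
    # from spilling onto the next line when the value is empty.
    m = re.search(r"^[ \t]*run[ \t]*=[ \t]*(.+)$", win_ini_text,
                  re.IGNORECASE | re.MULTILINE)
    if m and any(c in m.group(1).lower() for c in WORM_COPIES):
        findings.append(f"win.ini run={m.group(1).strip()}")
    return findings


def build_sample_tree(base):
    """Constructed sample, not a real infection: three companion pairs,
    one orphan .pif, one of the floppy names, and two hidden copies."""
    for rel in ["My Pictures/cutekittens.gif", "My Pictures/cutekittens.gif.pif",
                "My Pictures/holiday.jpg", "My Pictures/holiday.jpg.scr",
                "My Pictures/orphan.gif.pif", "web/readme.html",
                "web/readme.html.pif", "docs/Informes.txt.pif",
                "WINDOWS/SYSTEM/Helpdks.dll", "WINDOWS/SYSTEM/winrun.sys.pif"]:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"MZ" if rel.endswith((".pif", ".scr", ".dll")) else b"")


# Constructed registry values and win.ini mirroring the page's entries.
SAMPLE_RUN_VALUES = {
    "Thsys": r"C:\WINDOWS\help\Sachiel.sys.bat",
    "Mmsystem": r"C:\WINDOWS\SYSTEM\winrun.sys.pif",
    "SystemTray": "SysTray.Exe",            # benign Windows 9x entry
}
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\winrun.sys.pif\n"


def demo():
    """Run every check over the constructed sample; returns basenames."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return {
            "companions": [os.path.basename(p) for p in find_companion_files(base)],
            "copies": [os.path.basename(p) for p in find_worm_copies(base)],
            "persistence": check_persistence(SAMPLE_RUN_VALUES, SAMPLE_WIN_INI),
        }


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Run it as-is to see the three checks against the constructed sample; point find_companion_files and find_worm_copies at a mounted image or drive root to use them for real. The companion check deliberately requires the host file to exist next to the .pif/.scr, which is what separates Sachiel's pattern from an ordinary stray shortcut.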

Payload

In addition to the message it displays, Sachiel has a payload that deletes tools that could be used to remove it or to undo its persistence. In the Windows directory it deletes Regedit.exe; in the System directory it deletes Regedit.exe, Msconfig.exe, Sfc.exe, and Sysedit.exe.

Variants

Sachiel has several variants, which behave much like the original.

RconR

Image: RconR's decoy image (Rconr.png)

Sachiel.Rconr, also known as Rrc or Sachiel.E, is a 16,384-byte worm discovered on 22 August 2003. It poses as a .jpg file but is actually a screensaver (.scr); when run it displays an image of three women with a button labelled "Visit Web". The pictures are from two popular Peruvian television shows. If the user clicks the button, the worm downloads the original Sachiel and the worm Gaghiel from http://www.gratisweb.com/machinedramon/sachiel.jpg.scr and http://www.gratisweb.com/machinedramon/gaghiel.html; both pages were taken down by the host for abuse.

RconR copies itself to the System folder as rconr.com and 1000oficios.dll. To run when the system reboots, it adds the value "RconR = c:\windows\system\rconr.com" to the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices (a key only Windows 9x/ME processes, consistent with the hard-coded c:\windows\system path). It stays resident in memory and watches for a floppy disk in drive A:. When it finds one, it copies itself to the disk as CatherineCaballero.jpg.scr, GeraldineSalmon.jpg.scr, LauraHuarcayo.jpg.scr, or PatriciaWong.jpg.scr.

It contains the following text in its code (not displayed at any point):

W32/RconR.worm by MachineDramon/GEDZAC
Este pequeño programa esta dedicado a todos
quienes participan en RconR y 1000oficios,
2 de los pocos buenos programas que hay hoy
en la Tv. Hecho en el Perú, Calidad Mundial.
Sachiel2015@latinmail.com

Translation:

W32/RconR.worm by MachineDramon/GEDZAC
This small program is dedicated to everyone
who takes part in RconR and 1000oficios,
two of the few good programmes on
TV today. Made in Peru, world-class quality.
Sachiel2015@latinmail.com

Origin

Sachiel was written in Visual Basic in 2002; strings in the original worm indicate it was compiled with a Spanish-language version of VB6. MachineDramon, a retired member of the still-active Spanish-language GEDZAC zine and group, published a worm under the name "W32.Sachiel.c", and some variants carry his signature, so he is likely the author of the original version. Gaghiel, also known as Gaggle and also written by MachineDramon, attempts to download this worm.

Effects

More than 50 Sachiel infections were found across 10 sites.

Sources

Yana Liu. Symantec Security Response, "W32.Sachiel". 09-MAY-2003

GEDZAC, Viruses Page.

VSAntivirus, "W32/Rrc.B. Se propaga en disquetes, simula ser un JPG" (W32/Rrc.B. Spreads on floppy disks, poses as a JPG). 26-AUG-2003

VSAntivirus, "VBS/Gaggle.D. Asunto: "Advertencia de Envio Spam"" (VBS/Gaggle.D. Subject: "Spam sending warning"). 28-APR-2003

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License