Type IRC worm
Creator Gigabyte
Date Discovered 1999
Place of Origin Mechelen, Belgium
Source Language Visual Basic 5
Platform Microsoft Windows
File Types .exe
Infection Length 45,056 bytes

Sahara is an early IRC worm by Gigabyte. It was one of her early attempts and given she removed it from her site some time in 2001, she was not proud of it. It overwrites files with copies of itself and attacks antivirus software.


When executed, it may display a message box with the text "You are infected with Sahara (written by Gigabyte).. are you gonna cry now?". It copies itself to the Windows system folder as GB.EXE It overwrites executable files in the Windows folder and its subfolders. It also tries to delete files from C:\Program Files\AntiViral Toolkit Pro\ (Kaspersky Antivirus). It will drop the file start into C:\<Windows>\Start Menu\Programs\StartUp\, which ensures the message box will run when the system restarts.

The Sahara Message

It overwrites the file SCRIPT.INI in C:\mirc to send itself to connected IRC channels.
Upon rebooting, the system may display the message "This program cannot be run in DOS mode." It will allow the user to log in but the system may be too damaged to allow the user to go further.


There is at least one variant that weighs in at 9,728 bytes. In our tests, it does not display any message and goes straight to overwriting files and trying to spread over IRC.


Sahara was coded some time before 2001 by Gigabyte in Mechelen, Belgium. She made the sources unavailable because they were early attempts and "they suck". Stressout, Entice, and Gum were similarly made unavailable. This makes a few details about the worm difficult to determine, but text strings indicate it was written in Visual Basic 5 some time in 1999.

The Sahara Icon


Gigabyte's Projects.

Sophos Antivirus, W32/Sahara-A.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License