| Sahara | |
|---|---|
| Type | IRC worm |
| Creator | Gigabyte |
| Date Discovered | 1999 |
| Place of Origin | Mechelen, Belgium |
| Source Language | Visual Basic 5 |
| Platform | Microsoft Windows |
| File Types | .exe |
| Infection Length | 45,056 bytes |
Sahara is an early IRC worm by Gigabyte. It was one of her early attempts and given she removed it from her site some time in 2001, she was not proud of it. It overwrites files with copies of itself and attacks antivirus software.
Behavior
When executed, it may display a message box with the text "You are infected with Sahara (written by Gigabyte).. are you gonna cry now?". It copies itself to the Windows system folder as GB.EXE It overwrites executable files in the Windows folder and its subfolders. It also tries to delete files from C:\Program Files\AntiViral Toolkit Pro\ (Kaspersky Antivirus). It will drop the file start into C:\<Windows>\Start Menu\Programs\StartUp\, which ensures the message box will run when the system restarts.
 |
|
| The Sahara Message |
It overwrites the file SCRIPT.INI in C:\mirc to send itself to connected IRC channels.
Upon rebooting, the system may display the message "This program cannot be run in DOS mode." It will allow the user to log in but the system may be too damaged to allow the user to go further.
Variants
There is at least one variant that weighs in at 9,728 bytes. In our tests, it does not display any message and goes straight to overwriting files and trying to spread over IRC.
 |
|
| The Sahara Icon |
Origin
Sahara was coded some time before 2001 by Gigabyte in Mechelen, Belgium. She made the sources unavailable because they were early attempts and "they suck". Stressout, Entice, and Gum were similarly made unavailable. This makes a few details about the worm difficult to determine, but text strings indicate it was written in Visual Basic 5 some time in 1999.
Sources
Sophos Antivirus, W32/Sahara-A.