VBS/Sarachi is a script virus written in Visual Basic Script. It uses Microsoft VM ActiveX Control (MS00-075) vulnerability to execute itself.
Disinfection & Removal
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
When an infected HTML file is opened, the virus uses the Microsoft VM ActiveX Control (MS00-075) to execute itself. It locates the Windows Active Desktop template directory and replaces the file "FOLDER.HTT" with an infected copy.
The virus will also make a copy of itself to the root of drive it was executed from as "FOLDER.HTT" and changes the system configuration from registry in a way that thisfile is executed every time when user browses a directory when the Windows' Active Desktop feature is enabled.
This virus contains a payload that activates on September 26th. On this date, the virus shuts down Windows when user closes a directory in an infected system provided that the Active Directory feature is enabled.
Further information about the Microsoft VM ActiveX Control (MS00-75) vulnerability is available at: