Threat Description

Sarachi.A

Details

Aliases: Sarachi.A, Virus.VBS.Saraci
Category: Malware
Type: Virus
Platform: VBS

Summary



VBS/Sarachi is a script virus written in Visual Basic Script. It uses Microsoft VM ActiveX Control (MS00-075) vulnerability to execute itself.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



When an infected HTML file is opened, the virus uses the Microsoft VM ActiveX Control (MS00-075) to execute itself. It locates the Windows Active Desktop template directory and replaces the file "FOLDER.HTT" with an infected copy.

The virus will also make a copy of itself to the root of drive it was executed from as "FOLDER.HTT" and changes the system configuration from registry in a way that thisfile is executed every time when user browses a directory when the Windows' Active Desktop feature is enabled.

This virus contains a payload that activates on September 26th. On this date, the virus shuts down Windows when user closes a directory in an infected system provided that the Active Directory feature is enabled.

Further information about the Microsoft VM ActiveX Control (MS00-75) vulnerability is available at:






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More