Threat Description: Sarachi.A<style type="text/css" media="screen,projection">@import "http://www.f-secure.com/export/system/modules/com.fsecure.frontend.newbrand/resources/css/_ui/css/common.css";</style> <style type="text/css" media="screen,projection">@import "http://www.f-secure.com/export/system/modules/com.fsecure.frontend.newbrand/resources/css/_ui/css/layout.css";</style> <style type="text/css" media="screen,projection">@import "http://www.f-secure.com/export/system/modules/com.fsecure.frontend.newbrand/resources/css/_ui/css/nav.css";</style> <style type="text/css" media="screen,projection">@import "http://www.f-secure.com/export/system/modules/com.fsecure.frontend.newbrand/resources/css/_ui/css/search.css";</style> <style type="text/css" media="screen,projection">@import "http://www.f-secure.com/export/system/modules/com.fsecure.frontend.newbrand/resources/css/_ui/css/content-index.css";</style> <style type="text/css" media="screen,projection">@import "http://www.f-secure.com/export/system/modules/com.fsecure.frontend.newbrand/resources/css/_ui/css/form_table.css";</style> <style type="text/css" media="screen,projection">@import "http://www.f-secure.com/export/system/modules/com.fsecure.frontend.newbrand/resources/css/_ui/css/content-cart.css";</style> <style type="text/css" media="screen,projection">@import "http://www.f-secure.com/export/system/modules/com.fsecure.frontend.newbrand/resources/css/_ui/css/roundBox.css";</style> <style type="text/css" media="screen,projection">@import "http://www.f-secure.com/export/system/modules/com.fsecure.frontend.newbrand/resources/css/_ui/css/nb_layout.css";</style> <style type="text/css" media="screen,projection">@import "http://www.f-secure.com/export/system/modules/com.fsecure.frontend.newbrand/resources/css/_ui/css/nb_home_layout.css";</style> <style type="text/css" media="screen,projection">@import "http://www.f-secure.com/export/system/modules/com.fsecure.frontend.newbrand/resources/css/_ui/css/nb_roundBox.css";</style>     <script type="text/javascript" src="/system/modules/com.fsecure.web2.frontend/resources/js/main.js"></script> </meta> </head> <body> <div id="page"> <ol id="accessibility-nav"> <li><a href="#nav">Skip to navigation</a></li> <li><a href="#content">Skip to content</a></li> <li><a href="#aside">Skip to secondary-content</a></li> </ol> <hr />  <span class="page-l"></span> <span class="page-r"></span> <span class="page-t"></span> <span class="page-b"></span> <div id="header"> <span class="lt"></span> <span class="rt"></span> <a href="http://www.f-secure.com/en/web/labs_global/" class="logo" rel="home" title="Go to homepage">F-Secure</a> <div id="site-options"> <div id="tools"> <h3>Tools</h3>  <div class="content"> <form class="location" action="#"> <fieldset> <h4>Choose Location:</h4> <select name="location" onchange="top.location.href=this.options[this.selectedIndex].value"> <option value="http://www.f-secure.com/en/web/corporation_global/home">Corporation - English</option> <option value="http://www.f-secure.com/fi/web/corporation_fi">Corporation - Finnish</option> <option value="http://www.f-secure.com/en/web/labs_global/" selected="Selected">Labs</option> <option disabled="disabled">------------</option> <option value="http://www.f-secure.com/en_AU/">Australia</option> <option value="http://www.f-secure.com/nl_BE/">Belgium - Dutch</option> <option value="http://www.f-secure.com/fr_BE/">Belgium - French</option> <option value="http://www.f-secure.com.br">Brazil</option> <option value="http://www.f-secure.com/da_DK/">Denmark</option> <option value="http://www.f-secure.ee">Estonia</option> <option value="http://www.f-secure.com/fi_FI/">Finland</option> <option value="http://www.f-secure.com/fr_FR/">France</option> <option value="http://www.f-secure.com/de_DE/">Germany</option> <option value="http://www.f-secure.com/en/web/labs_global/">Global</option> <option value="http://www.f-secure.gr">Greece</option> <option value="http://www.f-secure.com/en_HK/">Hong Kong</option> <option value="http://www.f-secure.com/en_IN/">India</option> <option value="http://www.f-secure.com/it_IT/">Italy</option> <option value="http://www.f-secure.com/ja_JP/">Japan</option> <option value="http://www.f-secure.com/en_MY/">Malaysia</option> <option value="http://www.f-secure.com/nl_NL/">Netherlands</option> <option value="http://www.f-secure.co.nz">New Zealand</option> <option value="http://www.f-secure.com/pl_PL/">Poland</option> <option value="http://www.f-secure.ru">Russia</option> <option value="http://www.f-secure.si">Slovenia</option> <option value="http://www.f-secure.com/sv_SE/">Sweden</option> <option value="http://www.f-secure.com/en_UK/">UK</option> <option value="http://www.f-secure.com/en_US/">USA</option> </select> </fieldset> </form> </div> </div>  <form action="http://www.google.com/cse" method="get" id="search" onsubmit="return validateSearchField(document.forms['search'],document.forms['search'].q);"> <fieldset> <legend>Search</legend> <input type="hidden" name="cx" value="014625612662474666087:2paeijvwemq" /> <input type="hidden" name="ie" value="UTF-8" /> <input type="text" name="q" class="textField" value="Search" onblur="clearDefaultValue(document.forms['search'].q, document.forms['search'].sa);" onfocus="clearDefaultValue(document.forms['search'].q, document.forms['search'].sa);" /> <button type="submit" name="sa">Go</button> </fieldset> </form> <script type="text/javascript" src="http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en&sitesearch=true"></script> <script src="/system/modules/com.fsecure.frontend.newbrand/resources/js/jquery.min.js" type="text/javascript" charset="utf-8"></script>  </div>  </div> <hr />  <div id="nav"> <div class="inner_nav"> <h3>Navigation</h3> <ul> <li><a href="http://www.f-secure.com/en/web/labs_global/home" ><strong> Labs </strong> <span></span> <span class="b"></span></a></li> <li><a href="http://www.f-secure.com/en/web/labs_global/news" ><strong> News </strong> <span></span> <span class="b"></span></a></li> <li class="active"><a href="http://www.f-secure.com/en/web/labs_global/threats" ><strong> Threats </strong> <span></span> <span class="b"></span></a></li> <li><a href="http://www.f-secure.com/en/web/labs_global/how-to" ><strong> How To </strong> <span></span> <span class="b"></span></a></li> <li><a href="http://www.f-secure.com/en/web/labs_global/submit-samples" ><strong> Submit Samples </strong> <span></span> <span class="b"></span></a></li> <li><a href="http://www.f-secure.com/en/web/labs_global/beta-programs" ><strong> Beta Programs </strong> <span></span> <span class="b"></span></a></li> <li><i><strong> </strong></i></li>  </ul> </div> </div> <hr /> <div id="nav-sub"> <h3>Subnavigation</h3> <ul> <li class="active"><a href="http://www.f-secure.com/en/web/labs_global/threats/descriptions" >Virus and Threat descriptions</a></li> <li><a href="http://www.f-secure.com/en/web/labs_global/mobile-security" >Mobile Security</a></li> <li><a href="http://www.f-secure.com/en/web/labs_global/vulnerability" >Vulnerability Protection</a></li> <li><a href="http://www.f-secure.com/en/web/labs_global/threats/classifications" >Classifications</a></li> </ul> </div> <hr /> <div id="container" class="cart"> <span class="fig_fx"></span> <span class="container-l"></span> <span class="container-lt"></span> <span class="container-rt"></span> <span class="container-r"></span> <span class="container-lb"></span> <span class="container-rb"></span> <span class="container-t"></span> <div class="container-inner"> <div id="products-nav"> <h2>Labs</h2> <ul> <li><a href="http://www.f-secure.com/en/web/labs_global/threats/descriptions"><span>Latest Threats</span></a></li> <li><a href="https://analysis.f-secure.com/portal/login.html"><span>Submit Samples (SAS)</span></a></li> <li><a href="http://www.f-secure.com/en/web/labs_global/removal-tools"><span>Free Tools</span></a></li> <li><a href="http://www.f-secure.com/en/web/labs_global/terminology"><span>Terminology</span></a></li> </ul> </div> <div id="content"> <div class="breadcrumbs"> <h3>Where You Are</h3> <ol> <li> <a href="http://www.f-secure.com/en/web/labs_global/home">Labs</a></li> <li><a href="http://www.f-secure.com/en/web/labs_global/threats">Threats</a></li> <li><a href="http://www.f-secure.com/en/web/labs_global/threats/descriptions">Virus and threat descriptions</a></li> <li>Sarachi.A</li> </ol> </div> <div id="three_level_main_container"> <h1></h1> </div> <div class="box-small"> <h1>Sarachi.A</h1> <div class="box"> <span class="t"></span> <span class="lt"></span> <span class="rt"></span> <span class="b"></span> <span class="lb"></span> <span class="rb"></span> <span class="l"></span> <span class="r"></span> <div class="box-content"> <div> <TABLE width="100%" border="0"> <TR><TD width="20%"></TD><TD></TD></TR> <TR><TD><b>Alias:</b></TD><TD>Virus.VBS.Saraci</TD></TR> <TR><TD><b><a href="http://www.f-secure.com/en/web/labs_global/threat-categories">Category</a>:</b></TD><TD>Virus</TD></TR> <TR><TD><b><a href="http://www.f-secure.com/en/web/labs_global/threat-platforms">Platform</a>:</b></TD><TD>VBS</TD></TR> </TABLE> </div> </div> </div> <div class="box"> <span class="t"></span> <span class="lt"></span> <span class="rt"></span> <span class="b"></span> <span class="lb"></span> <span class="rb"></span> <span class="l"></span> <span class="r"></span> <div class="box-content"> <h2>Summary</h2> VBS/Sarachi is a script virus written in Visual Basic Script. It uses Microsoft VM ActiveX Control (MS00-075) vulnerability to execute itself. </div> </div> </div> <div class="box"> <span class="t"></span> <span class="lt"></span> <span class="rt"></span> <span class="b"></span> <span class="lb"></span> <span class="rb"></span> <span class="l"></span> <span class="r"></span> <div class="box-content"> <h2>Additional Details</h2> <div> <p>When an infected HTML file is opened, the virus uses the Microsoft VM ActiveX Control (MS00-075) to execute itself. It locates the Windows Active Desktop template directory and replaces the file "FOLDER.HTT" with an infected copy.</p> <p>The virus will also make a copy of itself to the root of drive it was executed from as "FOLDER.HTT" and changes the system configuration from registry in a way that this<br />file is executed every time when user browses a directory when the Windows' Active Desktop feature is enabled.</p> <p>This virus contains a payload that activates on September 26th. On this date, the virus shuts down Windows when user closes a directory in an infected system provided that the Active Directory feature is enabled.<br /> <br />Further information about the Microsoft VM ActiveX Control (MS00-75) vulnerability is available at:</p> <ul> <li><a href="http://www.microsoft.com/technet/security/bulletin/MS00-075.mspx">http://www.microsoft.com/technet/security/bulletin/MS00-075.mspx</a></li> </ul> </div> </div> </div> </div> </div> </div> <div id="footer"> <span class="lb"></span> <span class="rb"></span> <span class="t"></span> <p>© 2009 <a href="http://www.f-secure.com/en/web/labs_global/">F-Secure Corporation</a> <a href="http://www.f-secure.com/en/web/corporation_global/company/brand-and-values" class="tagline">Protecting the irreplaceable</a> </p> <ul> <li><a href="http://www.f-secure.com/en/web/home_global">Antivirus</a></li> <li><a href="http://www.f-secure.com/en/web/labs_global/rss-feeds">RSS Feeds</a></li> <li><a href="http://www.f-secure.com/en/web/home_global/home">Products</a></li> <li><a href="http://www.f-secure.com/en/web/labs_global/sitemap">Sitemap</a></li> </ul> </div> <span class="page-l"></span> <span class="page-r"></span> <span class="page-t"></span> <span class="page-b"></span> <span class="page-l"></span> <span class="page-r"></span> <span class="page-t"></span> <span class="page-b"></span>  <script type="text/javascript" src="http://www.f-secure.com/js/s_code.js"></script> <script type="text/javascript"></script> <script type="text/javascript"></script><noscript><div><a href="http://www.omniture.com" title="Web Analytics"><img src="http://fsecure.122.2O7.net/b/ss/fsecure/1/H.24.2--NS/0" height="1" width="1" alt="" /></a></div></noscript>  <script type="text/javascript"> var boxHeights = new Array(); boxHeights[0] = document.getElementById("row1box1").offsetHeight; boxHeights[1] = document.getElementById("row1box2").offsetHeight; var maxValue = getMaxValue(boxHeights); document.getElementById("row1box1").style.height = maxValue + "px"; document.getElementById("row1box2").style.height = maxValue + "px"; var boxHeights = new Array(); boxHeights[0] = document.getElementById("row2box1").offsetHeight; boxHeights[1] = document.getElementById("row2box2").offsetHeight; var maxValue = getMaxValue(boxHeights); document.getElementById("row2box1").style.height = maxValue + "px"; document.getElementById("row2box2").style.height = maxValue + "px"; </script> <script type="text/javascript"></script> </body> </html>