Description:
Upon initial execution, this memory-resident worm creates the file Me^sa~e#4% in the Windows temporary folder. It executes the said file using Notepad, and displays the following:

It waits for a user to close Notepad, then proceeds to delete the file Me^sa~e#4%. This stealth routine leads users into thinking that this worm has terminated. It, however, continues with its routines.
This worm propagates via email and through peer-to-peer (P2P) networks.
It spreads via email by sending copies of itself with the file name TMP.ZIP to target addresses. It gathers target recipients from an affected system's Windows Address Book (WAB). It may also generate additional email addresses by using certain common names, such as alice, jerry, or robert, appended with a domain name.
It may also drop a copy of itself into any shared folders it finds, so that other users download the worm. On systems running the P2P applications LimeWire and eDonkey2000, it instead drops its copy in locations specific to those applications.
This worm uses a common social engineering technique to avoid early detection: it uses file names that usually belong to legitimate software, such as Nero and winamp5. The worm thus tricks users into thinking it is a harmless file, which may prolong its presence on the system.
It modifies the affected system's HOSTS file by appending a list of URLs related to antivirus and security applications. It maps these URLs to the local machine, preventing the user from accessing the listed Web sites.
It carries a malware retaliation routine, particularly against NETSKY, BLASTER, MYDOOM, BAGLE, and SOBIG variants. It prevents the processes of these malware from executing and also terminates any of their processes that are already running.
Additionally, this worm has backdoor capabilities. It connects to a remote Web site, where it awaits commands from a remote malicious user, such as downloading files that may be malicious. It then executes these commands locally, compromising the machine's security.
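The HOSTS redirection described above is easy to check for on a suspect system: any entry that maps a hostname other than localhost to a loopback or null address is out of place in a default HOSTS file. The following is an added detection example, not code from the original advisory; the sample HOSTS content and the vendor hostnames in it are constructed placeholders, not the list the worm appends, and the keyword watchlist is an assumption to be tuned to the vendors an estate relies on.

```python
"""Flag HOSTS entries that pin real hostnames to the local machine.
Constructed example, not code from the original advisory. Entries mapping a
hostname other than localhost to a loopback or null address are reported.
"""
import ipaddress
import re

# Constructed sample HOSTS content; the vendor names are illustrative
# placeholders, not the list the worm actually appends.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# appended by malware (constructed sample)
127.0.0.1 www.security-vendor-example.com
127.0.0.1 update.antivirus-example.net
0.0.0.0 downloads.av-example.org
192.0.2.10 intranet.example.com
"""

# Assumed watchlist of vendor-domain keywords; tune to your own estate.
WATCH_KEYWORDS = ("antivirus", "security", "av-")


def _is_sinkhole(addr):
    # True for 127.x / ::1 / 0.0.0.0 style addresses used to block a name.
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def suspicious_hosts_entries(text):
    """Return (address, hostname) pairs that redirect real hostnames locally."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        addr, *names = re.split(r"\s+", line)
        if not _is_sinkhole(addr):
            continue
        for name in names:
            if name.lower() not in ("localhost", "localhost.localdomain"):
                findings.append((addr, name.lower()))
    return findings


def watchlist_hits(findings, keywords=WATCH_KEYWORDS):
    """Subset of findings whose hostname contains a watchlist keyword."""
    return [(a, n) for a, n in findings if any(k in n for k in keywords)]
```

On a live system, read `%SystemRoot%\System32\drivers\etc\hosts` into `text` instead of the constructed sample; the intranet entry shows that only loopback/null mappings are flagged, not every custom line.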
Description created: Aug. 30, 2005 5:38:16 PM GMT -0800