FRISK Software International


Summary of W32/Savage.D@mm
Discovered: 16 Sep 2005
Definition files: 16 Sep 2005
Risk Level: Low
Distribution: Low
 

Brief Description
W32/Savage.D is a mass-mailing worm that harvests e-mail addresses from available hard drives.

When run for the first time it starts Notepad and displays the file Me^sa~e#4% from the %TMP% folder. The displayed file appears to be nonsense; its only purpose is to make the user believe they have merely opened the attachment in Notepad rather than executed the worm.

The worm copies itself to %WINDIR%\system32\lsasrv.exe (a name chosen to resemble the legitimate lsass.exe and lsasrv.dll), drops the files iexplor.dll, shlapiw.dll and version.ini into %WINDIR%\system32, and drops Me^sa~e#4% into the %TMP% folder. Of these, iexplor.dll and shlapiw.dll are also malicious.

The worm injects its components into Internet Explorer so that its network traffic appears to originate from the browser, bypassing personal firewalls that trust Internet Explorer's outbound connections.


Technical Description
Savage.D@mm alters registry entries in the following way:

Adds key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SSavage]

The worm uses this key as an infection marker.


Adds value:

"lsass"="%WINDIR%\system32\lsasrv.exe"

to the key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

This makes sure the worm is run at startup.

Adds value:

"Debugger"="%program path%"

to the key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]

where %program path% is the full path to the original worm file.
Because of this Image File Execution Options entry, every attempt to start iexplore.exe launches the worm instead, with the original browser command line passed as arguments; the worm therefore runs every time Internet Explorer is started and can launch the real browser itself afterwards.

Alters value:

"Shell"="explorer.exe %WINDIR%\system32\lsasrv.exe"

of the key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

Winlogon starts whatever is listed in the Shell value at user logon, so this is a second mechanism that makes sure the worm is run at startup.
NOTE: the default value is "Shell"="Explorer.exe"; anything appended to it should be treated as suspicious.
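The three persistence locations above, plus the SSavage marker key, can be checked offline against a registry export. The following script is an added example written for this page, not F-PROT's code; it assumes the input is the text of a `reg export` (.reg) file, and the sample export embedded in it is constructed rather than taken from an infected machine.

```python
"""Offline triage of a Windows registry export for the persistence
locations listed above.  Added example, not F-PROT's code.  It assumes
the input is the text of a `reg export` (.reg) file; the sample below is
constructed, not taken from an infected machine."""
import re

# Locations from the description above, lower-cased because registry key
# names are case-insensitive and exports preserve whatever case is stored.
MARKER_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\ssavage"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
IFEO_IE_KEY = (r"hkey_local_machine\software\microsoft\windows nt\currentversion"
               r"\image file execution options\iexplore.exe")
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')


def parse_reg_export(text):
    """Return {key_lower: {value_name: value}} from .reg text.

    Only quoted (REG_SZ) values are unescaped; hex(...) blobs for other
    value types are kept as raw text, which is enough for this check."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            val = m.group("val")
            if len(val) >= 2 and val[0] == val[-1] == '"':
                # .reg files escape backslashes and quotes inside strings
                val = val[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group("name")] = val
    return keys


def find_savage_indicators(text):
    """Return a list of findings for the three persistence mechanisms plus
    the infection marker; an empty list means none were seen."""
    reg = parse_reg_export(text)
    findings = []
    if MARKER_KEY in reg:
        findings.append("infection marker key SSavage is present")
    for name, val in reg.get(RUN_KEY, {}).items():
        if val.lower().endswith("\\lsasrv.exe"):
            findings.append(f"Run value {name!r} starts {val}")
    debugger = reg.get(IFEO_IE_KEY, {}).get("Debugger")
    if debugger:
        # Any Debugger value on iexplore.exe hijacks every browser launch.
        findings.append(f"IFEO Debugger on iexplore.exe -> {debugger}")
    shell = reg.get(WINLOGON_KEY, {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        # Default is "Explorer.exe"; anything appended to it runs at logon.
        findings.append(f"Winlogon Shell altered: {shell!r}")
    return findings


# Constructed sample in .reg syntax (backslashes are doubled in exports).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SSavage]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"lsass"="C:\\WINDOWS\\system32\\lsasrv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="C:\\Documents and Settings\\user\\Desktop\\document.scr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system32\\lsasrv.exe"
"""

if __name__ == "__main__":
    for finding in find_savage_indicators(SAMPLE_EXPORT):
        print(finding)
```

The Winlogon and IFEO checks are deliberately generic: any Shell value other than Explorer.exe, and any Debugger value on iexplore.exe, is reported, because both locations are abused by far more than this one worm.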


E-mail routine:

The worm sends itself as an attachment to an e-mail with the following characteristics:

The From address is spoofed using hard-coded addresses and domains.

Subject is one of the following:

Good day

Do not reply to this email

hello

Mail Delivery System

Attention!!!

Mail Transaction Failed

Server Report

Status

Error

The body of the message is one of the following:

Mail transaction failed. Partial message is available.


The message contains Unicode characters and has been sent as a binary attachment.


The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.


Do not visit these sites!!!


You have visited illegal websites.
I have a big list of the websites you surfed.


You think it's funny? You are stupid idiot!!! I'll send the attachment to your ISP and then I'll be watching how you will go to jail, punk!!!


Your credit card was charged for $500 USD. For additional information see the attachment


ESMTP [Secure Mail System #334]: Secure message is attached.


Encrypted message is available.


Delivered message is attached.


Can you confirm it?


Binary message is available.


am shocked about your document!


Are you a spammer? (I found your email on a spammer website!?!)


Bad Gateway: The message has been attached.


Attention! New self-spreading virus!

Be careful, a new self-spreading virus called "RTSW.Smash" spreading very fast via e-mail and P2P networks. It's about two million people infected and it will be more.

To avoid your infection by this virus and to stop it we provide you with full information how to protect yourself against it and also including free remover. Your can find it in the attachment.

p 2004 Networks Associates Technology, Inc. All Rights Reserved


New terms and conditions for credit card holders

Here a new terms and conditions for credit card holders using a credit cards for making purchase in the Internet in the attachment. Please, read it carefully. If you are not agree with new terms and conditions do not use your credit card in the World Wide Web.

Thank you,
The World Bank Group
2004 The World Bank Group, All Rights Reserved


Thank you for registering at WORLDXXXPASS.COM

All your payment info, login and password you can find in the attachment file.

It's a real good choise to go to WORLDXXXPASS.COM


Attention! Your IP was logged by The Internet Fraud Complaint Center

Your IP was logged by The Internet Fraud Complaint Center.
There was a fraud attempt logged by The Internet Fraud Complaint Center from your IP.
This is a serious crime, so all records was sent to the FBI.
All information you can find in the attachment. Your IP was flagged and if there will be anover attemption you will be busted.

This message is brought to you by the Federal Bureau of Investigation and the National White Collar Crime Center


Here is your documents you are requested.

The attached file is named %name%.%ext%, where %name% is one of the following:

document
readme
doc
rules
file
data
docs
message
body

and %ext% is one of the following:

pif
scr
exe
cmd
bat


The worm terminates processes whose names contain the following strings:

netstat
msblast
zapro
navw32
navapw32
zonealarm
outpost
wincfg32
taskmon
PandaAVEngine
sysinfo
mscvb32
MSBLAST
teekids
Penis32
bbeagle
SysMon
winupd
winsys
ssate
rate
d3dupdate
irun4
i11r54n4

Most of these process names belong to other malware (for example msblast, teekids and Penis32 are Blaster variants and bbeagle is Bagle); the remainder are security tools the worm wants out of the way: netstat, the ZoneAlarm (zapro, zonealarm) and Outpost personal firewalls, Norton AntiVirus (navw32, navapw32) and Panda (PandaAVEngine).

Adds the following lines to %WINDIR%\system32\drivers\etc\hosts so that the listed antivirus vendor websites, including their update servers, resolve to the local host and can no longer be reached:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 grisoft.com
127.0.0.1 downloads1.kaspersky.com
127.0.0.1 downloads2.kaspersky.com
127.0.0.1 ftp.downloads1.kaspersky-labs.com
127.0.0.1 ftp.downloads2.kaspersky-labs.com
127.0.0.1 updates1.kaspersky-labs.com
127.0.0.1 updates3.kaspersky-labs.com
127.0.0.1 updates2.kaspersky-labs.com
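A hosts file modified this way is easy to spot if every non-default loopback mapping is listed rather than only the names above. The parser below is an added example written for this page, not F-PROT's code; it goes beyond the list above by treating any mapping to a loopback or 0.0.0.0 address (other than the stock localhost entries) as suspicious and merely highlighting the ones that hit the security-vendor domains from the list. The hosts content embedded in it is constructed.

```python
"""Report hosts-file entries that sinkhole hostnames to loopback or
0.0.0.0, highlighting the security-vendor domains named above.  Added
example, not F-PROT's code; SAMPLE_HOSTS is constructed, not captured."""
import ipaddress

# Registrable domains from the worm's list above.
VENDOR_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "networkassociates.com", "ca.com", "my-etrust.com",
    "nai.com", "trendmicro.com", "grisoft.com",
}
# Names that legitimately map to loopback in a stock hosts file.
BENIGN_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (address, hostname) for every mapping, handling comments,
    tabs and several hostnames on one line; malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            yield parts[0], host.lower().rstrip(".")


def registered_domain(host):
    """Last two labels of the name.  Good enough for the .com names above;
    a public-suffix list would be needed for names like example.co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_sinkholed(text):
    """Return [(hostname, address, is_vendor)] for every mapping to a
    loopback or unspecified address that is not a stock localhost entry."""
    hits = []
    for addr, host in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        if host in BENIGN_LOOPBACK:
            continue
        hits.append((host, addr, registered_domain(host) in VENDOR_DOMAINS))
    return hits


# Constructed sample: stock header, the worm's style of entries, one
# 0.0.0.0 variant, one legitimate static entry and one unrelated sinkhole.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1\tlocalhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
0.0.0.0   liveupdate.symantecliveupdate.com
127.0.0.1 updates1.kaspersky-labs.com # added later
10.0.0.5  intranet.example   # normal static entry, not flagged
127.0.0.1 www.example.org
"""

if __name__ == "__main__":
    for host, addr, vendor in find_sinkholed(SAMPLE_HOSTS):
        print(f"{addr:<10} {host:<40} {'AV vendor' if vendor else ''}")
```

Run it against `%WINDIR%\system32\drivers\etc\hosts` copied off the suspect machine; on a clean Windows installation the function returns an empty list, since the file contains only comments and the localhost entries.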


Marteinn Þór Harðarson
 

