W32.Savix


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 18 Sep 2008
Damage: Low

Characteristics: The W32.Savix program is a worm that propagates through removable media and fixed drives.

More details about W32.Savix

W32.Savix is a worm that propagates through removable media and fixed drives. Once executed, the worm propagates by copying itself to the root of all drives from C to I as “%DriveLetter%:\.x”. It also creates the file “%DriveLetter%:\autorun.inf” in the root of all drives from C to I so that the worm runs when the drives are opened. The worm also creates and modifies registry keys so that it runs each time Windows starts. The worm shows the following message with a math question and then tries to reboot the computer system after 20 seconds: “Wilcome Let Play a Game better than Silk[REMOVED]it.”, “125 * 45 - 50/2 = Here ?”, “else i don't need to Tell you what”, and “will Happened”.
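The drive-root artifacts described above can be checked with a short script. This is an added example, not code from the original write-up; it assumes the autorun.inf starts the “.x” copy through a standard launch key (open, shellexecute or shell\...\command), which the write-up does not spell out, and all function names are hypothetical.

```python
import re
from pathlib import Path

DRIVE_LETTERS = "CDEFGHI"   # drive range given in the write-up
WORM_COPY = ".x"            # file name given in the write-up
# Standard autorun.inf keys that launch a program when the drive is opened.
LAUNCH_KEY = re.compile(
    r"^\s*(?:open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$", re.I)


def autorun_targets(text):
    """Return the commands listed under [autorun] launch keys."""
    targets, in_section = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_section = stripped.lower() == "[autorun]"
        elif in_section and not stripped.startswith(";"):
            m = LAUNCH_KEY.match(line)
            if m:
                targets.append(m.group(1))
    return targets


def launched_name(cmd):
    """File name of the program a command starts, without path or arguments."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmd)
    return re.split(r"[\\/]", m.group(1) or m.group(2))[-1].lower() if m else ""


def check_root(root):
    """Return findings for one drive root; an empty list means no match."""
    root, findings = Path(root), []
    if (root / WORM_COPY).is_file():
        findings.append(f"{root}: '{WORM_COPY}' present in drive root")
    inf = root / "autorun.inf"
    if inf.is_file():
        for cmd in autorun_targets(inf.read_text(encoding="latin-1")):
            if launched_name(cmd) == WORM_COPY:   # assumed link between the two files
                findings.append(f"{inf}: launches '{cmd}'")
    return findings


def scan(roots=None):
    """Check the given roots, or C:\\ through I:\\ when none are given."""
    roots = roots or [f"{d}:\\" for d in DRIVE_LETTERS]
    return [f for r in roots for f in check_root(r)]


if __name__ == "__main__":
    print("\n".join(scan()) or "no W32.Savix drive-root indicators found")
```

A file named “.x” or an autorun.inf entry pointing at it is only an indicator; confirm any hit with an up-to-date scanner before deleting files.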

W32.Savix adds its executable files to the system registry, which allows it to run at system startup. Its DLL (Dynamic Link Library) modules are registered as Browser Helper Objects (BHOs), which gives the malware access to the web browser’s resources. Security software will consider the program part of a legitimate application. The program opens an unused port to create a backdoor, which is used to connect to a remote server without the user’s consent. Files will be downloaded and saved on the infected computer. These are commonly installers for other unwanted programs.