BackDoor.Agent.DWC, Backdoor.Agent.hiv, BDS/Agent.abj.5, Trojan.AVKiller.M
W32/BackdoorX.QCO, Win32/VMalum.NBH infection., Worm:Win32/Savego.A
Category: Computer Worm
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
13 Dec 2006
W32/Sagevo is a worm that propagates by exploiting the elevation-of-privilege vulnerability in Symantec AntiVirus and Symantec Client Security (described in Symantec Advisory SYM06-010). The worm lowers security settings and can download other threats. It affects the Windows 2000, Windows 98, Windows 95, Windows Me, Windows Server 2003, Windows NT, and Windows XP operating system platforms.
W32.Sagevo Removal Tool
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Sagevo from your computer.
More details about W32.Sagevo
W32/Sagevo attempts to exploit a previously addressed elevation-of-privilege vulnerability in Symantec AntiVirus and Symantec Client Security, SYM06-010; patches for this Symantec product vulnerability have been available. As a result, consumers who have applied the patch on their systems are not affected by the worm's attempt to leverage the Symantec vulnerability for attacks. Consumers using Symantec intrusion prevention (IPS) capable products or Symantec Client Security are protected against all known and unknown exploits of SYM06-010 via IPS signatures.
Once W32.Sagevo is executed, it copies itself as wins\svchost.exe in the system folder and attempts to spread using the Symantec Client Security and Symantec AntiVirus elevation-of-privilege vulnerability. It creates 512 threads and tries to connect to IP addresses on TCP port 2967. The worm gets the IP address of the compromised computer, generates an IP address, and tries to infect the PC at that address.
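The behaviour described above (many parallel connection attempts to generated addresses on TCP port 2967, plus a copy at wins\svchost.exe under the system folder) can be hunted for on the defender's side. The following is an added example, not part of the original write-up or any vendor tool; the log format, the threshold and window values, and all function names are assumptions made for illustration.

```python
import os
import re
from collections import defaultdict

SAGEVO_PORT = 2967      # TCP port the write-up says the worm connects to
THRESHOLD = 20          # assumption: distinct destinations per window treated as scanning
WINDOW = 60             # assumption: sliding window length in seconds

# Constructed log format: "<epoch> <src> -> <dst>:<port> TCP SYN"
LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) TCP SYN$")

def find_scanners(lines, port=SAGEVO_PORT, threshold=THRESHOLD, window=WINDOW):
    """Return {source: peak distinct destinations on `port` within one window}."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and int(m.group(4)) == port:
            events[m.group(2)].append((int(m.group(1)), m.group(3)))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = peak = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] >= window:
                start += 1          # drop events older than the window
            peak = max(peak, len({dst for _, dst in evs[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

def has_dropped_copy(system_dir):
    """True if wins\\svchost.exe exists under the given system folder."""
    return os.path.isfile(os.path.join(system_dir, "wins", "svchost.exe"))

def build_sample():
    """Constructed log lines (not captured traffic)."""
    lines = []
    for i in range(40):
        # one host sweeping 40 different addresses on 2967 within 40 seconds
        lines.append(f"{1000 + i} 10.0.0.5 -> 172.16.{i}.{i + 1}:2967 TCP SYN")
        # one host talking to a single peer on 2967 repeatedly
        lines.append(f"{1000 + i} 10.0.0.9 -> 10.0.0.2:2967 TCP SYN")
        # many destinations, but on an unrelated port
        lines.append(f"{1000 + i} 10.0.0.7 -> 192.0.2.{i + 1}:443 TCP SYN")
    return lines

if __name__ == "__main__":
    print(find_scanners(build_sample()))
```

Counting distinct destinations rather than raw connections keeps a host that repeatedly contacts one peer on port 2967 from being flagged alongside a host that is sweeping addresses.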
More than one copy of the W32.Sagevo application may be placed on the system. This is done so the software can repair itself if other components are deleted. The main file is commonly an executable file, which is added to the startup registry entry. It then loads a DLL (Dynamic Link Library) module, which is registered as a component of the Internet Explorer program. This gives the application access to the Internet. It will also be exempted from system scans and firewalls.