Aliases: BackDoor.Agent.DWC, Backdoor.Agent.hiv, BDS/Agent.abj.5, Trojan.AVKiller.M
Variants: W32/BackdoorX.QCO, Win32/VMalum.NBH infection., Worm:Win32/Savego.A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 13 Dec 2006
Damage: Medium

Characteristics: W32/Sagevo is a worm that propagates by exploiting Symantec AntiVirus Elevation of Privilege and Symantec Client Security and (this is described in Symantec Advisory SYM06-010). The worm lowers security settings and can download other threats. This worm affects Windows 2000, Windows 98, Windows 95, Windows Me, Windows Server 2003, Windows NT, and Windows XP Operating System platforms.

More details about W32.Sagevo

W32/Sagevo attempts to exploit a current addressed vulnerability in Symantec AntiVirus Elevation of Privilege and Symantec Client Security, SYM06-010; patches for the specific Symantec product vulnerability have been accessible. As a result, consumers who have applied the patch in their system are not affected by the worm's attempt to influence the Symantec vulnerability for attacks. Consumers using Symantec intrusion prevention (IPS) capable products or Symantec Client Security are protected against all known and unknown exploits of the SYM06-010 via IPS signatures. Once W32.Sagevo is executed, it copies itself as wins\svchost.exe in the system folder and attempts to spread using Symantec Client Security and Symantec AntiVirus Elevation of Privilege. It creates 512 threads and tries to connect to IP addresses on TCP port 2967. The worm will get the IP address of the compromised computer, generates an Internet Protocol address, and tries to infect the PC with that address.

More than one copy of the W32.Sagevo application may be placed in the system. This is done so the software can repair itself if other components are deleted. The main file is commonly an executable file. This is added to the startup registry entry. It then loads a DLL (Dynamic Library Link) module. This is registered as a component of the Internet Explorer program. This gives the application access to the Internet. It will also be exempted from system scans and firewalls.