W32/Savage.A is a mass mailing worm. The worm will infect Windows systems. The worm spreads through email and P2P softwares.

The subject of the infected mail will be any one of the following;

The message contains Unicode characters and has been sent as a binary attachment.
Your credit card was charged for $500 USD. For additional information see the attachment
Are you a spammer? (I found your email on a spammer website!?!)
Binary message is available.
Can you confirm it?
Delivered message is attached.
Bad Gateway: The message has been attached.
Encrypted message is available.
ESMTP [Secure Mail System #334]: Secure message is attached.
Mail transaction failed. Partial message is available.
am shocked about your document!
You have visited illegal websites. I have a big list of the websites you surfed.
Do not visit these sites!!!
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
You think it's funny? You are stupid idiot!!! I'll send the attachment to your ISP and then I'll be watching how you will go to jail, punk!!!

The body of the infected mail will be any one of the following;

Thank you for registering at WORLDXXXPASS.COM
All your payment info, login and password you can find in the attachment file.
It's a real good choise to go to WORLDXXXPASS.COM

New terms and conditions for credit card holders
Herea new terms and conditions for credit card holders using a credit cards for making purchase in the Internet in the attachment. Please, read it carefully. If you are not agree with new terms and conditions do not use your credit card in theWorld Wide Web.
Thank you,
The World Bank Group
2004 The World Bank Group, All Rights Reserved

Attention! Your IP was logged by The Internet Fraud Complaint Center
Your IP was logged by The Internet Fraud Complaint Center. There was a fraud attempt logged by The Internet Fraud Complaint Center from your IP. This is a serious crime, so all records was sent to the FBI.
All information you can find in the attachment. Your IP was flagged and if there will be anover attemption you will be busted.
This message is brought to you by the Federal Bureau of Investigation and the National White Collar Crime Center

Attention! New self-spreading virus!
Be careful, a new self-spreading virus called "RTSW.Smash" spreading very fast via e-mail and P2P networks. It's about two million people infected and it will be more.
To avoid your infection by this virus and to stop it we provide you with full information how to protect yourself against it and also including free remover. Your can find it in the attachment.
p 2004 Networks Associates Technology, Inc. All RightsReserved

The infected email carries the following attachment;

tmp.zip

The infected attachment will contain lsasrv.exe file. This file may also contain any one the following as the second extension.

scr, exe, pif or bat.

Upon execution of the infected attachment, the worm copies itself as lsasrv.exe in the Windows System folder.

It also drops the following files in the Windows System folder.

iexplor.dll
shlapiw.dll
version.ini
upd.ini

The worm modifies registry at the following location to load itself during each startup;

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

This worm tries to terminate some of the malware programs running in the infected system.

It also blocks access to some of the security related website.

To propogate itself, the worm gathers email address from the Windows Address Book of the infected system.

The worm attempts to locate SMTP server by appending the following prefixes to the domain names collected from the infected system. On successful SMTP server access it mails itself to the produced email addresses.

smtp.
gate.
mx.
mx1.
mxs.
mail1.
ns.
relay.
mail.

This worm also propagates using P2P programs by searching the shared folder of the of iMesh, Kazaa and Morpheus. If it finds the shared folder it drops a copy of itself to the shared folder.

This worm first appeared on August 31, 2005.

 Other names of W32/Savage.A Worm:

This Worm is also known as WORM_SAVAGE.A.