Summary
| Protection available since | 28 September 2003 09:47:00 (GMT) |
|---|---|
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
Windows 95/98/Me
Download the most recent virus identity (IDE) files and save them to floppy disk. Write-protect the floppy disk.
If Sophos Anti-Virus is not already installed on the computer either use the DOS version from the DOS folder on the Sophos CD, or download it. Copy the files into a C:\Sophtemp directory on your computer.
Restart the computer in DOS mode
- On Windows 95/98 go to the Start menu and select Shut Down. Choose the option 'Restart the computer in DOS mode'.
- On Windows Me create a startup disk and boot from that. Go to Start|Settings|Control Panel. Click 'Add/Remove Programs', select the 'Startup Disk' tab and click the 'Create Disk' button. When you have created the startup disk, write-protect it and boot from it. Remove the floppy disk from the A: drive.
Insert the floppy disk with the IDE files into the A: drive.
If you have a full Sophos Anti-Virus installation type
CD C:\PROGRA~1\SOPHOS~1
(alternatively CD C:\PROGRA~1\SOPHOS~2). Type DIR *.TXT to check that the file READ95.TXT is listed (if it is not, try the alternative directory).
If you are using the Sophtemp directory type
CD C:\SOPHTEMP
To delete the worm files type
SWEEP C: -REMOVEF -IDE=A:\ -P=LOGFILE.TXT
The IDE files will be read from the A: drive.
Reboot to Windows.
Renaming the registry editor
- Using Windows Explorer, browse to the Windows folder (usually C:\Windows or C:\Winnt), right-click Regedit.exe and make a copy of it. (The worm hijacks the .exe file association, so running Regedit.exe directly would launch the worm; a .com copy is not affected.)
- Rename the copy of Regedit.exe to Regedit.com.
- At the taskbar, click Start|Run. Type 'Regedit.com' and press Return. The registry editor opens.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winsock = "<System>\svch0st.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\winsock = "<System>\svch0st.exe"
and delete them if they exist.
The worm will have added itself to this HKEY_CLASSES_ROOT entry
HKCR\exefile\shell\open\command\(default) = <System>\svch0st.exe "%1" %*
delete only the path to the worm. Do not delete anything else.
After deleting the text the key should look like this
HKCR\exefile\shell\open\command\(default) = "%1" %*
Close the registry editor.
Editing Win.ini
At the taskbar, click Start|Run and type Sysedit. Bring Win.ini to the front. In the [windows] section, search for lines beginning with 'Run=' or 'Load=' and delete any references to the files you removed. Delete only that reference, not any other text.
Reboot your computer.
Windows 2000/XP
Download the most recent virus identity (IDE) files and save them to floppy disk. Write-protect the floppy disk.
Restart the computer in Safe Mode. Go to Start|Shut Down. Select Restart from the drop down list and click OK. Windows will restart. Press F8 when you see the following text at the bottom of the screen "For troubleshooting and advanced startup options for Windows 2000, press F8". In the Windows 2000 Advanced Options Menu select the top option 'Safe Mode'.
Renaming the registry editor and editing the registry
You will need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
Using Windows Explorer, browse to the Windows folder (usually C:\Windows or C:\Winnt), right-click Regedit.exe and make a copy of it. Rename the copy of Regedit.exe to Regedit.com. (The worm hijacks the .exe file association, so running Regedit.exe directly would launch the worm; a .com copy is not affected.)
At the taskbar, click Start|Run. Type 'REGEDIT.COM' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winsock = "<System>\svch0st.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\winsock = "<System>\svch0st.exe"
and delete them if they exist.
The worm will have added itself to this HKEY_CLASSES_ROOT entry
HKCR\exefile\shell\open\command\(default) = <System>\svch0st.exe "%1" %*
delete only the path to the worm. Do not delete anything else.
After deleting the text the key should look like this
HKCR\exefile\shell\open\command\(default) = "%1" %*
Close the registry editor.
Removing the worm with SAV32CLI
Either run SAV32CLI from the Sophos CD or download an emergency copy of SAV32CLI on an uninfected computer, extract it and write it to CD.
At the infected computer, place the CD in the CD drive (D: in this example) and the floppy disk with the IDEs in the floppy disk drive (A: in this example). Then select Start|Run and type 'Cmd'. At the command prompt which opens type
D:
to access the CD drive. If you are using the Sophos CD, type:
CD WIN32\I386\SAV32CLI
If you are using a SAV32CLI download disk, type:
CD SAV32CLI
Then type:
SAV32CLI -IDEDIR=A:\ -REMOVE -P=C:\LOGFILE.TXT
to remove the worm.
Editing Win.ini
At the taskbar, click Start|Run and type Sysedit. Bring Win.ini to the front. In the [windows] section, search for lines beginning with 'Run=' or 'Load=' and delete any references to the files you removed. Delete only that reference, not any other text.
Reboot your computer.
Other platforms
Please read the instructions for removing worms.
More Information
W32/Sage-A is a worm that spreads through email attachments. The emails have the following characteristics:
Subject Line: UPDATE
Message Text:
ICQ Pro 2003a beta build 3800 popular pick
-----------------------------------------------
Download Now Free download 3.79MB
More download links
Downloads: 226,715,753
Publisher: ICQ
Date added: March 30, 2003
File size: 3.79MB; Clock this download
License: Free
Minimum requirements: Windows (all)
Uninstaller included?: Yes
------------------------------------------------
Publisher's Description
ICQ Pro 2003a is the latest release of ICQ, the instant-messaging program that lets you communicate with friends and colleagues in real time. To seek out a friend on the ICQ network, simply enter his or her ICQ number, name, nickname, or e-mail address. Once your contact list is set up, you'll be notified when your friends are online so you can chat; send instant messages, files, and URLs; play games; or just hang out.
ICQ Pro 2003a includes ICQphone, a feature that incorporates IP telephony functions into the ICQ program. Users can initiate and participate in PC-to-PC and PC-to-phone calls. In addition, users can also utilize SMS technology, send wireless-pager messages, view up-to-date information on ICQ channels, and integrate ICQ with Outlook.
With the latest version of ICQ, you can move instantly from the Pro to Lite versions just by clicking "Switch to ICQ lite" from the Main menu, and the shared ICQ preferences and password make it easy to move between Lite and Pro versions without losing your settings. Other new features include improved e-mail integration and user interface, enhanced integration with Windows XP, automatic firewall detection, and the new Search Google window which allows you instant access to Google searches through the ICQ interface, plus much more. For a complete list of new features, visit the ICQ New Features page.
Attached file: ICQ2003a.exe
Upon execution, the worm drops a copy of itself as svch0st.exe, and another component as WinSocks.Dll, to the Windows System folder and then removes itself from the current folder.
W32/Sage-A sets the following registry entries so that it is run on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winsock = "<System>\svch0st.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\winsock = "<System>\svch0st.exe"
In addition, the worm adds the following entry to win.ini to run itself on startup:
run=<System>\svch0st.exe
The W32/Sage-A worm also modifies the following registry entry so that it is run whenever an executable is run:
HKCR\exefile\shell\open\command = "<System>\svch0st.exe "%1" %*"
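The persistence entries listed above are the same ones the manual removal steps in the Action section tell you to edit by hand (delete the Run/RunServices values, strip only the worm path from the exefile open command, and remove the run= reference from win.ini). The following script is an added example, not Sophos code and not part of the original analysis: it reads a Regedit "Export Registry File" backup and a win.ini, reports every entry that references the dropped files named on this page (svch0st.exe, WinSocks.Dll), and computes the cleaned value for each so the edit can be checked before it is made. The registry export and win.ini contents are constructed samples, and the C:\WINDOWS\System32 system folder is an assumed path.

```python
import configparser
import re

# Constructed sample of a Regedit export from an infected machine (not a real capture).
# In .reg files, backslashes and quotes inside string data are escaped with a backslash.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"winsock"="C:\\WINDOWS\\System32\\svch0st.exe"
"SomethingLegit"="C:\\Program Files\\Legit\\legit.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"winsock"="C:\\WINDOWS\\System32\\svch0st.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\System32\\svch0st.exe \"%1\" %*"
'''

# Constructed sample win.ini; only the [windows] run=/load= lines matter here.
SAMPLE_WIN_INI = r'''[windows]
load=
run=C:\WINDOWS\System32\svch0st.exe
NullPort=None

[Desktop]
Wallpaper=(None)
'''

WORM_FILES = ('svch0st.exe', 'winsocks.dll')   # components dropped by the worm (from the analysis)
RUN_KEYS = (
    r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
    r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices',
)
EXEFILE_KEY = r'HKEY_CLASSES_ROOT\exefile\shell\open\command'
CLEAN_EXEFILE_COMMAND = '"%1" %*'   # what the default value must look like after cleaning


def parse_reg_export(text):
    """Parse the REG_SZ subset of the .reg format into {key: {value_name: data}}.
    The (Default) value is stored under the empty-string name."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and '=' in line and line.endswith('"'):
            name_part, data_part = line.split('=', 1)
            name = '' if name_part == '@' else name_part.strip('"')
            # undo the .reg escaping: \\ -> \ and \" -> "
            keys[current][name] = re.sub(r'\\(.)', r'\1', data_part[1:-1])
    return keys


def references_worm(data):
    low = data.lower()
    return any(name in low for name in WORM_FILES)


def clean_exefile_command(data):
    """Strip only the worm path, keeping the "%1" %* Windows needs to launch .exe files."""
    idx = data.find('"%1"')
    return data[idx:] if idx != -1 else CLEAN_EXEFILE_COMMAND


def clean_win_ini_line(value):
    """Remove only worm references from a run=/load= value; entries in win.ini are
    separated by spaces or commas (8.3 names), so paths with spaces are not expected."""
    parts = [p for p in re.split(r'[ ,]+', value.strip()) if p]
    return ' '.join(p for p in parts if not references_worm(p))


def find_registry_indicators(keys):
    """Return (key, value_name, data, recommended action) for each worm entry."""
    findings = []
    lookup = {k.lower(): v for k, v in keys.items()}   # registry paths are case-insensitive
    for key in RUN_KEYS:
        for name, data in lookup.get(key.lower(), {}).items():
            if references_worm(data):
                findings.append((key, name, data, 'delete value'))
    default = lookup.get(EXEFILE_KEY.lower(), {}).get('', '')
    if references_worm(default):
        findings.append((EXEFILE_KEY, '(default)', default,
                         'set to ' + clean_exefile_command(default)))
    return findings


def find_win_ini_indicators(text):
    cp = configparser.ConfigParser(strict=False, allow_no_value=True, interpolation=None)
    cp.read_string(text)
    findings = []
    if cp.has_section('windows'):
        for opt in ('run', 'load'):
            value = cp['windows'].get(opt) or ''
            if references_worm(value):
                findings.append(('win.ini [windows]', opt, value,
                                 'set to ' + repr(clean_win_ini_line(value))))
    return findings


def triage(reg_text, ini_text):
    return find_registry_indicators(parse_reg_export(reg_text)) + find_win_ini_indicators(ini_text)


if __name__ == '__main__':
    for key, name, data, action in triage(SAMPLE_REG, SAMPLE_WIN_INI):
        print(f'{key}\\{name} = {data!r} -> {action}')
```

Run against a real export, the script only reports and never writes to the registry; the exefile value in particular is cleaned by keeping everything from "%1" onwards, which matches the page's instruction to delete only the path to the worm and nothing else.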
W32/Sage-A opens numerous ports on the local computer and connects to a remote computer. This might provide unauthorised backdoor access from a remote location.
W32/Sage-A runs in the background as a process and performs process stealthing, which makes it difficult to terminate the running process.
