WORM_SAVAGE.A is a non-destructive, memory-resident worm that propagates via email and through peer-to-peer (P2P) networks. It spreads via email by sending copies of itself with the file name TMP.ZIP to target addresses. It gathers target recipients from an affected system's Windows Address Book (WAB). This worm is currently spreading in-the-wild and infecting systems running Windows 95, 98, ME, 2000, XP, and Server 2003. This worm also propagates by dropping a copy of itself in accessible network shares, enabling other users to download this worm. However, on systems using the P2P applications, LimeWire and eDonkey2000, this worm drops its copy in locations specific to these applications. This worm utilizes a common social engineering technique to avoid early detection. It uses file names that usually pertain to legitimate software, such as Nero and winamp5. Thus, this worm tricks users into thinking that it is a harmless file, possibly affecting its prolonged presence on the system. It modifies the affected system's HOSTS file by appending a list of URLs, which are related to antivirus and security applications, to the said file. It directs the said URLs to the local machine, preventing the user from accessing the listed Web sites. This worm has backdoor capabilities that connect to a remote Web site, where it awaits for commands from a remote malicious user, such as the downloading of files that may be malicious. It then executes the said commands locally, therefore compromising the machine's security. This worm also carries a malware retaliation routine, particularly against NETSKY, BLASTER, MYDOOM, BAGLE, and SOBIG variants. It removes the corresponding registry entries of the said variants if found on the system. If you would like to scan your computer for WORM_SAVAGE.A, or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/. WORM_SAVAGE.A is detected and cleaned by Trend Micro pattern file #2.813.00 and above.