W32/Netsky-AC

Discussion in 'malware problems & news' started by Marianna, May 3, 2004.

Thread Status:
Not open for further replies.
  1. Marianna (Spyware Fighter)

    Type: Win32 worm

    Description
    W32/Netsky-AC is a mass mailing worm. The worm copies itself to the Windows folder as comp.cpl and creates a helper component wserver.exe in the same folder. W32/Netsky-AC sets the following registry entry to ensure it is run on user logon:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    wserver = wserver.exe

    Emails sent by W32/Netsky-AC have the following characteristics:

    Subject line:

    Escalation

    Message text:

    Dear user of <harvested domain name>

    We have received several abuses:

    - Hundreds of infected e-Mails have been sent
    from your mail account by the new worm <virus name>
    - Spam email has been relayed by the backdoor
    that the virus has created

    The malicious file uses your mail account to distribute
    itself. The backdoor that the worm opens allows remote attackers
    to gain the control of your computer. This new worm
    is spreading rapidly around the world now
    and it is a serios new threat that hits users.

    Due to this, we are providing you to remove the
    infection on your computer and to
    stop the spreading of the malware with a
    special desinfection tool attached to this mail.

    If you have problems with the virus removal file,
    please contact our support team at

    support@<anti-virus domain>

    Note that we do not accept html email messages.

    <anti-virus vendor> AntiVirus Research Team
    Attach: Fix_<virus name>_<random number>.cpl

    Note:

    <anti-virus vendor> is selected from the following:

    Sophos
    MCAfee
    Norman
    Norton

    <anti-virus domain> is selected from the following:

    sophos.com
    symantec.com
    nai.com
    norman.com

    <virus name> is selected from the following:

    NetSky.AB
    Sasser.B
    Bagle.AB
    Mydoom.F
    MSBlast.B

    Attachment Name:

    Fix_<virus name>_<random number>.cpl

    Sophos researchers have also discovered that hidden inside the code of Netsky-AC is the following text, directed towards anti-virus companies:

    Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet...

    http://www.sophos.com/virusinfo/analyses/w32netskyac.html
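The lure characteristics listed above (fixed subject line, a forged anti-virus "Research Team" signature, and a `Fix_<virus name>_<random number>.cpl` attachment) are stable enough to match at a mail gateway. The following is an added example, not code from the Sophos analysis or from this post: it parses an RFC 822 message with Python's standard `email` package and reports which Netsky-AC indicators are present. The sample messages it builds are constructed for the demonstration; the indicator strings and name lists come from the description above.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators taken from the W32/Netsky-AC description above.
LURE_SUBJECT = "Escalation"
VIRUS_NAMES = ["NetSky.AB", "Sasser.B", "Bagle.AB", "Mydoom.F", "MSBlast.B"]
VENDORS = ["Sophos", "MCAfee", "Norman", "Norton"]
ATTACHMENT_RE = re.compile(
    r"^Fix_(" + "|".join(re.escape(n) for n in VIRUS_NAMES) + r")_\d+\.cpl$",
    re.IGNORECASE,
)


def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw message bytes the way a gateway filter would receive them."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def netsky_ac_indicators(msg: EmailMessage) -> list:
    """Return the Netsky-AC lure indicators found in a parsed message."""
    hits = []
    if str(msg.get("Subject", "")).strip() == LURE_SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if "AntiVirus Research Team" in text and any(v in text for v in VENDORS):
        hits.append("fake-vendor-signature")
    if "special desinfection tool" in text:  # misspelling is part of the lure
        hits.append("lure-phrase")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_RE.match(name):
            hits.append("attachment:" + name)
        elif name.lower().endswith(".cpl"):
            # Any .cpl attachment is suspicious; reported separately so a
            # policy can quarantine it even when the name pattern changes.
            hits.append("cpl-attachment:" + name)
    return hits


def is_netsky_ac_lure(msg: EmailMessage) -> bool:
    """Flag on the attachment pattern alone, or on subject plus forged signature."""
    hits = netsky_ac_indicators(msg)
    has_attachment = any(h.startswith("attachment:") for h in hits)
    return has_attachment or ("subject" in hits and "fake-vendor-signature" in hits)


def build_sample(subject: str, text: str, attachment_name: str = None) -> bytes:
    """Construct a test message (optionally with an empty attachment) as bytes."""
    msg = EmailMessage()
    msg["From"] = "support@example.invalid"  # constructed sender
    msg["To"] = "user@example.invalid"       # constructed recipient
    msg["Subject"] = subject
    msg.set_content(text)
    if attachment_name is not None:
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def build_lure_sample(virus: str, vendor: str, number: int) -> bytes:
    """Constructed message mimicking the lure text quoted in the description."""
    text = (
        "Dear user of example.invalid\n\n"
        "We have received several abuses:\n\n"
        "- Hundreds of infected e-Mails have been sent\n"
        "from your mail account by the new worm " + virus + "\n\n"
        "Due to this, we are providing you to remove the infection\n"
        "with a special desinfection tool attached to this mail.\n\n"
        + vendor + " AntiVirus Research Team\n"
    )
    return build_sample(LURE_SUBJECT, text, "Fix_%s_%d.cpl" % (virus, number))


if __name__ == "__main__":
    lure = parse_message(build_lure_sample("Sasser.B", "Sophos", 4711))
    print(netsky_ac_indicators(lure), is_netsky_ac_lure(lure))
    benign = parse_message(build_sample("Escalation", "Ticket escalated to tier 2."))
    print(netsky_ac_indicators(benign), is_netsky_ac_lure(benign))
```

The subject line alone is not treated as a verdict, since "Escalation" is a plausible business subject; it only contributes when the forged vendor signature is also present, while the attachment name pattern is specific enough to flag on its own.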