Threat Description

NetSky.AC

Details

Aliases: NetSky.AC, I-Worm.NetSky.ad, W32/NetSky.AC@mm
Category: Malware
Type: Email-Worm
Platform: W32

Summary

NetSky.AC worm was found on May 3rd, 2004. Nearly 95% of the code in NetSky.AB is present in NetSky.AC.

Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to the General Removal Instructions for a general guide on alternative disinfection actions.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Technical Details

The worm's file is a packed PE executable 36864 bytes long.

Installation to system

Upon execution NetSky.AC copies itself as 'wserver.exe' to the Windows folder and adds a startup key for this file to the System Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "wserver" = "%WinDir%\wserver.exe"

where %WinDir% represents Windows folder name.

It also creates a mutex named "SkyNet-Sasser" to ensure that only one instance of the worm is running.

Email Spreading

The worm scans all hard drives from C: to Z: to harvest e-mail addresses. The worm looks for e-mail addresses in files with the following extensions:

.eml
.txt
.php
.cfg
.mbx
.mdx
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.pl
.htm
.html
.sht
.oft
.msg
.ods
.stm
.xls
.jsp
.wsh
.xml
.mht
.mmf
.nch
.ppt

Netsky.AC worm ignores e-mail addresses that contain any of the following strings:

icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abuse
messagelabs
skynet
andasoftwa
freeav
sophos
antivir
iruslis

The worm composes e-mail messages whose content varies. The sender of the message will appear to be any of the following:

support@sophos.com
support@norman.com
support@nai.com
support@symantec.com

The subject is fixed, always containing the text:

Escalation

The body will look like:

Dear user of (name)
  We have received several abuses:
  - Hundreds of infected e-Mails have been sent
 from your mail account by the new (Virus name) worm
  - Spam email has been relayed by the backdoor
 that the virus has created
 The malicious file uses your mail account to distribute
 itself. The backdoor that the worm opens allows remote attackers
 to gain the control of your computer. This new worm is spreading
 rapidly around the world now and it is a serios new threat that
 hits users.
 Due to this, we are providing you to remove the infection on your
 computer and to stop the spreading of the malware with a
 special desinfection tool attached to this mail.
 If you have problems with the virus removal file,
 please contact our support team at
 (Anti-Virus Vendor e-mail)
 Note that we do not accept html email messages.
 (Anti-Virus Team)

(Virus name) can be any of the following:

NetSky.AB
Sasser.B
Bagle.AB
Mydoom.F
MSBlast.B

(Anti-Virus Vendor e-mail) can be any of:

support@sophos.com
support@norman.com
support@nai.com
support@symantec.com

and (Anti-Virus Team) can be any of:

Sophos AntiVirus Research Team
Norman AntiVirus Research Team
MCAfee AntiVirus Research Team
Norton AntiVirus Research Team

Netsky.AC attaches its executable file to e-mails that it sends out. The attachment name has the following format:

Fix_(Virus name)_(number).cpl

where (number) will be a decimal number not greater than 32767.
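As an added example (not F-Secure's code), the message indicators described above (spoofed vendor sender, the fixed "Escalation" subject, and the Fix_(Virus name)_(number).cpl attachment name) turned into a mail-gateway check in Python; the sample messages are constructed, and the Message class and indicator labels are this example's own.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the description above: spoofed senders, fixed subject,
# lure virus names and the Fix_(Virus name)_(number).cpl attachment format.
SPOOFED_SENDERS = {
    "support@sophos.com", "support@norman.com",
    "support@nai.com", "support@symantec.com",
}
LURE_SUBJECT = "Escalation"
VIRUS_NAMES = {"NetSky.AB", "Sasser.B", "Bagle.AB", "Mydoom.F", "MSBlast.B"}
ATTACHMENT_RE = re.compile(r"^Fix_(?P<virus>[A-Za-z]+\.[A-Za-z]+)_(?P<num>\d+)\.cpl$")
MAX_NUMBER = 32767  # the description states the number is not greater than 32767

@dataclass
class Message:
    """Minimal view of an inbound mail: envelope sender, subject, attachment names (example-only type)."""
    sender: str
    subject: str
    attachments: list = field(default_factory=list)

def attachment_matches(name: str) -> bool:
    """True if an attachment name follows the worm's Fix_(Virus name)_(number).cpl format."""
    m = ATTACHMENT_RE.match(name)
    return bool(m) and m.group("virus") in VIRUS_NAMES and int(m.group("num")) <= MAX_NUMBER

def netsky_ac_indicators(msg: Message) -> list:
    """Return the NetSky.AC lure indicators present in a message, in a fixed order."""
    hits = []
    if msg.sender.strip().lower() in SPOOFED_SENDERS:
        hits.append("spoofed-vendor-sender")
    if msg.subject.strip() == LURE_SUBJECT:
        hits.append("escalation-subject")
    if any(attachment_matches(a) for a in msg.attachments):
        hits.append("fix-cpl-attachment")
    return hits

def is_netsky_ac_lure(msg: Message) -> bool:
    """Flag a message when the worm attachment is present together with at least one header indicator."""
    hits = netsky_ac_indicators(msg)
    return "fix-cpl-attachment" in hits and len(hits) >= 2

# Constructed sample messages (not real captures) exercising the checks.
SAMPLES = [
    Message("support@nai.com", "Escalation", ["Fix_Sasser.B_18273.cpl"]),        # full lure
    Message("alice@example.com", "Escalation", ["report.pdf"]),                  # subject only
    Message("support@symantec.com", "Escalation", ["Fix_Bagle.AB_40000.cpl"]),  # number out of range
]
```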
