F-Secure Virus Descriptions : NetSky.AC
NAME: NetSky.AC
ALIAS: I-Worm.NetSky.ad, W32/NetSky.AC@mm
The NetSky.AC worm was found on May 3rd, 2004. Nearly 95% of the code
of NetSky.AB is present in NetSky.AC.
The worm's file is a packed PE executable 36864 bytes long.
Installation to system
Upon execution NetSky.AC copies itself as 'wserver.exe' to the
Windows folder and adds a startup key for this file to the System
Registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wserver" = "%WinDir%\wserver.exe"
where %WinDir% represents the Windows folder.
The worm also creates a mutex named "SkyNet-Sasser" to ensure that only one
instance of the worm is running.
Email spreading
The worm scans all hard drives from C: to Z: to harvest e-mail
addresses. The worm looks for e-mail addresses in files with the
following extensions:
.eml
.txt
.php
.cfg
.mbx
.mdx
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.pl
.htm
.html
.sht
.oft
.msg
.ods
.stm
.xls
.jsp
.wsh
.xml
.mht
.mmf
.nch
.ppt
Netsky.AC worm ignores e-mail addresses that contain any of the
following strings:
icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abuse
messagelabs
skynet
andasoftwa
freeav
sophos
antivir
iruslis
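The address-harvesting and filtering logic described above, reimplemented in Python as an added example; this is not code from the worm or from F-Secure. It assumes a case-insensitive substring test for the ignore list (the truncated entries such as "icrosoft" suggest the worm at least tolerates either case of the initial letter) and a simple address regular expression; the sample text is constructed.

```python
import re

# Extensions the worm opens when looking for addresses (from the list above).
TARGET_EXTENSIONS = {
    ".eml", ".txt", ".php", ".cfg", ".mbx", ".mdx", ".asp", ".wab", ".doc",
    ".vbs", ".rtf", ".uin", ".shtm", ".cgi", ".dhtm", ".adb", ".tbb", ".dbx",
    ".pl", ".htm", ".html", ".sht", ".oft", ".msg", ".ods", ".stm", ".xls",
    ".jsp", ".wsh", ".xml", ".mht", ".mmf", ".nch", ".ppt",
}

# Substrings that cause an address to be discarded (from the list above).
IGNORE_SUBSTRINGS = [
    "icrosoft", "antivi", "ymantec", "spam", "avp", "f-secur", "itdefender",
    "orman", "cafee", "aspersky", "f-pro", "orton", "fbi", "abuse",
    "messagelabs", "skynet", "andasoftwa", "freeav", "sophos", "antivir",
    "iruslis",
]

# Deliberately simple address pattern; good enough for harvesting, not for validation.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_target_file(name):
    """True if the worm would open this file when looking for addresses."""
    dot = name.rfind(".")
    return dot != -1 and name[dot:].lower() in TARGET_EXTENSIONS


def is_ignored(address):
    """True if the address contains one of the avoided substrings.

    Assumption: the comparison is case-insensitive.
    """
    lowered = address.lower()
    return any(s in lowered for s in IGNORE_SUBSTRINGS)


def harvest(text):
    """Return the unique addresses the worm would keep, in order of appearance."""
    kept = []
    for addr in ADDRESS_RE.findall(text):
        if is_ignored(addr) or addr in kept:
            continue
        kept.append(addr)
    return kept


# Constructed sample, standing in for the contents of a .htm or .dbx file.
SAMPLE = """
<a href="mailto:alice@example.com">Alice</a>
Contact: bob.smith@example.org, again bob.smith@example.org
support@Microsoft.com  virus@Symantec.com  abuse@example.net
carol@example.co.uk  noreply@sophos.com  dave@skynet.be
"""

if __name__ == "__main__":
    for name in ("inbox.dbx", "notes.TXT", "photo.jpg"):
        print(name, is_target_file(name))
    print(harvest(SAMPLE))
```

Of the eight addresses in the sample only three survive the filter: everything belonging to an anti-virus vendor, an abuse desk or the "skynet" string is dropped, which is why vendors rarely received copies of the worm from infected machines.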
The worm composes e-mail messages with varying content. The sender
address is forged so that the message appears to come from one of the following:
support@sophos.com
support@norman.com
support@nai.com
support@symantec.com
The subject is fixed, always containing the text:
Escalation
The body will look like:
Dear user of (name)
We have received several abuses:
- Hundreds of infected e-Mails have been sent
from your mail account by the new (Virus name) worm
- Spam email has been relayed by the backdoor
that the virus has created
The malicious file uses your mail account to distribute
itself. The backdoor that the worm opens allows remote attackers
to gain the control of your computer. This new worm is spreading
rapidly around the world now and it is a serios new threat that
hits users.
Due to this, we are providing you to remove the infection on your
computer and to stop the spreading of the malware with a
special desinfection tool attached to this mail.
If you have problems with the virus removal file,
please contact our support team at
(Anti-Virus Vendor e-mail)
Note that we do not accept html email messages.
(Anti-Virus Team)
(Virus name) can be any of the following:
NetSky.AB
Sasser.B
Bagle.AB
Mydoom.F
MSBlast.B
(Anti-Virus Vendor e-mail) any of:
support@sophos.com
support@norman.com
support@nai.com
support@symantec.com
And (Anti-Virus Team) any of:
Sophos AntiVirus Research Team
Norman AntiVirus Research Team
MCAfee AntiVirus Research Team
Norton AntiVirus Research Team
Netsky.AC attaches its executable file to the e-mails that it sends
out. The attachment name has the following format:
Fix_(Virus name)_(number).cpl
where (number) is a decimal number not greater than 32767.
A .cpl file is a Control Panel applet, a PE DLL that Windows loads and
executes when it is opened, so the "Fix_" name is pure social engineering:
opening the supposed removal tool runs the worm.
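A mail-gateway check for the message format described above, written in Python as an added example; it is not F-Secure's detection and not code from the worm. It parses a message with the standard library, looks for the forged sender, the "Escalation" subject and the Fix_(Virus name)_(number).cpl attachment name, and builds its own constructed sample messages (the attachment bytes are a dummy, not the worm). The case-insensitive match on the attachment name is an assumption made for robustness, not something the description states.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Forged sender addresses from the description above.
SPOOFED_SENDERS = {
    "support@sophos.com", "support@norman.com",
    "support@nai.com", "support@symantec.com",
}
VIRUS_NAMES = ["NetSky.AB", "Sasser.B", "Bagle.AB", "Mydoom.F", "MSBlast.B"]

# Fix_(Virus name)_(number).cpl with number <= 32767, so at most five digits.
ATTACHMENT_RE = re.compile(
    r"^Fix_(" + "|".join(re.escape(n) for n in VIRUS_NAMES) + r")_(\d{1,5})\.cpl$",
    re.IGNORECASE,  # assumption: tolerate case changes in later variants
)


def attachment_matches(filename):
    """True if the name follows the worm's attachment naming scheme."""
    m = ATTACHMENT_RE.match(filename or "")
    return bool(m) and int(m.group(2)) <= 32767


def classify(raw):
    """Return the list of NetSky.AC indicators present in a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if parseaddr(msg.get("From", ""))[1].lower() in SPOOFED_SENDERS:
        hits.append("spoofed-av-sender")
    if "escalation" in msg.get("Subject", "").lower():
        hits.append("subject-escalation")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if attachment_matches(name):
            hits.append("netsky-fix-attachment")
        elif name.lower().endswith(".cpl"):
            # Any .cpl attachment is executable code and worth flagging on its own.
            hits.append("cpl-attachment")
    return hits


def is_netsky_ac(raw):
    """Quarantine decision: the attachment pattern together with the fixed subject."""
    hits = classify(raw)
    return "netsky-fix-attachment" in hits and "subject-escalation" in hits


def build_sample(sender, subject, filename):
    """Constructed test message; the attachment payload is a dummy MZ stub."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("Dear user of example.com\nWe have received several abuses: ...")
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()


WORM_MAIL = build_sample("support@sophos.com", "Escalation", "Fix_NetSky.AB_1234.cpl")
BENIGN_MAIL = build_sample("alice@example.com", "Escalation procedure", "report.pdf")

if __name__ == "__main__":
    print(classify(WORM_MAIL), is_netsky_ac(WORM_MAIL))
    print(classify(BENIGN_MAIL), is_netsky_ac(BENIGN_MAIL))
```

The decision deliberately rests on the attachment name plus the subject rather than on the forged sender, since a legitimate vendor mail can carry that From address while no legitimate vendor ships a removal tool as a .cpl attachment.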
Detection of NetSky.AC worm was published on May 3rd, 2004 in
the following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2004-05-03_01
Technical Details:
Ero Carrera, May 4th, 2004;
F-Secure Corporation