
Worm:W32/NetSky.AC

Classification

Category:Malware
Type:Email-Worm
Aliases:

NetSky.AC, I-Worm.NetSky.ad, W32/NetSky.AC@mm

Summary

NetSky.AC worm was found on May 3rd, 2004. Nearly 95% of the code in NetSky.AB is present in NetSky.AC.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm's file is a packed PE executable 36864 bytes long.

Installation to system

Upon execution, NetSky.AC copies itself to the Windows folder as 'wserver.exe' and adds a startup key for this file to the System Registry:

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "wserver" = "%WinDir%\wserver.exe" 

where %WinDir% represents the Windows folder name.

It also creates a mutex named "SkyNet-Sasser" to ensure that only one instance of the worm is running.

Email Spreading

The worm scans all hard drives from C: to Z: to harvest email addresses. The worm looks for email addresses in files with the following extensions:

 .eml .txt .php .cfg .mbx .mdx .asp .wab .doc .vbs .rtf .uin .shtm .cgi .dhtm .adb .tbb .dbx .pl .htm .html .sht .oft .msg .ods .stm .xls .jsp .wsh .xml .mht .mmf .nch .ppt 

Netsky.AC worm ignores email addresses that contain any of the following strings:

 icrosoft antivi ymantec spam avp f-secur itdefender orman cafee aspersky f-pro orton fbi abuse messagelabs skynet andasoftwa freeav sophos antivir iruslis 

The worm composes email messages with varying content. The sender address is spoofed so that the message appears to come from any of the following:

 support@sophos.com support@norman.com support@nai.com support@symantec.com 

The subject is fixed, always containing the text:

 Escalation 

The body will look like:

 Dear user of (name)
 
 We have received several abuses:
 
 - Hundreds of infected emails have been sent from your mail account by the new (Virus name) worm
 - Spam email has been relayed by the backdoor that the virus has created
 
 The malicious file uses your mail account to distribute itself. The backdoor that the worm opens allows remote attackers to gain the control of your computer. This new worm is spreading rapidly around the world now and it is a serios new threat that hits users. Due to this, we are providing you to remove the infection on your computer and to stop the spreading of the malware with a special desinfection tool attached to this mail. If you have problems with the virus removal file, please contact our support team at (Anti-Virus Vendor email)
 
 Note that we do not accept html email messages.
 
 (Anti-Virus Team)

(Virus name) can be any of the following:

 NetSky.AB Sasser.B Bagle.AB Mydoom.F MSBlast.B 

(Anti-Virus Vendor email) can be any of:

 support@sophos.com support@norman.com support@nai.com support@symantec.com 

And (Anti-Virus Team) can be any of:

 Sophos AntiVirus Research Team
 Norman AntiVirus Research Team
 MCAfee AntiVirus Research Team
 Norton AntiVirus Research Team

Netsky.AC attaches its executable file to the emails it sends out. The attachment name has the following format:

 Fix_(Virus name)_(number).cpl 

where (number) is a decimal number not greater than 32767.
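As an added example (not part of F-Secure's description or tooling), the following Python checks one mail message for the indicators described above: a spoofed vendor sender address, the fixed "Escalation" subject, and an attachment named Fix_(Virus name)_(number).cpl with the number at most 32767. The message it runs on is constructed for the example, not a real capture.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators taken from the description above.
SPOOFED_SENDERS = {"support@sophos.com", "support@norman.com",
                   "support@nai.com", "support@symantec.com"}
VIRUS_NAMES = ["NetSky.AB", "Sasser.B", "Bagle.AB", "Mydoom.F", "MSBlast.B"]
# Fix_(Virus name)_(number).cpl, where number is decimal and at most 32767.
ATTACHMENT_RE = re.compile(
    r"^Fix_(" + "|".join(re.escape(n) for n in VIRUS_NAMES) + r")_(\d{1,5})\.cpl$",
    re.IGNORECASE)

def attachment_matches(name):
    """True if a filename has the worm's Fix_<name>_<number>.cpl shape."""
    m = ATTACHMENT_RE.match(name or "")
    return bool(m) and int(m.group(2)) <= 32767

def netsky_ac_indicators(raw_message):
    """Return the names of the indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []
    if parseaddr(msg.get("From", ""))[1].lower() in SPOOFED_SENDERS:
        hits.append("spoofed-av-sender")
    if (msg.get("Subject") or "").strip() == "Escalation":
        hits.append("subject-escalation")
    for part in msg.walk():          # get_filename() is None for non-attachments
        if attachment_matches(part.get_filename()):
            hits.append("fix-cpl-attachment")
            break
    return hits

# Constructed sample message shaped like the description (not a real capture).
SAMPLE = """\
From: "Sophos AntiVirus Research Team" <support@sophos.com>
To: user@example.com
Subject: Escalation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear user of example.com ...
--b1
Content-Type: application/octet-stream; name="Fix_Sasser.B_1234.cpl"
Content-Disposition: attachment; filename="Fix_Sasser.B_1234.cpl"

AAAA
--b1--
"""

if __name__ == "__main__":
    # prints ['spoofed-av-sender', 'subject-escalation', 'fix-cpl-attachment']
    print(netsky_ac_indicators(SAMPLE))
```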
