The worm's file is a packed PE executable 36864 bytes long.
Installation to system
Upon execution NetSky.AC copies itself as 'wserver.exe' file to Windows folder and adds a startup key for this file into System Registry:
"wserver" = "%WinDir%\wserver.exe"
where %WinDir% represents Windows folder name.
And created a mutex name "SkyNet-Sasser" ro ensure only one instance of the worm is running.
The worm scans all hard drives from C: to Z: to harvest email addresses. The worm looks for email addresses in files with the following extensions:
Netsky.AC worm ignores email addresses that contain any of the following strings:
The worm composes different email message. The sender of the message will appear to be any of the following:
The subject is fixed, always containing the text:
The body will look like:
Dear user of (name)
We have received several abuses:
- Hundreds of infected emails have been sent
from your mail account by the new (Virus name) worm
- Spam email has been relayed by the backdoor
that the virus has created
The malicious file uses your mail account to distribute
itself. The backdoor that the worm opens allows remote attackers
to gain the control of your computer. This new worm is spreading
rapidly around the world now and it is a serios new threat that
Due to this, we are providing you to remove the infection on your
computer and to stop the spreading of the malware with a
special desinfection tool attached to this mail.
If you have problems with the virus removal file,
please contact our support team at
(Anti-Virus Vendor email)
Note that we do not accept html email messages.
(Virus name) can be any of the following:
(Anti-Virus Vendor email) any of:
And (Anti-Virus Team) any of:
Sophos AntiVirus Research Team
Norman AntiVirus Research Team
MCAfee AntiVirus Research Team
Norton AntiVirus Research Team
Netsky.AC attaches its executable file to emails that it sends out. The attachment name has the following format:
where (number) will be a decimal number not greater then 32767.