Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: NONE
Payload: none listed
Detection files published: 01 May 2004 03:00:00
Description created: 02 May 2004 10:58:00
Description updated: 02 May 2004 10:58:00
Malware type: WORM
Alias: none listed
Spreading mechanism: EMAIL
Summary: None

W32/Netsky.AC@mm

Spreading

When the worm is executed, it copies its main component to the Windows folder (%WINDIR%) under the name WSERVER.EXE. It also creates a file called COMP.CPL, which is the worm's email component. To avoid running twice it creates a mutex named "SkyNet-Sasser".
Registry value created by the worm (gives it persistence across reboots):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  wserver = %WINDIR%\wserver.exe
Registry values deleted by the worm (persistence entries belonging to competing worms):
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  ssgrate.exe
  drvsys.exe
  Drvdll_exe
The mails sent by this worm appear to be security warnings from various AV vendors, with the sender forged as one of:
Sophos AntiVirus Research Team (support@sophos.com)
Lumension AntiVirus Research Team (support@norman.com)
McAfee AntiVirus Research Team (support@nai.com)
Norton AntiVirus Research Team (support@symantec.com)
The attached "fix" purportedly removes one of the following worms:
MSBlast.B
Mydoom.F
Bagle.AB
Sasser.B
NetSky.AB
Note that AV companies do not send removal tools out unsolicited in this fashion, and the attachment is a .cpl (Control Panel applet), i.e. an executable that runs when opened.
Mails may look like this (the misspellings are the worm's own and are reproduced verbatim):
Dear user of %user domain%,
We have received several abuses:
- Hundreds of infected e-Mails have been sent from your mail account by the new Bagle.AB worm
- Spam email has been relayed by the backdoor that the virus has created

The malicious file uses your mail account to distribute itself. The backdoor that the worm opens allows remote attackers
to gain the control of your computer. This new worm is spreading rapidly around the world now and it is a serios new threat that hits users.
Due to this, we are providing you to remove the infection on your computer and to stop the spreading of the malware with a special desinfection tool attached to this mail.

If you have problems with the virus removal file,
please contact our support team at support@norman.com.
Note that we do not accept html email messages.
 
Lumension AntiVirus Research Team
Attach: Fix_Bagle.AB_32072.cpl
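
The lure above and the persistence entry described under Spreading lend themselves to simple triage rules. The following is an added example, not code from the original advisory or from Lumension: it turns the page's indicators (forged sender addresses, the Fix_<worm>_<digits>.cpl attachment name, the lure's characteristic misspellings, and the wserver Run-key value) into two checks, one over a raw e-mail and one over a dump of Run-key values. The sample message embedded in the block is constructed for the demonstration and its attachment payload is a placeholder MZ header, not the worm.

```python
"""Triage helpers for the Netsky.AC lure (added example, not the advisory's own code)."""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message

# Forged sender addresses listed on this page.
FORGED_SENDERS = {
    "support@sophos.com",
    "support@norman.com",
    "support@nai.com",
    "support@symantec.com",
}

# Worm names the lure claims the attached "fix" removes (listed on this page).
CLAIMED_WORMS = {w.lower() for w in ("MSBlast.B", "Mydoom.F", "Bagle.AB", "Sasser.B", "NetSky.AB")}

# Attachment naming shown on this page: Fix_<worm>_<digits>.cpl
ATTACHMENT_RE = re.compile(r"^Fix_(?P<worm>[A-Za-z]+\.[A-Za-z]+)_\d+\.cpl$", re.IGNORECASE)

# Misspellings that appear verbatim in the lure body.
LURE_PHRASES = ("desinfection tool", "serios new threat")

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def _text_body(msg: Message) -> str:
    """Concatenate the decoded text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks)


def lure_indicators(raw_message: str) -> list[str]:
    """Return the Netsky.AC lure indicators present in a raw RFC 822 message.

    An empty list means none of the page's indicators matched. Any .cpl
    attachment is reason enough to quarantine on its own.
    """
    msg = message_from_string(raw_message)
    hits: list[str] = []

    # 1. Sender forged as an AV vendor's support address.
    addr = ADDR_RE.search(msg.get("From", ""))
    if addr and addr.group(0).lower() in FORGED_SENDERS:
        hits.append(f"forged sender {addr.group(0).lower()}")

    # 2. Control Panel applet attachment named like a removal tool.
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        m = ATTACHMENT_RE.match(name)
        if m:
            hits.append(f"cpl attachment {name}")
            if m.group("worm").lower() in CLAIMED_WORMS:
                hits.append(f"claims to fix {m.group('worm')}")
        elif name.lower().endswith(".cpl"):
            hits.append(f"cpl attachment {name}")

    # 3. Characteristic misspellings in the body text.
    body = _text_body(msg).lower()
    for phrase in LURE_PHRASES:
        if phrase in body:
            hits.append(f"lure phrase '{phrase}'")
    return hits


def persistence_indicators(run_values: dict[str, str]) -> list[str]:
    """Flag the Run-key value this page says the worm installs.

    `run_values` is a name -> data dump of HKLM\\...\\CurrentVersion\\Run,
    collected with whatever tooling is already in use (hypothetical input).
    """
    hits = []
    for name, data in run_values.items():
        if name.lower() == "wserver" or re.search(r"(^|\\)wserver\.exe$", data, re.IGNORECASE):
            hits.append(f"{name} = {data}")
    return hits


# Constructed sample modelled on the lure text above; the base64 blob is a
# bare MZ header placeholder, not malware.
SAMPLE_MESSAGE = """\
From: Lumension AntiVirus Research Team <support@norman.com>
To: user@example.org
Subject: Virus Alert
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Dear user of example.org,
We have received several abuses:
- Hundreds of infected e-Mails have been sent from your mail account by the new Bagle.AB worm
This new worm is spreading rapidly around the world now and it is a serios new threat that hits users.
Due to this, we are providing you a special desinfection tool attached to this mail.

--XYZ
Content-Type: application/octet-stream; name="Fix_Bagle.AB_32072.cpl"
Content-Disposition: attachment; filename="Fix_Bagle.AB_32072.cpl"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ--
"""

if __name__ == "__main__":
    for hit in lure_indicators(SAMPLE_MESSAGE):
        print(hit)
```

The sender check is deliberately weak on its own (anyone can forge a From: header, and real vendor mail may carry these addresses); the attachment and body checks are what make the rule actionable, and the .cpl extension should be blocked at the gateway regardless of the rest.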

Payload Details

n/a

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:12