WORM_NETSKY.AC - Description and solution

TrendLabs Malware Blog

Glossary

TrendWatch

TrendLabs Twitter

WORM_NETSKY.AC

Overview

Solution

Technical Details

Malware type: Worm

Aliases: Email-Worm.Win32.NetSky.ad (Kaspersky), W32/Netsky.ac@MM (McAfee), W32.Netsky.AC@mm (Symantec), Worm/Netsky.AC.Drp (Avira), W32/Netsky-AC (Sophos),

In the wild: No

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:
Damage potential:		High
Distribution potential:		High

Description:

This memory-resident worm propagates using its own Simple Mail Transfer Protocol (SMTP) engine. It obtains target email addresses from files with certain extension names, which it searches in drives C to Z (except for CD-ROM drives).

The email it sends may have the following details:

From: (any of the following)
support@<BLOCKED>i.com
support@no<BLOCKED>an.com
support@so<BLOCKED>os.com
support@s<BLOCKED>antec.com

Subject: Escalation

Message body:
Dear user of <domain>

We have received several abuses:

- Hundreds of infected e-Mails have been sent
from your mail account by the new <random malware> worm
- Spam email has been relayed by the backdoor
that the virus has created

The malicious file uses your mail account to distribute
itself. The backdoor that the worm opens allows remote attackers
to gain the control of your computer. This new worm
is spreading rapidly around the world now
and it is a serios new threat that hits users.

Due to this, we are providing you to remove the
infection on your computer and to
stop the spreading of the malware with a
special desinfection tool attached to this mail.

If you have problems with the virus removal file,
please contact our support team at <random email>.
Note that we do not accept html email messages.

<random vendor> AntiVirus Research Team
Attach: Fix_<random malware>_<random number>.cpl

Attachment:
Fix_<random malware>_<random number>.cpl

(Note: <domain> is the domain of the target email adress. <random malware> can be WORM_MSBLAST.B, WORM_MYDOOM.F, WORM_BAGLE.AB, WORM_SASSER.B, or WORM_NETSKY.AB. <random vendor> can be MCAfee, Norman, Norton, or Sophos. <random number> can be any 5-digit number combination.)

Below is a sample email message that this worm sends:

This is a sample email it sends out.

It drops COMP.CPL and WSERVER.EXE files in the Windows folder upon execution. It also deletes certain registry entries which WORM_BAGLE variants use.

This malware runs on Windows 95, 98, ME, NT, 2000, and XP.

For additional information about this threat, see:
Solution
Technical Details

Description created: May. 2, 2004 2:17:57 PM GMT -0800
Description updated: May. 3, 2004 8:57:41 AM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.