WORM_NETSKY.AC, W32/Netsky-AC, Win32.Netsky.AC
18,432 bytes / 36,864 bytes
Sent by email
It spreads by email, using its own SMTP engine.
The worm has two components: a .CPL file and an .EXE file. When the .CPL file is run, the worm is copied to %WinDIR%\comp.cpl, and the .exe file is copied to %WinDIR%\wserver.exe and run. After WSERVER.EXE starts, the worm checks for another active task. It copies itself to %WinDIR%\wserver.exe and creates the following registry entry so that it runs at the next system start:
The following registry entries will be deleted:
The worm searches on drives C to Z, except for the CD-ROM drive, and collects e-mail addresses from all files with the extension:
The worm ignores the e-mail addresses named:
It tries to use the DNS server to obtain the IP address of the e-mail server. For example, when the e-mail address is firstname.lastname@example.org, it tries to obtain the IP address of the server hostname.com. If it fails, it tries to use one of the following DNS servers:
It uses its own SMTP engine to send itself to email@example.com and to all e-mail addresses it found on the infected system. The mail has the following characteristics:
From: (one of the following)
Dear user of %email.server%,
We have received several abuses:
- Hundreds of infected e-Mails have been sent
from your mail account by the new %random.Virus.Name% worm
- Spam email has been relayed by the backdoor
that the virus has created
The malicious file uses your mail account to distribute
itself. The backdoor that the worm opens allows remote attackers
to gain the control of your computer. This new worm
is spreading rapidly around the world now
and it is a serios new threat that hits users.
Due to this, we are providing you to remove the
infection on your computer and to
stop the spreading of the malware with a
.special desinfection tool attached to this mail.
If you have problems with the virus removal file,
please contact our support team at %from.address%.
Note that we do not accept html email messages.
%randomname1% is a variable. It can have the following names:
%randomname2% is a decimal number between 0 and 32767.
For example: attachment Fix_Beagle.AB_12345.cpl
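A mail-gateway check built from the indicators described above, as an added example (not Avira's code): it flags attachments named like `<name>_<0..32767>.cpl` and counts two phrases from the quoted message body. The function names and the sample message are constructed for illustration; the %randomname1% values are not listed here, so any name prefix is accepted.

```python
import re
from email import message_from_string

# <name>_<decimal>.cpl; the page gives the decimal range as 0..32767.
ATTACHMENT_RE = re.compile(r"^.+_(\d{1,5})\.cpl$", re.IGNORECASE)
# Phrases taken from the message body quoted on this page.
BODY_MARKERS = ("We have received several abuses",
                "desinfection tool attached to this mail")

def matches_attachment(filename):
    """True if filename looks like <name>_<0..32767>.cpl."""
    m = ATTACHMENT_RE.match(filename or "")
    return bool(m) and int(m.group(1)) <= 32767

def score_message(raw):
    """Return (attachment_hit, body_marker_hits) for a raw message."""
    attachment_hit, body_hits = False, 0
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        if matches_attachment(part.get_filename()):
            attachment_hit = True
        elif part.get_content_maintype() == "text":
            text = part.get_payload(decode=True).decode("latin-1")
            text = " ".join(text.split())  # undo line wrapping
            body_hits += sum(marker in text for marker in BODY_MARKERS)
    return attachment_hit, body_hits

# Constructed sample message (harmless placeholder attachment bytes).
SAMPLE = """\
From: support@mail.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Dear user of mail.example,
We have received several abuses:
stop the spreading of the malware with a
.special desinfection tool attached to this mail.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Fix_Beagle.AB_12345.cpl"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""
print(score_message(SAMPLE))  # (True, 2)
```

An attachment hit together with at least one body marker is a stronger signal than either alone, since other mail can legitimately carry numbered file names.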
Description inserted by Crony Walker on Sunday, March 20, 2005