Need help? Ask the community or hire an expert.
Go to Avira Answers
Alias:WORM_NETSKY.AC, W32/Netsky-AC, Win32.Netsky.AC
Size:18,432 Bytes/ 36,864 Bytes 
Damage:Sent by email 
VDF Version: 

DistributionIt spreads by email, using its own SMTP engine.

Technical DetailsThe worm has 2 components: .CPL file and .EXE file. When the .CPL file is run, the worm is copied in %WinDIR%\comp.cpl, the .exe file is copied in %WinDIR%\wserver.exe and run. After starting WSERVER.EXE, the worm checks for another active task. It copies itself in %WinDIR%\wserver.exe and makes the following registry entry, to be run by the next system start:


The following registry entries will be deleted:




The worm searches on drives C to Z, except for the CD-ROM drive, and collects e-mail addresses from all files with the extension:
- .eml
- .txt
- .php
- .cfg
- .mbx
- .mdx
- .asp
- .wab
- .doc
- .vbs
- .rtf
- .uin
- .shtm
- .cgi
- .dhtm
- .adb
- .tbb
- .dbx
- .pl
- .htm
- .html
- .sht
- .oft
- .msg
- .ods
- .stm
- .xls
- .jsp
- .wsh
- .xml
- .mht
- .mmf
- .nch
- .ppt

The worm ignores the e-mail addresses named:

- icrosoft
- antivi
- ymantec
- spam
- avp
- f-secur
- itdefender
- orman
- cafee
- aspersky
- f-pro
- orton
- fbi
- abuse
- messagelabs
- skynet
- andasoftwa
- freeav
- sophos
- antivir
- iruslis

It tries to use the DNS server to obtain the IP address of the e-mail server. For example, when the e-mail address is, it tries to obtain the IP address of the server If it fails, it tries to use one of the following DNS servers:

It uses its own SMTP engine to send itself to and to all e-mail addresses it found on the infected system. The mail has the following characteristics:


From: (one of the following)


Dear user of %email.server%,
We have received several abuses:
- Hundreds of infected e-Mails have been sent
from your mail account by the new %random.Virus.Name% worm
- Spam email has been relayed by the backdoor
that the virus has created
The malicious file uses your mail account to distribute
itself. The backdoor that the worm opens allows remote attackers
to gain the control of your computer. This new worm
is spreading rapidly around the world now
and it is a serios new threat that hits users.
Due to this, we are providing you to remove the
infection on your computer and to
stop the spreading of the malware with a
.special desinfection tool attached to this mail.
If you have problems with the virus removal file,
please contact our support team at %from.address%.
Note that we do not accept html email messages.


%randomname1% is a Variable. It can have the following names:

- NetSky.AB
- Sasser.B
- Beagle.AB
- Mydoom.F
- MSBlast.B

%randomname2% is a decimal number between 0 and 32767.
for example: Attachment Fix_Beagle.AB_12345.cpl
Description inserted by Crony Walker on Sunday, March 20, 2005

Back . . . .