Alias: WORM_NETSKY.AC, W32/Netsky-AC, Win32.Netsky.AC
Type: Worm
Size: 18,432 Bytes / 36,864 Bytes
Origin: unknown
Date: 05-03-2004
Damage: Sent by email
VDF Version: 6.25.00.60
Danger: Low
Distribution: High

Distribution
It spreads by email, using its own SMTP engine.

Technical Details
The worm has two components, a .CPL file and an .EXE file. When the .CPL file is run, it copies itself to %WinDIR%\comp.cpl, drops the .EXE file as %WinDIR%\wserver.exe and runs it. After starting, WSERVER.EXE checks whether another instance of the worm is already running, copies itself to %WinDIR%\wserver.exe and creates the following registry entry so that it is started again at the next system start:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"wserver"="%WinDIR%\wserver.exe"

The following registry entries (autostart values in the current user's Run key) are deleted:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"ssgrate.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"drvsys.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Drvddll_exe"
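The persistence entry above is the easiest host indicator to check during triage. The following is an added example (not part of the Avira description) that parses a `reg export` of the Run keys and flags the value the worm writes. The export text is constructed for the example; a real export is UTF-16 with a BOM, so read it with the matching encoding before passing it in.

```python
"""Triage a `reg export` of the Run keys for the Netsky.AC autostart value.

Added example, not taken from the Avira description. The value name and
binary name come from the description; SAMPLE_EXPORT is constructed input
in the REGEDIT5 text format that reg.exe writes.
"""
import re

# Indicators from the description: the Run value name and the dropped binary.
IOC_VALUE_NAME = "wserver"
IOC_BINARY = "wserver.exe"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')

# Constructed export: one benign HKLM value, the worm's value, one HKCU value.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"wserver"="C:\\WINDOWS\\wserver.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''


def parse_reg_export(text):
    """Yield (key, name, data) for every REG_SZ value in a .reg export.

    reg.exe doubles backslashes in string data; undo that so the path
    compares against what the worm actually writes to the registry.
    """
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("data").replace("\\\\", "\\")


def find_netsky_ac_autostart(text):
    """Return (key, name, data) for every Run value matching the Netsky.AC entry.

    Matches on either the value name or the binary name, since the value
    name is trivially renamed in variants while the dropped file is not.
    """
    hits = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        if name.lower() == IOC_VALUE_NAME or data.lower().endswith("\\" + IOC_BINARY):
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_netsky_ac_autostart(SAMPLE_EXPORT):
        print(f"suspicious autostart: {key}\\{name} = {data}")
```

A hit here means the worm ran at least once with rights to write HKLM; confirm by checking for %WinDIR%\wserver.exe and %WinDIR%\comp.cpl on disk before cleaning the value.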

The worm searches on drives C to Z, except for the CD-ROM drive, and collects e-mail addresses from all files with the extension:
- .eml
- .txt
- .php
- .cfg
- .mbx
- .mdx
- .asp
- .wab
- .doc
- .vbs
- .rtf
- .uin
- .shtm
- .cgi
- .dhtm
- .adb
- .tbb
- .dbx
- .pl
- .htm
- .html
- .sht
- .oft
- .msg
- .ods
- .stm
- .xls
- .jsp
- .wsh
- .xml
- .mht
- .mmf
- .nch
- .ppt

The worm skips any harvested address that contains one of the following substrings:

- icrosoft
- antivi
- ymantec
- spam
- avp
- f-secur
- itdefender
- orman
- cafee
- aspersky
- f-pro
- orton
- fbi
- abuse
- messagelabs
- skynet
- andasoftwa
- freeav
- sophos
- antivir
- iruslis

It uses the system's DNS server to find the mail server responsible for the recipient's domain. For example, for the address someone@hostname.com it looks up the mail server for hostname.com. If that lookup fails, it falls back to one of the following hard-coded DNS servers:
- 212.44.160.8
- 195.185.185.195
- 151.189.13.35
- 213.191.74.19
- 193.189.244.205
- 145.253.2.171
- 193.141.40.42
- 193.193.144.12
- 217.5.97.137
- 195.20.224.234
- 194.25.2.130
- 194.25.2.129
- 212.185.252.136
- 212.185.253.70
- 212.185.252.73
- 62.155.255.16
- 194.25.2.134
- 194.25.2.133
- 194.25.2.132
- 194.25.2.131
- 193.193.158.10
- 212.7.128.165
- 212.7.128.162
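Two things in this section are visible on the network: a workstation talking SMTP directly (own SMTP engine, see Distribution above) and a workstation querying one of the hard-coded resolvers instead of the local DNS server. The following is an added example, not part of the Avira description, that runs both checks over constructed firewall log lines; the log format, the internal resolver 10.0.0.53 and the mail relay 10.0.0.25 are assumptions for the example.

```python
"""Flag Netsky.AC network behaviour in firewall connection logs.

Added example, not taken from the Avira description. The resolver list is
the fallback DNS list from the description; the log lines, their
key=value format and the internal resolver/relay addresses are constructed.
"""
import re
from collections import defaultdict

# Fallback DNS servers from the description.
NETSKY_RESOLVERS = {
    "212.44.160.8", "195.185.185.195", "151.189.13.35", "213.191.74.19",
    "193.189.244.205", "145.253.2.171", "193.141.40.42", "193.193.144.12",
    "217.5.97.137", "195.20.224.234", "194.25.2.130", "194.25.2.129",
    "212.185.252.136", "212.185.253.70", "212.185.252.73", "62.155.255.16",
    "194.25.2.134", "194.25.2.133", "194.25.2.132", "194.25.2.131",
    "193.193.158.10", "212.7.128.165", "212.7.128.162",
}

# Constructed log lines (assumed format): timestamp then key=value fields.
SAMPLE_LOG = [
    "2004-05-03T10:12:01 src=10.1.2.50 dst=10.0.0.53 proto=udp dport=53",
    "2004-05-03T10:12:03 src=10.1.2.50 dst=194.25.2.129 proto=udp dport=53",
    "2004-05-03T10:12:03 src=10.1.2.50 dst=212.7.128.165 proto=udp dport=53",
    "2004-05-03T10:12:05 src=10.1.2.77 dst=10.0.0.53 proto=udp dport=53",
    "2004-05-03T10:12:06 src=10.1.2.77 dst=213.191.74.19 proto=tcp dport=80",
    "2004-05-03T10:12:09 src=10.1.2.50 dst=64.12.138.161 proto=tcp dport=25",
    "2004-05-03T10:12:10 src=10.0.0.25 dst=64.12.138.161 proto=tcp dport=25",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return dict(FIELD_RE.findall(line))


def hosts_using_netsky_resolvers(lines):
    """Map each source host to the sorted list of worm resolvers it queried.

    Only DNS traffic (UDP/TCP port 53) counts; a web hit to one of these
    addresses (port 80 line above) is not the worm's lookup.
    """
    seen = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        if f.get("dport") == "53" and f.get("dst") in NETSKY_RESOLVERS:
            seen[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in seen.items()}


def direct_smtp_clients(lines, mail_servers):
    """Return hosts that open SMTP (port 25) connections but are not mail servers.

    Workstations normally hand mail to the relay; a client talking port 25
    itself matches the worm's own SMTP engine.
    """
    return {
        f["src"]
        for f in map(parse_line, lines)
        if f.get("dport") == "25" and f.get("proto") == "tcp"
        and f.get("src") not in mail_servers
    }


if __name__ == "__main__":
    print("fallback-resolver users:", hosts_using_netsky_resolvers(SAMPLE_LOG))
    print("direct SMTP clients:", direct_smtp_clients(SAMPLE_LOG, {"10.0.0.25"}))
```

In the sample, 10.1.2.50 trips both rules: it first asks the internal resolver, then two of the worm's servers, then sends mail directly, which is exactly the order the description gives. Blocking outbound port 25 and port 53 from workstations at the perimeter stops the worm from delivering mail even before the host is cleaned.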

It uses its own SMTP engine to send itself to gghjj@yahoo.com and to every e-mail address harvested from the infected system. The mail has the following characteristics:

Subject:
Escalation

From: (one of the following)

- support@symantec.com
- support@nai.com
- support@norman.com
- support@sophos.com

Message (reproduced as sent, including the worm's own typos):
Dear user of %email.server%,
We have received several abuses:
- Hundreds of infected e-Mails have been sent
from your mail account by the new %random.Virus.Name% worm
- Spam email has been relayed by the backdoor
that the virus has created
The malicious file uses your mail account to distribute
itself. The backdoor that the worm opens allows remote attackers
to gain the control of your computer. This new worm
is spreading rapidly around the world now
and it is a serios new threat that hits users.
Due to this, we are providing you to remove the
infection on your computer and to
stop the spreading of the malware with a
.special desinfection tool attached to this mail.
If you have problems with the virus removal file,
please contact our support team at %from.address%.
Note that we do not accept html email messages.

%randomname%


Attachment:
Fix_%randomname1%_%randomname2%.cpl
%randomname1% is a variable. It takes one of the following values:

- NetSky.AB
- Sasser.B
- Beagle.AB
- Mydoom.F
- MSBlast.B

%randomname2% is a decimal number between 0 and 32767.
For example: Fix_Beagle.AB_12345.cpl
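The fixed subject, the four spoofed sender addresses, the lure text and the attachment name pattern above are enough for a gateway rule. The following is an added example, not part of the Avira description, that parses a message with Python's standard email library and reports which indicators it carries; the two messages it builds are constructed test input, and the decision rule (block on the attachment pattern, or on any .cpl attachment plus one more indicator) is the example's own choice.

```python
"""Mail-gateway rule for the Netsky.AC lure described above.

Added example, not taken from the Avira description. Subject, sender list,
lure phrase and attachment pattern come from the description; the messages
built here are constructed test input and the scoring rule is our own.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

SPOOFED_SENDERS = {
    "support@symantec.com", "support@nai.com",
    "support@norman.com", "support@sophos.com",
}
# Fix_<one of five names>_<decimal>.cpl; the number is range-checked below.
ATTACHMENT_RE = re.compile(
    r"^Fix_(NetSky\.AB|Sasser\.B|Beagle\.AB|Mydoom\.F|MSBlast\.B)_(\d{1,5})\.cpl$",
    re.IGNORECASE,
)
LURE_PHRASE = "We have received several abuses"


def netsky_ac_indicators(raw):
    """Return the indicators found in one RFC 5322 message given as bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    if (msg["Subject"] or "").strip() == "Escalation":
        found.append("subject")
    if parseaddr(str(msg["From"] or ""))[1].lower() in SPOOFED_SENDERS:
        found.append("spoofed-sender")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and LURE_PHRASE in body.get_content():
        found.append("lure-text")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        m = ATTACHMENT_RE.match(name)
        if m and int(m.group(2)) <= 32767:
            found.append("attachment:" + name)
        elif name.lower().endswith(".cpl"):
            # Any Control Panel applet by mail is worth a look on its own.
            found.append("cpl-attachment:" + name)
    return found


def is_netsky_ac(raw):
    """Block on the exact attachment pattern, or on two indicators together."""
    found = netsky_ac_indicators(raw)
    return any(f.startswith("attachment:") for f in found) or len(found) >= 2


def build_lure(attachment_name="Fix_Beagle.AB_12345.cpl"):
    """Constructed copy of the worm's mail, used only as test input."""
    msg = EmailMessage()
    msg["From"] = "support@sophos.com"
    msg["To"] = "someone@hostname.com"
    msg["Subject"] = "Escalation"
    msg.set_content(
        "Dear user of hostname.com,\nWe have received several abuses:\n"
        "- Hundreds of infected e-Mails have been sent\n"
        "from your mail account by the new Beagle.AB worm\n"
    )
    # The real attachment is the 18,432-byte .CPL; a placeholder stands in here.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def build_benign():
    """Constructed legitimate mail sharing only the subject word."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "someone@hostname.com"
    msg["Subject"] = "Escalation"
    msg.set_content("Escalating the ticket as discussed.\n")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="ticket.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print("lure:", netsky_ac_indicators(build_lure()), is_netsky_ac(build_lure()))
    print("benign:", netsky_ac_indicators(build_benign()), is_netsky_ac(build_benign()))
```

The sender check is deliberately weak on its own: the From header is forged, so a match proves nothing about the real origin, and none of the four vendors distribute removal tools as unsolicited .cpl attachments. The attachment rule carries the decision; the rest only raises confidence when a variant changes the file name.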
Description inserted by Crony Walker on Sunday, March 20, 2005
