From: Sophos Alert System

Name: W32/Netsky-AC
Type: Win32 worm
Date: 3 May 2004

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus. Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update.

Sophos has received many reports of this worm from the wild.

Information about W32/Netsky-AC can be found at:
http://www.sophos.com/virusinfo/analyses/w32netskyac.html

Description

W32/Netsky-AC is a mass mailing worm.

The worm copies itself to the Windows folder as comp.cpl and creates a helper component wserver.exe in the same folder.

W32/Netsky-AC sets the following registry entry to ensure it is run on user logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
wserver = wserver.exe

Emails sent by W32/Netsky-AC have the following characteristics:

Subject line:
Escalation

Message text:
Dear user of <harvested domain name>

We have received several abuses:
- Hundreds of infected e-Mails have been sent from your mail account by the new worm <virus name>
- Spam email has been relayed by the backdoor that the virus has created

The malicious file uses your mail account to distribute itself. The backdoor that the worm opens allows remote attackers to gain the control of your computer. This new worm is spreading rapidly around the world now and it is a serios new threat that hits users.

Due to this, we are providing you to remove the infection on your computer and to stop the spreading of the malware with a special desinfection tool attached to this mail.

If you have problems with the virus removal file, please contact our support team at support@<anti-virus domain>

Note that we do not accept html email messages.

<anti-virus vendor> AntiVirus Research Team

Attach: Fix_<virus name>_<random number>.cpl

Note:

<anti-virus vendor> is selected from the following:
Sophos
MCAfee
Norman
Norton

<anti-virus domain> is selected from the following:
sophos.com
symantec.com
nai.com
norman.com

<virus name> is selected from the following:
NetSky.AB
Sasser.B
Bagle.AB
Mydoom.F
MSBlast.B

Attachment Name:
Fix_<virus name>_<random number>.cpl

Sophos researchers have also discovered that hidden inside the code of Netsky-AC is the following text, directed towards anti-virus companies:

Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet...

Recovery

Please follow the instructions for removing worms.

Download the IDE file from:
http://www.sophos.com/downloads/ide/netskyac.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~
It is a good day if I learned something new.
Editor MikesWhatsNews
See a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
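The mail characteristics listed in the alert (subject, forged vendor sender, "several abuses" body, Fix_<virus name>_<random number>.cpl attachment) are enough to flag Netsky-AC messages at a mail gateway. The following Python is an added example written for this post, not Sophos code; the sample message, its boundary string and the random number are constructed.

```python
import re
from email import message_from_string

# Traits of W32/Netsky-AC mails as listed in the Sophos description above.
SPOOFED_DOMAINS = {"sophos.com", "symantec.com", "nai.com", "norman.com"}
VIRUS_NAMES = ("NetSky.AB", "Sasser.B", "Bagle.AB", "Mydoom.F", "MSBlast.B")
ATTACHMENT_RE = re.compile(
    r"^Fix_(?:%s)_\d+\.cpl$" % "|".join(re.escape(n) for n in VIRUS_NAMES), re.I)

def netsky_ac_indicators(raw):
    """Return the Netsky-AC traits present in one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == "escalation":
        hits.append("subject")
    domain = (msg.get("From") or "").rsplit("@", 1)[-1].strip("> ").lower()
    if domain in SPOOFED_DOMAINS:          # forged anti-virus vendor sender
        hits.append("from:" + domain)
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACHMENT_RE.match(name):
            hits.append("attachment:" + name)
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("latin-1")
            if "We have received several abuses" in text:
                hits.append("body")
    return hits

def is_netsky_ac(raw):
    """A matching .cpl attachment is decisive; otherwise require subject, sender and body."""
    hits = netsky_ac_indicators(raw)
    return any(h.startswith("attachment:") for h in hits) or len(hits) >= 3

# Constructed sample message (not a real capture); boundary and number are made up.
SAMPLE = """From: support@sophos.com
Subject: Escalation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear user of example.org
We have received several abuses:
--b1
Content-Type: application/octet-stream; name="Fix_Sasser.B_2741.cpl"
Content-Disposition: attachment; filename="Fix_Sasser.B_2741.cpl"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
```

Matching on the attachment name alone is safe here because the worm's Fix_..._.cpl pattern does not occur in legitimate vendor mail, while subject or sender alone would also catch genuine abuse notices.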