[virusinfo] Sophos Anti-Virus IDE alert: W32/Netsky-AC
- From: "Mike" <mikebike@xxxxxxxxx>
- To: virusinfo@xxxxxxxxxxxxx
- Date: Mon, 03 May 2004 20:12:28 -0700
From; Sophos Alert System:
Name: W32/Netsky-AC
Type: Win32 worm
Date: 3 May 2004
A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2004 (3.82) release of Sophos Anti-Virus.
Customers using Enterprise Manager, PureMessage and any
of the Sophos small business solutions will be automatically
protected at their next scheduled update.
Sophos has received many reports of this worm from the wild.
Information about W32/Netsky-AC can be found at:
http://www.sophos.com/virusinfo/analyses/w32netskyac.html
Description
W32/Netsky-AC is a mass mailing worm. The worm copies itself to the Windows
folder as comp.cpl and creates a helper component wserver.exe in the same
folder. W32/Netsky-AC sets the following registry entry to ensure it is run
on user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
wserver = wserver.exe
Emails sent by W32/Netsky-AC have the following characteristics:
Subject line:
Escalation
Message text:
Dear user of <harvested domain name>
We have received several abuses:
- Hundreds of infected e-Mails have been sent
from your mail account by the new worm <virus name>
- Spam email has been relayed by the backdoor
that the virus has created
The malicious file uses your mail account to distribute
itself. The backdoor that the worm opens allows remote attackers
to gain the control of your computer. This new worm
is spreading rapidly around the world now
and it is a serios new threat that hits users.
Due to this, we are providing you to remove the
infection on your computer and to
stop the spreading of the malware with a
special desinfection tool attached to this mail.
If you have problems with the virus removal file,
please contact our support team at
support@<anti-virus domain>
Note that we do not accept html email messages.
<anti-virus vendor> AntiVirus Research Team
Attach: Fix_<virus name>_<random number>.cpl
Note:
<anti-virus vendor> is selected from the following:
Sophos
MCAfee
Norman
Norton
<anti-virus domain> is selected from the following:
sophos.com
symantec.com
nai.com
norman.com
<virus name> is selected from the following:
NetSky.AB
Sasser.B
Bagle.AB
Mydoom.F
MSBlast.B
Attachment Name:
Fix_<virus name>_<random number>.cpl
Sophos researchers have also discovered that hidden inside the code of
Netsky-AC is the following text, directed towards anti-virus companies:
Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah
thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server
code with the one from Skynet.V!!! LooL! We are the Skynet...
Recovery
Please follow the instructions for removing worms
Download the IDE file from:
http://www.sophos.com/downloads/ide/netskyac.ide
Download all the IDE files available for the current version of
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:
Zip file:
http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe
Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html
*********** MIKE"S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
Other related posts:
