Method of Infection
When run, the .cpl file copies itself to
%Windows%\comp.cpl
It then decrypts and drops the main part of the worm to
%Windows%\wserver.exe
Finally, it executes wserver.exe. This component behaves much like previous Netsky variants.
It first copies itself to %Windows%\wserver.exe (redundantly, since the .cpl file has already done so). It then adds a registry Run value so that this copy is executed at each Windows start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wserver = "%Windows%\wserver.exe"
Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default Windows directory is C:\Winnt on Windows 2000 and NT, and C:\Windows on Windows 95, 98, ME and XP.
It creates a mutex called "SkyNet-Sasser", to ensure only one copy of the worm runs at a time.
Method of Distribution
Via E-mail
Netsky.AC sends itself by e-mail using its own SMTP engine. It spoofs the 'From' address so that the message appears to come from an anti-virus vendor's support address.
To harvest e-mail addresses to send itself to, the worm searches drives C: to Z: (excluding CD-ROM drives) for files with the following extensions:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xls
.xml
The worm discards e-mail addresses containing the following strings:
iruslis
antivir
sophos
freeav
andasoftwa
skynet
messagelabs
abuse
fbi
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
avp
spam
ymantec
antivi
icrosoft
The messages generated by Netsky.AC vary a little. The 'From' address is chosen from the following:
support@symantec.com
support@nai.com
support@norman.com
support@sophos.com
The message subject is always "Escalation". The body reads as follows:
Dear user of <recipient domain>,
We have received several abuses:
- Hundreds of infected e-Mails have been sent
from your mail account by the new <virus name> worm
- Spam email has been relayed by the backdoor
that the virus has created
The malicious file uses your mail account to distribute
itself. The backdoor that the worm opens allows remote attackers
to gain the control of your computer. This new worm
is spreading rapidly around the world now
and it is a serios new threat that hits users.
Due to this, we are providing you to remove the
infection on your computer and to
stop the spreading of the malware with a
special desinfection tool attached to this mail.
If you have problems with the virus removal file,
please contact our support team at <spoofed from address>.
Note that we do not accept html email messages.
<signature>
Attach: <attachment name>
The attachment name takes the following form:
Fix_<virus name>_<random number>.cpl
<virus name> is one of the following:
NetSky.AB
Sasser.B
Bagle.AB
Mydoom.F
MSBlast.B
<signature> is chosen from this list to match the spoofed 'From' address:
Norton AntiVirus Research Team
MCAfee AntiVirus Research Team
Norman AntiVirus Research Team
Sophos AntiVirus Research Team
<random number> is a number between 0 and 32767.
Example attachment names:
Fix_NetSky.AB_13514.cpl
Fix_Sasser.B_29680.cpl
Fix_Mydoom.F_36.cpl
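The message characteristics above (fixed subject, spoofed vendor sender, Fix_<virus name>_<random number>.cpl attachment with the number in 0..32767) can be turned into a mail-gateway check. The following is an added example written for this page, not code from the original analysis; the Message class and the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Indicators taken from the Netsky.AC description above.
SPOOFED_SENDERS = {
    "support@symantec.com", "support@nai.com",
    "support@norman.com", "support@sophos.com",
}
VIRUS_NAMES = ("NetSky.AB", "Sasser.B", "Bagle.AB", "Mydoom.F", "MSBlast.B")
# Attachment form: Fix_<virus name>_<random number>.cpl, number in 0..32767.
ATTACHMENT_RE = re.compile(
    r"^Fix_(" + "|".join(re.escape(v) for v in VIRUS_NAMES) + r")_(\d{1,5})\.cpl$",
    re.IGNORECASE,
)

@dataclass
class Message:
    """Minimal constructed stand-in for a parsed mail message (hypothetical)."""
    sender: str
    subject: str
    attachments: list

def attachment_matches(name: str) -> bool:
    """True if the attachment name fits the worm's naming scheme and range."""
    m = ATTACHMENT_RE.match(name)
    return bool(m) and 0 <= int(m.group(2)) <= 32767

def score_message(msg: Message) -> list:
    """Return the list of Netsky.AC indicators this message triggers."""
    hits = []
    if msg.subject.strip() == "Escalation":
        hits.append("subject")
    if msg.sender.lower() in SPOOFED_SENDERS:
        hits.append("spoofed-sender")
    if any(attachment_matches(a) for a in msg.attachments):
        hits.append("attachment")
    return hits

def is_netsky_ac(msg: Message) -> bool:
    """Flag on the attachment pattern alone, or on subject plus spoofed sender."""
    hits = score_message(msg)
    return "attachment" in hits or {"subject", "spoofed-sender"} <= set(hits)

# Constructed sample messages (not real captures).
SAMPLES = [
    Message("support@symantec.com", "Escalation", ["Fix_NetSky.AB_13514.cpl"]),
    Message("support@nai.com", "Escalation", ["Fix_Mydoom.F_36.cpl"]),
    Message("friend@example.net", "Re: lunch", ["notes.txt"]),
    Message("support@sophos.com", "Escalation", ["report.pdf"]),       # subject + sender only
    Message("alice@example.org", "Hello", ["Fix_Sasser.B_99999.cpl"]),  # number out of range
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.attachments, score_message(s), is_netsky_ac(s))
```

The out-of-range sample shows why the numeric bound matters: a lookalike name with a number above 32767 does not fit the worm's generator and is not flagged on the attachment alone.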
Please see below for examples of e-mail generated by the worm: