W32/Netsky-AC {Sophos} in Security

W32/Netsky-AC {Sophos} in Security http://www.dslreports.com/forum/r10135556 en Fri, 04 Dec 2009 06:13:25 EDT Fri, 04 Dec 2009 06:13:25 EDT Re: W32/Netsky-AC {Sophos} http://www.dslreports.com/forum/remark,10160268 Randy Bell : McAfee: W32/Netsky.ac@MM
»us.mcafee.com/virusInfo/default.···k=125016

Computer Associates: Win32.Netsky.AC
»www3.ca.com/threatinfo/virusinfo···ID=39026

F-Secure: NetSky.AC
»www.f-secure.com/v-descs/netskyac.shtml

Panda: Netsky.AC
»www.virusportal.com/com/virusinf···us=46889

VSAntivirus: W32/Netsky.AC. Subject: "Escalation"
{English Transl}: »babelfish.altavista.com/babelfis···y-ac.htm
{Spanish Original}: »www.vsantivirus.com/netsky-ac.htm
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)]]> http://www.dslreports.com/forum/remark,10160268 Wed, 05 May 2004 15:06:59 EDT Re: W32/Netsky-AC {Sophos} http://www.dslreports.com/forum/remark,10160242 Randy Bell : Sophos has filled in the details in their writeup for this variant:

said by Sophos:
W32/Netsky-AC is a mass mailing worm. The worm copies itself to the Windows folder as comp.cpl and creates a helper component wserver.exe in the same folder. W32/Netsky-AC sets the following registry entry to ensure it is run on user logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
wserver = wserver.exe

Emails sent by W32/Netsky-AC have the following characteristics:

Subject line:

Escalation

Message text:

Dear user of {harvested domain name}

We have received several abuses:

- Hundreds of infected e-Mails have been sent
from your mail account by the new worm {virus name}
- Spam email has been relayed by the backdoor
that the virus has created

The malicious file uses your mail account to distribute
itself. The backdoor that the worm opens allows remote attackers
to gain the control of your computer. This new worm
is spreading rapidly around the world now
and it is a serios new threat that hits users.

Due to this, we are providing you to remove the
infection on your computer and to
stop the spreading of the malware with a
special desinfection tool attached to this mail.

If you have problems with the virus removal file,
please contact our support team at

support@{anti-virus domain}

Note that we do not accept html email messages.

{anti-virus vendor} AntiVirus Research Team
Attach: Fix_{virus name}_{random number}.cpl

Note:

{anti-virus vendor} is selected from the following:

Sophos
MCAfee
Norman
Norton

{anti-virus domain} is selected from the following:

sophos.com
symantec.com
nai.com
norman.com

{virus name} is selected from the following:

NetSky.AB
Sasser.B
Bagle.AB
Mydoom.F
MSBlast.B

Attachment Name:

Fix_{virus name}_{random number}.cpl

Sophos researchers have also discovered that hidden inside the code of Netsky-AC is the following text, directed towards anti-virus companies:

Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet...

--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)]]> http://www.dslreports.com/forum/remark,10160242 Wed, 05 May 2004 15:03:43 EDT Re: W32/Netsky-AC {Sophos} http://www.dslreports.com/forum/remark,10135647 EGeezer : FYI link to »I-Worm.Netsky.ac {KAV}
for continuity
EDIT - note that all have NETSKY.AC in their name, but the descriptions are substantially different. Nothing like more naming confusion. ]]> http://www.dslreports.com/forum/remark,10135647 Sun, 02 May 2004 22:28:08 EDT Re: W32/Netsky-AC {Sophos} http://www.dslreports.com/forum/remark,10135607 Randy Bell : Trend: WORM_NETSKY.AC
»www.trendmicro.com/vinfo/virusen···ETSKY.AC
Tech Details: »www.trendmicro.com/vinfo/virusen···&VSect=T

quote:
Upon execution, this NETSKY variant drops the following files in the Windows folder:

•CCOMP.CPL – a copy of itself
•WSERVER.EXE – its memory-resident component

It creates the following registry entry so that it executes at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Wserver = "%Windows%\wserver.exe"

(Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)

{See above link for tech details including email message bodies, attachments}
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)]]> http://www.dslreports.com/forum/remark,10135607 Sun, 02 May 2004 22:23:46 EDT W32/Netsky-AC {Sophos} http://www.dslreports.com/forum/remark,10135556 Randy Bell : I did a Search and I believe this one is new .. has not been posted yet. There was an I-Worm.Netsky.AC {KAV} posted but upon further examination {of the discovery date and infection details} it appears to have been the same as the W32/Netsky-AB {Sophos} posted earlier .. so this seems to be a new one:

Sophos: W32/Netsky-AC
»www.sophos.com/virusinfo/analyse···yac.html

quote:
Detection:
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section .. {{~snipped~}} ..

Sophos has received many reports of this worm from the wild.

Description
W32/Netsky-AC is a mass mailing worm. A detailed description will be published here shortly.

--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)]]> http://www.dslreports.com/forum/remark,10135556 Sun, 02 May 2004 22:18:00 EDT