high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Protection available since | 3 May 2004 01:11:15 (GMT) |
| Last updated | 3 May 2004 10:41:52 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
wserver = wserver.exe
and delete it if it exists.
Close the registry editor.
More Information
W32/Netsky-AC is a mass mailing worm. The worm copies itself to the Windows folder as comp.cpl and creates a helper component wserver.exe in the same folder.
Emails sent by W32/Netsky-AC have the following characteristics:
Subject line:
Escalation
Message text:
Dear user of <harvested domain name>
We have received several abuses:
- Hundreds of infected e-Mails have been sent
from your mail account by the new worm <virus name>
- Spam email has been relayed by the backdoor
that the virus has created
The malicious file uses your mail account to distribute itself. The backdoor that the worm opens allows remote attackers to gain the control of your computer. This new worm is spreading rapidly around the world now
and it is a serios new threat that hits users.
Due to this, we are providing you to remove the
infection on your computer and to
stop the spreading of the malware with a
special desinfection tool attached to this mail.
If you have problems with the virus removal file,
please contact our support team at
support@<anti-virus domain>
Note that we do not accept html email messages.
<anti-virus vendor> AntiVirus Research Team
Attach: Fix_<virus name>_<random number>.cpl
Note:
<anti-virus vendor> is selected from the following:
Sophos
MCAfee
Norman
Norton
<anti-virus domain> is selected from the following:
sophos.com
symantec.com
nai.com
norman.com
<virus name> is selected from the following:
NetSky.AB
Sasser.B
Bagle.AB
Mydoom.F
MSBlast.B
Attachment Name:
Fix_<virus name>_<random number>.cpl
Sophos researchers have also discovered that hidden inside the code of Netsky-AC is the following text, directed towards anti-virus companies:
Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet... W32/Netsky-AC is a mass mailing worm. The worm copies itself to the Windows folder as comp.cpl and creates a helper component wserver.exe in the same folder.
W32/Netsky-AC sets the following registry entry to ensure it is run on user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
wserver = wserver.exe
Emails sent by W32/Netsky-AC have the following characteristics:
Subject line:
Escalation
Message text:
Dear user of <harvested domain name>
We have received several abuses:
- Hundreds of infected e-Mails have been sent
from your mail account by the new worm <virus name>
- Spam email has been relayed by the backdoor
that the virus has created
The malicious file uses your mail account to distribute
itself. The backdoor that the worm opens allows remote attackers
to gain the control of your computer. This new worm
is spreading rapidly around the world now
and it is a serios new threat that hits users.
Due to this, we are providing you to remove the
infection on your computer and to
stop the spreading of the malware with a
special desinfection tool attached to this mail.
If you have problems with the virus removal file,
please contact our support team at
support@<anti-virus domain>
Note that we do not accept html email messages.
<anti-virus vendor> AntiVirus Research Team
Attach: Fix_<virus name>_<random number>.cpl
Note:
<anti-virus vendor> is selected from the following:
Sophos
MCAfee
Norman
Norton
<anti-virus domain> is selected from the following:
sophos.com
symantec.com
nai.com
norman.com
<virus name> is selected from the following:
NetSky.AB
Sasser.B
Bagle.AB
Mydoom.F
MSBlast.B
Attachment Name:
Fix_<virus name>_<random number>.cpl
Sophos researchers have also discovered that hidden inside the code of Netsky-AC is the following text, directed towards anti-virus companies:
Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet...
|
