W32/Netsky-AC

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
wserver = wserver.exe

and delete it if it exists.

Close the registry editor.

W32/Netsky-AC is a mass mailing worm. The worm copies itself to the Windows folder as comp.cpl and creates a helper component wserver.exe in the same folder.

Emails sent by W32/Netsky-AC have the following characteristics:

Subject line:

Escalation

Message text:

Dear user of <harvested domain name>

We have received several abuses:

- Hundreds of infected e-Mails have been sent
from your mail account by the new worm <virus name>
- Spam email has been relayed by the backdoor
that the virus has created

The malicious file uses your mail account to distribute itself. The backdoor that the worm opens allows remote attackers to gain the control of your computer. This new worm is spreading rapidly around the world now
and it is a serios new threat that hits users.

Due to this, we are providing you to remove the
infection on your computer and to
stop the spreading of the malware with a
special desinfection tool attached to this mail.

If you have problems with the virus removal file,
please contact our support team at

support@<anti-virus domain>

Note that we do not accept html email messages.

<anti-virus vendor> AntiVirus Research Team
Attach: Fix_<virus name>_<random number>.cpl

Note:

<anti-virus vendor> is selected from the following:

Sophos
MCAfee
Norman
Norton

<anti-virus domain> is selected from the following:

sophos.com
symantec.com
nai.com
norman.com

<virus name> is selected from the following:

NetSky.AB
Sasser.B
Bagle.AB
Mydoom.F
MSBlast.B

Attachment Name:

Fix_<virus name>_<random number>.cpl

Sophos researchers have also discovered that hidden inside the code of Netsky-AC is the following text, directed towards anti-virus companies:

Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet... W32/Netsky-AC is a mass mailing worm. The worm copies itself to the Windows folder as comp.cpl and creates a helper component wserver.exe in the same folder.

W32/Netsky-AC sets the following registry entry to ensure it is run on user logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
wserver = wserver.exe

Emails sent by W32/Netsky-AC have the following characteristics:

Subject line:

Escalation

Message text:

Dear user of <harvested domain name>

We have received several abuses:

- Hundreds of infected e-Mails have been sent
from your mail account by the new worm <virus name>
- Spam email has been relayed by the backdoor
that the virus has created

The malicious file uses your mail account to distribute
itself. The backdoor that the worm opens allows remote attackers
to gain the control of your computer. This new worm
is spreading rapidly around the world now
and it is a serios new threat that hits users.

Due to this, we are providing you to remove the
infection on your computer and to
stop the spreading of the malware with a
special desinfection tool attached to this mail.

If you have problems with the virus removal file,
please contact our support team at

support@<anti-virus domain>

Note that we do not accept html email messages.

<anti-virus vendor> AntiVirus Research Team
Attach: Fix_<virus name>_<random number>.cpl

Note:

<anti-virus vendor> is selected from the following:

Sophos
MCAfee
Norman
Norton

<anti-virus domain> is selected from the following:

sophos.com
symantec.com
nai.com
norman.com

<virus name> is selected from the following:

NetSky.AB
Sasser.B
Bagle.AB
Mydoom.F
MSBlast.B

Attachment Name:

Fix_<virus name>_<random number>.cpl

Sophos researchers have also discovered that hidden inside the code of Netsky-AC is the following text, directed towards anti-virus companies:

Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet...