NetSky.AC worm was found on May 3rd, 2004. Nearly 95% of the code in NetSky.AB is present in NetSky.AC.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The worm's file is a packed PE executable 36864 bytes long.
Upon execution NetSky.AC copies itself as 'wserver.exe' file to Windows folder and adds a startup key for this file into System Registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "wserver" = "%WinDir%\wserver.exe"
where %WinDir% represents Windows folder name.
And created a mutex name "SkyNet-Sasser" ro ensure only one instance of the worm is running.
The worm scans all hard drives from C: to Z: to harvest email addresses. The worm looks for email addresses in files with the following extensions:
.eml .txt .php .cfg .mbx .mdx .asp .wab .doc .vbs .rtf .uin .shtm .cgi .dhtm .adb .tbb .dbx .pl .htm .html .sht .oft .msg .ods .stm .xls .jsp .wsh .xml .mht .mmf .nch .ppt
Netsky.AC worm ignores email addresses that contain any of the following strings:
icrosoft antivi ymantec spam avp f-secur itdefender orman cafee aspersky f-pro orton fbi abuse messagelabs skynet andasoftwa freeav sophos antivir iruslis
The worm composes different email message. The sender of the message will appear to be any of the following:
support@sophos.com support@norman.com support@nai.com support@symantec.com
The subject is fixed, always containing the text:
Escalation
The body will look like:
Dear user of (name) We have received several abuses: - Hundreds of infected emails have been sent from your mail account by the new (Virus name) worm - Spam email has been relayed by the backdoor that the virus has created The malicious file uses your mail account to distribute itself. The backdoor that the worm opens allows remote attackers to gain the control of your computer. This new worm is spreading rapidly around the world now and it is a serios new threat that hits users. Due to this, we are providing you to remove the infection on your computer and to stop the spreading of the malware with a special desinfection tool attached to this mail. If you have problems with the virus removal file, please contact our support team at (Anti-Virus Vendor email) Note that we do not accept html email messages. (Anti-Virus Team)
(Virus name) can be any of the following:
NetSky.AB Sasser.B Bagle.AB Mydoom.F MSBlast.B
(Anti-Virus Vendor email) any of:
support@sophos.com support@norman.com support@nai.com support@symantec.com
And (Anti-Virus Team) any of:
Sophos AntiVirus Research Team Norman AntiVirus Research Team MCAfee AntiVirus Research Team Norton AntiVirus Research Team
Netsky.AC attaches its executable file to emails that it sends out. The attachment name has the following format:
Fix_(Virus name)_(number).cpl
where (number) will be a decimal number not greater then 32767.