Security vendors Monday also issued an alert for W32/Netsky-AC, a mass mailing worm that copies itself to the Windows folder as comp.cpl and creates a helper component wserver.exe in the same folder.
W32/Netsky-AC sets the following registry entry to ensure it is run on user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
wserver = wserver.exe
Emails sent by W32/Netsky-AC have the following characteristics:
Subject line: Escalation
More information is atSophos page.
Trend Micro also issued an alert for Worm_Netsky.AC, and reports that this memory-resident worm propagates using its own Simple Mail Transfer Protocol (SMTP) engine. It obtains target email addresses from files with certain extension names, which it searches in drives C to Z (except for CD-ROM drives).
The email it sends may have the following details:
From: (any of the following)
support@i.com
support@noan.com
support@soos.com
support@santec.com
Subject: Escalation
Message body:
Dear user of
We have received several abuses:
--undreds of infected e-Mails have been sent from your mail account by the new worm
--Spam email has been relayed by the backdoor that the virus has created the malicious file uses your mail account to distribute itself. The backdoor that the worm opens allows remote attackers to gain the control of your computer. This new worm is spreading rapidly around the world now and it is a serios new threat that hits users. Due to this, we are providing you to remove the infection on your computer and to stop the spreading of the malware with a special desinfection tool attached to this mail. If you have problems with the virus removal file, please contact our support team at . Note that we do not accept html email messages.
AntiVirus Research Team
Attach: Fix__.cpl
Attachment:
Fix__.cpl
(Note: is the domain of the target email adress. can be WORM_MSBLAST.B, WORM_MYDOOM.F, WORM_BAGLE.AB, WORM_SASSER.B, or WORM_NETSKY.AB. can be McAfee, Norman, Norton, or Sophos. can be any 5-digit number combination.)
View a sample email message that this worm sends at this Trend Micro page.
New Bagle Variant Displays Fake Error Message
W32/Bagle-AA is a member of the W32/Bagle family of worms. When first run W32/Bagle-AA will display a fake error message containing the text "Can't find a viewer associated with the file."
W32/Bagle-AA copies itself to the Windows system folder with the filename drvddll.exe and then runs the worm from that location. The email sent by the worm may use one of the several subject lines.
View them and other information at this Sophos page.
McAfee issued a medium-threat alert for W32/Bagle.aa@MM, a new variant of W32/Bagle@MM. It is packed using UPX.
This is a mass-mailing worm with the following characteristics:
--contains its own SMTP engine to construct outgoing messages
--harvests email addresses from the victim machine
--the From: address of messages is spoofed
--attachment can be a password-protected zip file, with the password included in the message body.
--contains a remote access component (notification is sent to hacker)
--copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
When executed it will display a false message. View the message and other information at this McAfee page.
Trojan Has Different Functionalities
Trojan.Adwaheck is a trojan that contains both Adware and backdoor trojan functionality.
Technical details are at this Symantec page.
Mass-Mailing Worm Copies Itself to Windows Folder
