Mass-Mailing Worm Copies Itself to Windows Folder

May 3, 2004

Security vendors Monday also issued an alert for W32/Netsky-AC, a mass mailing worm that copies itself to the Windows folder as comp.cpl and creates a helper component wserver.exe in the same folder.

W32/Netsky-AC sets the following registry entry to ensure it is run on user logon:

wserver = wserver.exe
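The artifacts above (comp.cpl and wserver.exe in the Windows folder, plus a "wserver" value under the Run key) are the kind of indicators an incident responder checks first. The following is an added example, not code from the article or from any of the vendors it cites: a small Python triage routine that compares a folder listing and a set of Run-key values against those indicators. It also includes the drvddll.exe file that the Bagle-AA section later in this article names. The registry values are passed in as a plain dictionary (collected separately, for instance from an exported Run key) so the routine runs on any platform; the demo folder it builds is a constructed sample with empty files, not real malware.

```python
import os
import tempfile

# Host indicators as stated in the article (Sophos and McAfee alerts, May 2004).
FILE_INDICATORS = {
    "comp.cpl": "W32/Netsky-AC",     # Windows folder
    "wserver.exe": "W32/Netsky-AC",  # helper component, Windows folder
    "drvddll.exe": "W32/Bagle-AA",   # Windows system folder
}
# Run-key value name -> (expected file name in the value data, family)
RUN_VALUE_INDICATORS = {
    "wserver": ("wserver.exe", "W32/Netsky-AC"),
}


def _basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rstrip("/").split("/")[-1]


def check_folders(folders):
    """Return sorted (family, full path) tuples for indicator files found in folders."""
    hits = []
    for folder in folders:
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            family = FILE_INDICATORS.get(name.lower())  # case-insensitive like NTFS
            if family:
                hits.append((family, os.path.join(folder, name)))
    return sorted(hits)


def check_run_values(run_values):
    """run_values: {value name: value data} read from a Run key.
    Returns (family, value name, data) for every value matching an indicator."""
    hits = []
    for name, data in run_values.items():
        expected = RUN_VALUE_INDICATORS.get(name.lower())
        if expected and _basename(data).lower() == expected[0]:
            hits.append((expected[1], name, data))
    return hits


def triage(folders, run_values):
    """Combine both checks into one report: {family: [evidence string, ...]}."""
    report = {}
    for family, path in check_folders(folders):
        report.setdefault(family, []).append("file: " + path)
    for family, name, data in check_run_values(run_values):
        report.setdefault(family, []).append("run value: %s = %s" % (name, data))
    return report


def demo():
    """Build a throwaway folder that mimics an infected Windows directory
    (constructed sample: empty files with the indicator names) and triage it."""
    with tempfile.TemporaryDirectory() as windir:
        for name in ("notepad.exe", "comp.cpl", "WSERVER.EXE"):
            open(os.path.join(windir, name), "wb").close()
        run_values = {
            "wserver": "wserver.exe",                          # the worm's entry
            "ctfmon": "C:\\WINDOWS\\system32\\ctfmon.exe",     # benign, constructed
        }
        return triage([windir], run_values)


if __name__ == "__main__":
    for family, evidence in demo().items():
        print(family)
        for item in evidence:
            print("   ", item)
```

The check is deliberately name-based: a file called wserver.exe that is not the worm will still be reported, so treat the output as a lead for hashing and submitting the file, not as a verdict.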

Emails sent by W32/Netsky-AC have the following characteristics:

Subject line: Escalation

More information is at this Sophos page.

Trend Micro also issued an alert for Worm_Netsky.AC, and reports that this memory-resident worm propagates using its own Simple Mail Transfer Protocol (SMTP) engine. It obtains target email addresses from files with certain extension names, which it searches in drives C to Z (except for CD-ROM drives).

The email it sends may have the following details:

From: (any of the following)

Subject: Escalation

Message body:
Dear user of
We have received several abuses:
--Hundreds of infected e-Mails have been sent from your mail account by the new worm
--Spam email has been relayed by the backdoor that the virus has created. The malicious file uses your mail account to distribute itself. The backdoor that the worm opens allows remote attackers to gain the control of your computer. This new worm is spreading rapidly around the world now and it is a serios new threat that hits users. Due to this, we are providing you to remove the infection on your computer and to stop the spreading of the malware with a special desinfection tool attached to this mail. If you have problems with the virus removal file, please contact our support team at . Note that we do not accept html email messages.

AntiVirus Research Team
Attach: Fix__.cpl

(Note: the domain placeholder is the domain of the target email address. The worm name can be WORM_MSBLAST.B, WORM_MYDOOM.F, WORM_BAGLE.AB, WORM_SASSER.B, or WORM_NETSKY.AB. The vendor name can be McAfee, Norman, Norton, or Sophos. The number can be any 5-digit combination.)

View a sample email message that this worm sends at this Trend Micro page.

New Bagle Variant Displays Fake Error Message

W32/Bagle-AA is a member of the W32/Bagle family of worms. When first run W32/Bagle-AA will display a fake error message containing the text "Can't find a viewer associated with the file."

W32/Bagle-AA copies itself to the Windows system folder with the filename drvddll.exe and then runs the worm from that location. The email sent by the worm may use one of several subject lines.

View them and other information at this Sophos page.

McAfee issued a medium-threat alert for W32/Bagle.aa@MM, a new variant of W32/Bagle@MM. It is packed using UPX.

This is a mass-mailing worm with the following characteristics:

--contains its own SMTP engine to construct outgoing messages
--harvests email addresses from the victim machine
--the From: address of messages is spoofed
--attachment can be a password-protected zip file, with the password included in the message body.
--contains a remote access component (notification is sent to hacker)
--copies itself to folders that have the phrase shar in the name (such as the shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)

When executed it will display a false message. View the message and other information at this McAfee page.
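Both alerts describe mail that a gateway or mailbox filter can recognise from its structure: the Netsky-AC message (subject "Escalation", the "We have received several abuses" / "AntiVirus Research Team" body text, a Fix_*.cpl attachment) and the Bagle pattern of a zip attachment whose password is written in the message body. The following is an added example, not code from the article or from Sophos, Trend Micro or McAfee: a Python triage function that parses an RFC 822 message, applies both checks, and, for a zip attachment, lists the members and verifies whether the body-supplied password opens them. The sample messages it builds are constructed; the password phrasing regex is an assumption about how such bodies read, not taken from the article, and the sample archive is unencrypted because the standard library cannot write encrypted zips.

```python
import io
import re
import zipfile
from email import message_from_string, policy
from email.message import EmailMessage

# Extensions Windows executes directly; .cpl is the one Netsky-AC uses.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".cpl", ".com", ".bat")
# Body phrases quoted in the article's Netsky-AC description.
NETSKY_PHRASES = ("We have received several abuses", "AntiVirus Research Team")
# Assumed phrasing for a password given in the body ("password is X", "password: X").
PASSWORD_RE = re.compile(r"password\s*(?:is|:)\s*['\"]?(\w{3,20})", re.IGNORECASE)


def body_text(msg):
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part else ""


def attachments(msg):
    """Yield (filename, raw bytes) for every attachment part."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name, part.get_payload(decode=True)


def inspect_zip(data, password):
    """List members with executable names and test the body-supplied password."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(EXEC_EXTENSIONS):
                findings.append("executable-inside-zip:" + name)
            if password:
                try:
                    zf.read(name, pwd=password.encode())
                except RuntimeError:  # zipfile raises this for a bad password
                    findings.append("zip-password-failed:" + name)
    return findings


def triage_message(raw):
    """Return a sorted list of finding strings for one message."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get("subject", ""))
    body = body_text(msg)
    pw_match = PASSWORD_RE.search(body)
    password = pw_match.group(1) if pw_match else None
    findings, names = [], []
    for name, data in attachments(msg):
        lower = name.lower()
        names.append(lower)
        if lower.endswith(EXEC_EXTENSIONS):
            findings.append("executable-attachment:" + name)
        if lower.endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
            if password:
                findings.append("zip-password-in-body:" + password)
            findings.extend(inspect_zip(data, password))
    if (subject == "Escalation"
            and any(p in body for p in NETSKY_PHRASES)
            and any(n.startswith("fix_") and n.endswith(".cpl") for n in names)):
        findings.append("netsky-ac-template")
    return sorted(findings)


def _mail(subject, body, attachment=None):
    """Build a constructed sample message; (name, bytes, subtype) attaches a part."""
    m = EmailMessage()
    m["From"] = "support@example.net"  # constructed, spoofed-looking sender
    m["To"] = "user@example.net"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        name, data, subtype = attachment
        m.add_attachment(data, maintype="application", subtype=subtype, filename=name)
    return m.as_string()


def build_sample_netsky():
    body = ("Dear user of example.net,\nWe have received several abuses:\n"
            "Hundreds of infected e-Mails have been sent from your mail account.\n"
            "AntiVirus Research Team\n")
    return _mail("Escalation", body, ("Fix_12345.cpl", b"MZ constructed dummy", "octet-stream"))


def build_sample_bagle():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg.exe", b"MZ constructed dummy")
    body = ("For security reasons the attached file is password protected.\n"
            "The password is 11534.\n")
    return _mail("Re: Hello", body, ("details.zip", buf.getvalue(), "zip"))


def build_sample_clean():
    return _mail("Lunch", "Are we still on for noon?\n")


if __name__ == "__main__":
    for label, builder in (("netsky", build_sample_netsky), ("bagle", build_sample_bagle),
                           ("clean", build_sample_clean)):
        print(label, triage_message(builder()))
```

The zip is only opened for its member list and a password test; nothing is written to disk or executed. The "zip-password-failed" finding matters because an archive whose body password does not open it is equally suspect and should be quarantined rather than passed through.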

Trojan Combines Adware and Backdoor Functionality

Trojan.Adwaheck is a trojan that contains both Adware and backdoor trojan functionality.

Technical details are at this Symantec page.
