The Netsky.AC worm was discovered on May 2, 2004. Netsky.AC pretends to be a removal tool for the Sasser.B, Bagle.AB, Mydoom.F, MSBlast.B and NetSky.AB worms. In a similar fashion to some of the earlier Bagle variants, Netsky.AC masquerades as a message from or composed by a security vendor/domain admin. Netsky.AC drops comp.cpl and wserver.exe to the Windows folder, registering wserver.exe via the HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ system registry key to launch when Windows is started.
Text included in the Netsky.AC code (but not displayed) indicates the worm author may also be the author of the Sasser Internet worm, claiming: "Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet..."
See the Sophos description for an example of the Netsky.AC email.
