Threat Description

NetSky.AB

Details

Aliases: NetSky.AB, W32/NetSky.AB@mm
Category: Malware
Type: Email-Worm
Platform: W32

Summary



The NetSky.AB worm was found on April 28th, 2004. This variant shares nearly 98% of its functionality with NetSky.AA.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details



The worm's file is a packed PE executable 17920 bytes long.

Installation to system

Upon execution NetSky.AB copies itself as 'csrss.exe' to the Windows folder and adds a startup value for this file to the System Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BagleAV" = "%WinDir%\csrss.exe"

where %WinDir% represents Windows folder name.

Email Spreading

The worm scans all hard drives from C: to Z: to harvest e-mail addresses. The worm looks for e-mail addresses in files with the following extensions:

.eml
.txt
.php
.cfg
.mbx
.mdx
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.pl
.htm
.html
.sht
.oft
.msg
.ods
.stm
.xls
.jsp
.wsh
.xml
.mht
.mmf
.nch
.ppt

The Netsky.AB worm ignores e-mail addresses that contain any of the following strings:

icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abuse
messagelabs
skynet
andasoftwa
freeav
sophos
antivir
iruslis

The worm composes e-mails with different subject and body texts. Here is the list of subject texts that the worm uses:

Correction
Hurts
Privacy
Password
Criminal
Pictures
Text
Money
Stolen
Found
Numbers
Funny
Only love?
More samples
Picture
Letter
Question
Illegal

The worm uses one of the following text strings as body text for an infected message:

Please use the font arial!
How can I help you?
Still?
I've your password. Take it easy!
Why do you show your body?
Hey, are you criminal?
Your pictures are good!
The text you sent to me is not so good!
True love letter?
Do you have no money?
Do you have asked me?
I've found your creditcard. Check the data!
Are your numbers correct?
You have no chance...
Wow! Why are you so shy?
Do you have more samples?
Do you have more photos about you?
Do you have written the letter?
Does it hurt you?
Please do not sent me your illegal stuff again!!!

Netsky.AB attaches its executable file to e-mails that it sends out. The attachment name is selected from the following variants:

corrected_doc.pif
hurts.pif
document1.pif
passwords02.pif
image034.pif
myabuselist.pif
your_picture01.pif
your_text01.pif
your_letter.pif
your_bill.pif
my_stolen_document.pif
visa_data.pif
pin_tel.pif
your_text.pif
loveletter02.pif
all_pictures.pif
your_letter_03.pif
your_picture.pif
abuses.pif
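The following is an added detection example, not part of the original description or any F-Secure tooling: it checks a raw e-mail against the subject and attachment lists given under Email Spreading, and checks a Run-key value against the startup entry given under Installation to system. The sample message, its addresses and the dummy attachment bytes are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from ntpath import basename

# Indicator lists transcribed from the technical details above.
SUBJECTS = {
    "Correction", "Hurts", "Privacy", "Password", "Criminal", "Pictures",
    "Text", "Money", "Stolen", "Found", "Numbers", "Funny", "Only love?",
    "More samples", "Picture", "Letter", "Question", "Illegal",
}
ATTACHMENTS = {
    "corrected_doc.pif", "hurts.pif", "document1.pif", "passwords02.pif",
    "image034.pif", "myabuselist.pif", "your_picture01.pif", "your_text01.pif",
    "your_letter.pif", "your_bill.pif", "my_stolen_document.pif", "visa_data.pif",
    "pin_tel.pif", "your_text.pif", "loveletter02.pif", "all_pictures.pif",
    "your_letter_03.pif", "your_picture.pif", "abuses.pif",
}
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "BagleAV"

def match_message(raw: bytes) -> dict:
    """Compare a raw RFC 822 message against the worm's subject and attachment lists."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    hit_attachments = [n for n in names if n.lower() in ATTACHMENTS]
    return {
        "subject_match": subject in SUBJECTS,
        "attachment_match": hit_attachments,
        # Both indicators together are a far stronger signal than either alone.
        "verdict": subject in SUBJECTS and bool(hit_attachments),
    }

def match_run_entry(key: str, name: str, data: str) -> bool:
    """True if a Run-key value looks like the startup entry this variant writes."""
    return (key.upper() == RUN_KEY.upper() and name == RUN_VALUE
            and basename(data).lower() == "csrss.exe")

def build_sample() -> bytes:
    """Constructed sample message (hypothetical address, dummy attachment bytes)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["Subject"] = "Password"
    m.set_content("I've your password. Take it easy!")
    m.add_attachment(b"MZ-dummy-not-a-real-executable", maintype="application",
                     subtype="octet-stream", filename="passwords02.pif")
    return m.as_bytes()
```

Subject words such as "Text" or "Found" occur in normal mail, so the subject list alone is only a weak indicator; the attachment name plus the .pif extension is what makes the combined verdict useful.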
