The NetSky.AB worm was found on April 28th, 2004. This variant shares
nearly 98% of its functionality with NetSky.AA.
F-Secure provides a special disinfection utility to eliminate a
NetSky.AB worm infection. You can download this utility from our
ftp site:
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.zip
Disinfection instructions can be found here:
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.txt
The worm's file is a packed PE executable 17920 bytes long.
Installation to system
Upon execution, NetSky.AB copies itself as 'csrss.exe' to the Windows
folder and adds a startup value for this file to the System Registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BagleAV" = "%WinDir%\csrss.exe"
where %WinDir% represents the Windows folder name. Note that the
legitimate Windows csrss.exe (Client/Server Runtime Subsystem) resides
in the System32 subfolder, so a csrss.exe sitting directly in the
Windows folder, or any Run value pointing at one, is a sign of infection.
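The following is an added triage script, not part of the original description and not F-Secure's disinfection tool. It parses a text dump of the Run key as produced by the Windows command `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (read the file with encoding "utf-16", which is what reg export writes) and flags both the exact value name given above and any csrss.exe that is not under System32. The sample dump is constructed: the "BagleAV" entry reproduces the value from the description with %WinDir% expanded to C:\WINDOWS, and the two benign entries are made up for contrast.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "key name exe reasons")

# Constructed sample of a `reg export` dump of the Run key. "BagleAV"
# reproduces the value from the description; "Updater" and "Legit" are
# made-up benign entries, not from the original page.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BagleAV"="C:\\WINDOWS\\csrss.exe"
"Updater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
"Legit"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# One "name"="data" line; .reg files escape backslash and double quote.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping (doubled backslashes, escaped double quotes)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Yield (key, value_name, string_data) for every REG_SZ value in a .reg dump."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if m and key is not None:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def command_executable(data):
    """Return the program path from a Run value: the quoted part, or the first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def triage_run_keys(text):
    """Flag Run entries matching the NetSky.AB installation described above.

    Two independent checks: the exact value name "BagleAV", and any program
    called csrss.exe whose parent folder is not System32 (the legitimate
    csrss.exe lives in the System32 folder).
    """
    findings = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        exe = command_executable(data)
        parts = exe.lower().replace("/", "\\").split("\\")
        basename = parts[-1]
        parent = parts[-2] if len(parts) > 1 else ""
        reasons = []
        if name.lower() == "bagleav":
            reasons.append("value name BagleAV used by NetSky.AB")
        if basename == "csrss.exe" and parent != "system32":
            reasons.append("csrss.exe outside System32")
        if reasons:
            findings.append(Finding(key, name, exe, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_run_keys(SAMPLE_REG_EXPORT):
        print("%s: %s  <- %s" % (f.name, f.exe, "; ".join(f.reasons)))
```

On a live host, replace SAMPLE_REG_EXPORT with the contents of the exported file; the path check is the more durable of the two, since a value name is trivial for a later variant to change while the file location is what the disinfection step has to find anyway.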
Email spreading
The worm scans all hard drives from C: to Z: to harvest e-mail
addresses. The worm looks for e-mail addresses in files with the
following extensions:
.eml
.txt
.php
.cfg
.mbx
.mdx
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.pl
.htm
.html
.sht
.oft
.msg
.ods
.stm
.xls
.jsp
.wsh
.xml
.mht
.mmf
.nch
.ppt
NetSky.AB ignores e-mail addresses that contain any of the following
substrings (these cover anti-virus vendors, abuse desks and similar
recipients, so that samples are less likely to reach them):
icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abuse
messagelabs
skynet
andasoftwa
freeav
sophos
antivir
iruslis
The worm composes e-mails with varying subject and body texts. The
subject is chosen from the following list:
Correction
Hurts
Privacy
Password
Criminal
Pictures
Text
Money
Stolen
Found
Numbers
Funny
Only love?
More samples
Picture
Letter
Question
Illegal
The worm uses one of the following text strings as body text for
an infected message:
Please use the font arial!
How can I help you?
Still?
I've your password. Take it easy!
Why do you show your body?
Hey, are you criminal?
Your pictures are good!
The text you sent to me is not so good!
True love letter?
Do you have no money?
Do you have asked me?
I've found your creditcard. Check the data!
Are your numbers correct?
You have no chance...
Wow! Why are you so shy?
Do you have more samples?
Do you have more photos about you?
Do you have written the letter?
Does it hurt you?
Please do not sent me your illegal stuff again!!!
NetSky.AB attaches its executable file to the e-mails it sends out. All
attachment names use the .pif extension, which Windows treats as an
executable, so opening the attachment runs the worm. The name is
selected from the following variants:
corrected_doc.pif
hurts.pif
document1.pif
passwords02.pif
image034.pif
myabuselist.pif
your_picture01.pif
your_text01.pif
your_letter.pif
your_bill.pif
my_stolen_document.pif
visa_data.pif
pin_tel.pif
your_text.pif
loveletter02.pif
all_pictures.pif
your_letter_03.pif
your_picture.pif
abuses.pif
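The following is an added mail-gateway check, not part of the original description and not F-Secure's detection. It parses a raw RFC 822 message with Python's standard email module and reports which of the indicators listed above are present: a known subject, a known body text, a known or any .pif attachment name, and a PE attachment of exactly the 17920 bytes given for the worm's file. Two or more independent indicators are treated as a hit, so a single coincidental subject line such as "Question" is not enough on its own. The sample messages are constructed here, not real captures.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicator lists transcribed from the description above.
SUBJECTS = {
    "Correction", "Hurts", "Privacy", "Password", "Criminal", "Pictures",
    "Text", "Money", "Stolen", "Found", "Numbers", "Funny", "Only love?",
    "More samples", "Picture", "Letter", "Question", "Illegal",
}
BODIES = {
    "Please use the font arial!", "How can I help you?", "Still?",
    "I've your password. Take it easy!", "Why do you show your body?",
    "Hey, are you criminal?", "Your pictures are good!",
    "The text you sent to me is not so good!", "True love letter?",
    "Do you have no money?", "Do you have asked me?",
    "I've found your creditcard. Check the data!", "Are your numbers correct?",
    "You have no chance...", "Wow! Why are you so shy?",
    "Do you have more samples?", "Do you have more photos about you?",
    "Do you have written the letter?", "Does it hurt you?",
    "Please do not sent me your illegal stuff again!!!",
}
ATTACHMENTS = {
    "corrected_doc.pif", "hurts.pif", "document1.pif", "passwords02.pif",
    "image034.pif", "myabuselist.pif", "your_picture01.pif", "your_text01.pif",
    "your_letter.pif", "your_bill.pif", "my_stolen_document.pif", "visa_data.pif",
    "pin_tel.pif", "your_text.pif", "loveletter02.pif", "all_pictures.pif",
    "your_letter_03.pif", "your_picture.pif", "abuses.pif",
}
WORM_SIZE = 17920  # packed PE size given in the description


def indicators(raw_message):
    """Return the list of NetSky.AB indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    subject = (msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        found.append("known subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() in BODIES:
        found.append("known body text")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name in ATTACHMENTS:
            found.append("known attachment name: " + name)
        elif name.endswith(".pif"):
            found.append("executable .pif attachment: " + name)
        if data[:2] == b"MZ" and len(data) == WORM_SIZE:
            found.append("PE attachment of exactly %d bytes" % WORM_SIZE)
    return found


def is_netsky_ab_like(raw_message):
    """Two or more independent indicators: quarantine rather than deliver."""
    return len(indicators(raw_message)) >= 2


def build_sample(subject, body, filename, payload):
    """Constructed test message (not a real capture) in the shape described above."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    fake_worm = b"MZ" + b"\x00" * (WORM_SIZE - 2)  # constructed stand-in, not the worm
    sample = build_sample("Password", "I've your password. Take it easy!",
                          "passwords02.pif", fake_worm)
    print(indicators(sample), is_netsky_ab_like(sample))
```

The size check is the weakest indicator on its own, since any 17920-byte executable matches it; it is included because combined with a .pif name it is cheap and specific to this sample. A gateway that already blocks .pif attachments outright does not need the name lists at all.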
Detection of NetSky.AB worm was published on April 28th, 2004 in
the following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2004-04-28_01
Technical Details:
Ero Carrera & Alexey Podrezov, April 28th, 2004;
Description Updated:
Alexey Podrezov, April 29th, 2004;
F-Secure Corporation