Threat Description



Category: Malware
Type: Email-Worm
Platform: W32
Aliases: NetSky.AB, W32/NetSky.AB@mm


The NetSky.AB worm was found on April 28th, 2004. This variant shares nearly 98% of its functionality with NetSky.AA.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Technical Details

The worm's file is a packed PE executable 17920 bytes long.

Installation to system

Upon execution, NetSky.AB copies itself as 'csrss.exe' to the Windows folder and adds a startup key for this file to the System Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BagleAV" = "%WinDir%\csrss.exe"

where %WinDir% represents the Windows folder name.

Email Spreading

The worm scans all hard drives from C: to Z: to harvest e-mail addresses. The worm looks for e-mail addresses in files with the following extensions:

.eml  .txt  .php  .cfg  .mbx  .mdx  .asp  .wab  .doc  .vbs  .rtf  .uin  .shtm  .cgi  .dhtm  .adb  .tbb  .dbx  .pl  .htm  .html  .sht  .oft  .msg  .ods  .stm  .xls  .jsp  .wsh  .xml  .mht  .mmf  .nch  .ppt  

The NetSky.AB worm ignores e-mail addresses that contain any of the following strings:

icrosoft  antivi  ymantec  spam  avp  f-secur  itdefender  orman  cafee  aspersky  f-pro  orton  fbi  abuse  messagelabs  skynet  andasoftwa  freeav  sophos  antivir  iruslis  

The worm composes e-mails with different subject and body texts. Here is the list of subject texts that the worm uses:

Correction
Hurts
Privacy
Password
Criminal
Pictures
Text
Money
Stolen
Found
Numbers
Funny
Only love?
More samples
Picture
Letter
Question
Illegal

The worm uses one of the following text strings as body text for an infected message:

Please use the font arial!
How can I help you?
Still?
I've your password. Take it easy!
Why do you show your body?
Hey, are you criminal?
Your pictures are good!
The text you sent to me is not so good!
True love letter?
Do you have no money?
Do you have asked me?
I've found your creditcard. Check the data!
Are your numbers correct?
You have no chance...
Wow! Why are you so shy?
Do you have more samples?
Do you have more photos about you?
Do you have written the letter?
Does it hurt you?
Please do not sent me your illegal stuff again!!!

NetSky.AB attaches its executable file to the e-mails that it sends out. The attachment name is selected from the following variants:

corrected_doc.pif  hurts.pif  document1.pif  passwords02.pif  image034.pif  myabuselist.pif  your_picture01.pif  your_text01.pif  your_letter.pif  your_bill.pif  my_stolen_document.pif  visa_data.pif  pin_tel.pif  your_text.pif  loveletter02.pif  all_pictures.pif  your_letter_03.pif  your_picture.pif  abuses.pif  
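The subject and attachment lists above can be turned into a simple mail triage check. The following is an added example, not F-Secure's detection logic: the function names, the quarantine policy in is_suspect and the two sample messages are assumptions constructed for illustration.

```python
from email import message_from_string

# Indicator lists copied from the description above.
SUBJECTS = {
    "Correction", "Hurts", "Privacy", "Password", "Criminal", "Pictures",
    "Text", "Money", "Stolen", "Found", "Numbers", "Funny", "Only love?",
    "More samples", "Picture", "Letter", "Question", "Illegal",
}
ATTACHMENTS = {
    "corrected_doc.pif", "hurts.pif", "document1.pif", "passwords02.pif",
    "image034.pif", "myabuselist.pif", "your_picture01.pif", "your_text01.pif",
    "your_letter.pif", "your_bill.pif", "my_stolen_document.pif",
    "visa_data.pif", "pin_tel.pif", "your_text.pif", "loveletter02.pif",
    "all_pictures.pif", "your_letter_03.pif", "your_picture.pif", "abuses.pif",
}

def netsky_ab_indicators(raw_message):
    """Return the sorted indicator types matched by a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = set()
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.add("attachment-name")
        elif name.endswith(".pif"):
            hits.add("other-pif")  # unlisted name, same executable file type
    return sorted(hits)

def is_suspect(raw_message):
    # Assumed policy: the subjects are ordinary words ("Question", "Text"),
    # so a subject match counts only when a .pif attachment is also present.
    hits = netsky_ab_indicators(raw_message)
    return "attachment-name" in hits or ("subject" in hits and "other-pif" in hits)

# Constructed sample messages (not captured traffic).
INFECTED = "\n".join([
    "From: sender@example.com", "To: user@example.com", "Subject: Password",
    "MIME-Version: 1.0", 'Content-Type: multipart/mixed; boundary="b1"', "",
    "--b1", "Content-Type: text/plain", "", "I've your password. Take it easy!",
    "--b1", "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="passwords02.pif"', "",
    "(constructed placeholder, no payload)", "--b1--", ""])
BENIGN = "From: a@example.com\nSubject: Question\n\nAre we meeting at 10?\n"

if __name__ == "__main__":
    print(netsky_ab_indicators(INFECTED), is_suspect(INFECTED))
    print(netsky_ab_indicators(BENIGN), is_suspect(BENIGN))
```

A subject match alone is reported as an indicator but does not flag the message, which keeps ordinary mail with subjects such as "Question" out of quarantine.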

