Home > Threat descriptions >

Worm:W32/NetSky.AB

Classification

Category: Malware

Type: Email-Worm

Aliases: NetSky.AB, W32/NetSky.AB@mm

Summary


NetSky.AB worm was found on April 28th, 2004. This variant shares nearly 98% of its functionality with NetSky.AA.

Removal


Automatic action

Once detected, the F-Secure security product will automatically handle a harmful program or file by either deleting or renaming it.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


The worm's file is a packed PE executable 17920 bytes long.

Installation to system

Upon execution NetSky.AB copies itself as 'csrss.exe' file to Windows folder and adds a startup key for this file into System Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BagleAV" = "%WinDir%\csrss.exe"

where %WinDir% represents Windows folder name.

Email Spreading

The worm scans all hard drives from C: to Z: to harvest email addresses. The worm looks for email addresses in files with the following extensions:

.eml
.txt
.php
.cfg
.mbx
.mdx
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.pl
.htm
.html
.sht
.oft
.msg
.ods
.stm
.xls
.jsp
.wsh
.xml
.mht
.mmf
.nch
.ppt

Netsky.AB worm ignores email addresses that contain any of the following strings:

icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abuse
messagelabs
skynet
andasoftwa
freeav
sophos
antivir
iruslis

The worm composes emails with different subject and body texts. Here is the list of subject texts that the worm uses:

Correction
Hurts
Privacy
Password
Criminal
Pictures
Text
Money
Stolen
Found
Numbers
Funny
Only love?
More samples
Picture
Letter
Question
Illegal

The worm uses one of the following text strings as body text for an infected message:

Please use the font arial!
How can I help you?
Still?
I've your password. Take it easy!
Why do you show your body?
Hey, are you criminal?
Your pictures are good!
The text you sent to me is not so good!
True love letter?
Do you have no money?
Do you have asked me?
I've found your creditcard. Check the data!
Are your numbers correct?
You have no chance...
Wow! Why are you so shy?
Do you have more samples?
Do you have more photos about you?
Do you have written the letter?
Does it hurt you?
Please do not sent me your illegal stuff again!!!

Netsky.AB attaches its executable file to emails that it sends out. The attachment name is selected from the following variants:

corrected_doc.pif
hurts.pif
document1.pif
passwords02.pif
image034.pif
myabuselist.pif
your_picture01.pif
your_text01.pif
your_letter.pif
your_bill.pif
my_stolen_document.pif
visa_data.pif
pin_tel.pif
your_text.pif
loveletter02.pif
all_pictures.pif
your_letter_03.pif
your_picture.pif
abuses.pif