W32.Netsky.AB@mm


Discovered: April 28, 2004
Updated: April 28, 2004 6:00:23 PM
Systems Affected: Windows

W32.Netsky.AB@mm is a mass-mailing worm that sends itself to email addresses it gathers from files on all non-CD-ROM drives of the infected system.

W32.Netsky.AB@mm is a mass-mailing worm that uses its own SMTP engine to send itself to all email addresses it gathers from files with the following extensions:

.ppt
.nch
.mmf
.mht
.xml
.wsh
.jsp
.xls
.stm
.ods
.msg
.oft
.sht
.html
.htm
.pl
.dbx
.tbb
.adb
.dhtm
.cgi
.shtm
.uin
.rtf
.vbs
.doc
.wab
.asp
.mdx
.mbx
.cfg
.php
.txt
.eml

The worm will not send its message to email addresses containing any of the following strings:

iruslis
antivir
sophos
freeav
andasoftwa
skynet
messagelabs
abuse
fbi
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
avp
spam
ymantec
antivi
icrosoft
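The two lists above define the recipient set an infected host actually mails: every address found in a file with a listed extension, minus any address that contains one of the skip strings. Note that the skip strings are substrings, which is why entries such as "orton", "ymantec" and "icrosoft" are truncated: they catch both capitalised and lower-case forms without needing the first letter. The following script, added here as an example and not part of the original writeup, reproduces that selection over a directory tree so that an incident responder can estimate which addresses a compromised host would have spammed. The sample files it creates are constructed for the demo, and case-insensitive matching of the skip strings is an assumption (the writeup does not say how the worm compares them).

```python
import os
import re
import tempfile

# File extensions the worm reads when harvesting addresses (from the writeup).
HARVEST_EXTENSIONS = {
    ".ppt", ".nch", ".mmf", ".mht", ".xml", ".wsh", ".jsp", ".xls", ".stm",
    ".ods", ".msg", ".oft", ".sht", ".html", ".htm", ".pl", ".dbx", ".tbb",
    ".adb", ".dhtm", ".cgi", ".shtm", ".uin", ".rtf", ".vbs", ".doc", ".wab",
    ".asp", ".mdx", ".mbx", ".cfg", ".php", ".txt", ".eml",
}

# Substrings that make the worm skip an address (from the writeup).
SKIP_SUBSTRINGS = [
    "iruslis", "antivir", "sophos", "freeav", "andasoftwa", "skynet",
    "messagelabs", "abuse", "fbi", "orton", "f-pro", "aspersky", "cafee",
    "orman", "itdefender", "f-secur", "avp", "spam", "ymantec", "antivi",
    "icrosoft",
]

# A deliberately simple address pattern; good enough for scoping, not for RFC validation.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_skipped(address: str) -> bool:
    """True if the worm would refuse to mail this address.

    Assumption: the comparison is case-insensitive (not stated in the writeup).
    """
    lowered = address.lower()
    return any(s in lowered for s in SKIP_SUBSTRINGS)


def harvest(root: str) -> dict:
    """Walk root the way the worm does and return {address: [files it came from]}.

    Files are read as latin-1 with replacement so binary content cannot raise.
    Addresses matching a skip string are dropped, so the result is the set of
    recipients an infected host would actually have mailed.
    """
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in HARVEST_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="latin-1", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for addr in set(ADDRESS_RE.findall(text)):
                if is_skipped(addr):
                    continue
                found.setdefault(addr.lower(), []).append(path)
    return found


def demo() -> dict:
    """Build a constructed sample tree and return {address: number_of_files}."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample content, not from any real host
            "notes.txt": "contact alice@example.com or abuse@example.net",
            "page.html": "<a href=mailto:Bob@Example.org>mail</a> support@symantec.com",
            "image.jpg": "carol@example.com",  # .jpg is not on the harvest list
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="latin-1") as fh:
                fh.write(body)
        return {addr: len(paths) for addr, paths in harvest(root).items()}


if __name__ == "__main__":
    for address, count in sorted(demo().items()):
        print(f"{address}  (seen in {count} file(s))")
```

In the demo only alice@example.com and bob@example.org survive: abuse@example.net is dropped by "abuse", support@symantec.com by "ymantec", and carol@example.com is never read because .jpg is not harvested. Point harvest() at a mounted image of the infected drive to scope outbound mail for notification.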

The worm uses the system's default DNS server to look up the mail server for each recipient's domain.

For example, for the address someone@hostname.com it attempts to resolve the mail server for hostname.com. If that lookup fails, it falls back to one of the following hard-coded DNS servers:

212.44.160.8
195.185.185.195
151.189.13.35
213.191.74.19
193.189.244.205
145.253.2.171
193.141.40.42
193.193.144.12
217.5.97.137
195.20.224.234
194.25.2.130
194.25.2.129
212.185.252.136
212.185.253.70
212.185.252.73
62.155.255.16
194.25.2.134
194.25.2.133
194.25.2.132
194.25.2.131
193.193.158.10
212.7.128.165
212.7.128.162


The email has the following characteristics:

From: [spoofed]

Subject contains one of the following strings:

Correction
Hurts
Privacy
Password
Wow
Criminal
Pictures
Text
Money
Stolen
Found
Numbers
Funny
Only love?
More samples
Picture
Letter
Question
Illegal

The message body is one of the following:

Please use the font arial!
How can I help you?
Still?
I've your password. Take it easy!
Why do you show your body?
Hey, are you criminal?
Your pictures are good!
The text you sent to me is not so good!
True love letter?
Do you have no money?
Do you have asked me?
I've found your creditcard. Check the data!
Are your numbers correct?
You have no chance...
Wow! Why are you so shy?
Do you have more samples?
Do you have more photos about you?
Do you have written the letter?
Does it hurt you?
Please do not sent me your illegal stuff again!!!

The attachment may use one of the following names:
corrected_doc.pif
hurts.pif
document1.pif
passwords02.pif
image034.pif
myabuselist.pif
your_picture01.pif
your_text01.pif
your_letter.pif
your_bill.pif
my_stolen_document.pif
visa_data.pif
pin_tel.pif
your_text.pif
loveletter02.pif
all_pictures.pif
your_letter_03.pif
your_picture.pif
abuses.pif
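Because the subject, body and attachment name are each drawn from a short fixed list, and every attachment is a .pif file, a mail gateway can flag this variant with a simple rule. The following Python function is an added example, not part of the original writeup: it parses a raw message with the standard library, checks each field against the lists above, and returns a verdict. The sample message is constructed for the demo and its attachment payload is a harmless placeholder string, not worm code.

```python
from email import message_from_string

# Fixed strings the worm chooses from (copied from the writeup).
SUBJECTS = {
    "Correction", "Hurts", "Privacy", "Password", "Wow", "Criminal", "Pictures",
    "Text", "Money", "Stolen", "Found", "Numbers", "Funny", "Only love?",
    "More samples", "Picture", "Letter", "Question", "Illegal",
}
BODIES = {
    "Please use the font arial!", "How can I help you?", "Still?",
    "I've your password. Take it easy!", "Why do you show your body?",
    "Hey, are you criminal?", "Your pictures are good!",
    "The text you sent to me is not so good!", "True love letter?",
    "Do you have no money?", "Do you have asked me?",
    "I've found your creditcard. Check the data!", "Are your numbers correct?",
    "You have no chance...", "Wow! Why are you so shy?", "Do you have more samples?",
    "Do you have more photos about you?", "Do you have written the letter?",
    "Does it hurt you?", "Please do not sent me your illegal stuff again!!!",
}
ATTACHMENTS = {
    "corrected_doc.pif", "hurts.pif", "document1.pif", "passwords02.pif",
    "image034.pif", "myabuselist.pif", "your_picture01.pif", "your_text01.pif",
    "your_letter.pif", "your_bill.pif", "my_stolen_document.pif", "visa_data.pif",
    "pin_tel.pif", "your_text.pif", "loveletter02.pif", "all_pictures.pif",
    "your_letter_03.pif", "your_picture.pif", "abuses.pif",
}


def classify(raw_message: str) -> dict:
    """Return which Netsky.AB traits a message shows, plus a verdict string."""
    msg = message_from_string(raw_message)
    hits = {
        "subject": (msg.get("Subject") or "").strip() in SUBJECTS,
        "body": False,
        "attachment_listed": False,
        "pif": False,
    }
    for part in msg.walk():
        filename = (part.get_filename() or "").strip().lower()
        if filename:
            hits["attachment_listed"] |= filename in ATTACHMENTS
            hits["pif"] |= filename.endswith(".pif")
            continue
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            hits["body"] |= payload.decode("latin-1").strip() in BODIES

    if hits["attachment_listed"] and (hits["subject"] or hits["body"]):
        hits["verdict"] = "W32.Netsky.AB@mm"
    elif hits["pif"]:
        # Not this exact variant, but a .pif attachment has no business in mail.
        hits["verdict"] = "quarantine: .pif attachment"
    else:
        hits["verdict"] = "clean"
    return hits


# Constructed sample message; the base64 payload decodes to a plain text
# placeholder, not to the worm.
SAMPLE = """From: someone@example.com
To: victim@example.net
Subject: Password
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain; charset=us-ascii

I've your password. Take it easy!
--bnd
Content-Type: application/octet-stream; name="passwords02.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="passwords02.pif"

Tm90IHRoZSB3b3JtLCBqdXN0IGEgcGxhY2Vob2xkZXI=
--bnd--
"""

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Requiring a listed attachment name plus a listed subject or body keeps the rule specific to this variant; the .pif fallback is the broader policy most sites would apply anyway, since the whole Netsky family relied on executable attachments.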

When the attachment is executed, the worm copies itself to the following location:
%Windir%\csrss.exe

The name is chosen to blend in with the legitimate Client/Server Runtime process, but the genuine csrss.exe lives in %Windir%\System32; a csrss.exe directly under %Windir% is the worm's copy.

It then creates the following registry entry so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BagleAV = %Windir%\csrss.exe

It may delete the following registry entries, which are created by other worms:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drvsys.exe = %Windir%\drvsys.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssgrate.exe= %Windir%\ssgrate.exe


It creates the following mutex so that only one instance of the worm executes at once:
"S-k-y-n-e-t--A-n-t-i-v-i-r-u-s-T-e-a-m"
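The dropped file, the Run value and the mutex above are the host-side indicators for this variant. The script below, an added example that is not part of the original writeup, separates the decision logic (evaluate) from collection so the checks can be exercised on constructed data, and includes a collector that reads the live registry, filesystem and mutex namespace on a Windows host. Treat the presence of the drvsys.exe or ssgrate.exe Run values as a sign of related malware rather than of Netsky.AB itself, since the worm deletes them; the Windows API calls used (winreg, OpenMutexW) are standard, but which namespace the worm created its mutex in is not stated in the writeup, so the mutex check assumes the default (session-local) namespace.

```python
import os
import sys
import ctypes

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_RUN_VALUE = "BagleAV"
WORM_MUTEX = "S-k-y-n-e-t--A-n-t-i-v-i-r-u-s-T-e-a-m"
# Run values the worm deletes (created by other worms). Their presence is not a
# Netsky.AB indicator, but it shows the host has seen related malware.
COMPETITOR_RUN_VALUES = {"drvsys.exe", "ssgrate.exe"}


def evaluate(windir, file_exists, hklm_run, hkcu_run, mutex_present):
    """Return a list of indicator strings found.

    windir        -- value of %Windir%, e.g. C:\\WINDOWS
    file_exists   -- callable(path) -> bool
    hklm_run      -- {value_name: data} from HKLM\\...\\Run
    hkcu_run      -- {value_name: data} from HKCU\\...\\Run
    mutex_present -- whether the worm's mutex can be opened
    """
    findings = []
    # Built with a backslash rather than os.path.join so the logic is the same
    # when evaluated on a non-Windows analysis box.
    worm_path = windir.rstrip("\\") + "\\csrss.exe"
    # The genuine csrss.exe is in %Windir%\System32; a copy directly under
    # %Windir% is the worm's drop location.
    if file_exists(worm_path):
        findings.append(f"file: {worm_path}")
    if WORM_RUN_VALUE in hklm_run:
        findings.append(f"run value: HKLM\\{RUN_KEY}\\{WORM_RUN_VALUE} = {hklm_run[WORM_RUN_VALUE]}")
    for name in sorted(COMPETITOR_RUN_VALUES & set(hkcu_run)):
        findings.append(f"related malware run value: HKCU\\{RUN_KEY}\\{name} = {hkcu_run[name]}")
    if mutex_present:
        findings.append(f"mutex: {WORM_MUTEX}")
    return findings


def collect_live():
    """Gather the inputs from the running system and evaluate them (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; use evaluate() with offline data")
    import winreg

    def read_run(hive):
        values = {}
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                index = 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    values[name] = data
                    index += 1
        except OSError:  # key missing or access denied
            pass
        return values

    kernel32 = ctypes.windll.kernel32
    SYNCHRONIZE = 0x00100000
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, WORM_MUTEX)
    mutex_present = bool(handle)
    if handle:
        kernel32.CloseHandle(handle)

    return evaluate(
        os.environ.get("WINDIR", r"C:\Windows"),
        os.path.exists,
        read_run(winreg.HKEY_LOCAL_MACHINE),
        read_run(winreg.HKEY_CURRENT_USER),
        mutex_present,
    )


if __name__ == "__main__":
    for line in collect_live():
        print(line)
```

Because the mutex only exists while the worm process is running, an empty mutex check on a host that still has the file and Run value means the worm is installed but not currently active (for example, after a reboot into a state where the Run value was not yet processed); the file and registry indicators are the durable ones.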