Effects
Netsky.AB deletes the Windows Registry entries belonging to earlier variants of the Bagle worm, so that Bagle no longer starts with Windows on an infected computer.
Means of infection
Netsky.AB creates the file CSRSS.EXE in the Windows directory. This file is a copy of the worm. The name is chosen to blend in: the legitimate csrss.exe (Client/Server Runtime Subsystem) lives in %windir%\System32 and is started by the system, never from a Run key, so a csrss.exe in the Windows directory itself, launched from Run, is the worm.

Netsky.AB creates the following entry in the Windows Registry:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  BagleAV = %windir%\csrss.exe

where %windir% is the Windows directory. By creating this entry, Netsky.AB ensures it is run whenever Windows is started.

Netsky.AB deletes the following entries from the Windows Registry, if they exist:

- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  ssgrate.exe
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  drvsys.exe

These two entries belong to previous variants of the worm Bagle.
Means of transmission
Netsky.AB spreads via e-mail. In order to do so, it follows the routine below:

- It reaches the computer in a message with variable characteristics. Subjects, message texts and attachment names are reproduced here exactly as the worm uses them, including its spelling errors.

Sender: Netsky.AB spoofs the e-mail address from which it is sent. The sender shown in the message is therefore not the infected computer, which may cause confusion.

Subject: one of the following:
Correction, Criminal, Found, Funny, Hurts, Illegal, Letter, Money, More samples, Numbers, Only love?, Password, Picture, Pictures, Privacy, Question, Stolen, Text, Wow

Message: any of the following:
- Are your numbers correct?
- Do you have asked me?
- Do you have more photos about you?
- Do you have more samples?
- Do you have no money?
- Do you have written the letter?
- Does it hurt you?
- Hey, are you criminal?
- How can I help you?
- I've found your creditcard. Check the data!
- I've your password. Take it easy!
- Please do not sent me your illegal stuff again!!!
- Please use the font arial!
- Still?
- The text you sent to me is not so good!
- True love letter?
- Why do you show your body?
- Wow! Why are you so shy?
- You have no chance...
- Your pictures are good!

Attachments: any of the following:
ABUSES.PIF, ALL_PICTURES.PIF, CORRECTED_DOC.PIF, DOCUMENT1.PIF, HURTS.PIF, IMAGE034.PIF, LOVELETTER02.PIF, MY_STOLEN_DOCUMENT.PIF, MYABUSELIST.PIF, PASSWORDS02.PIF, PIN_TEL.PIF, VISA_DATA.PIF, YOUR_BILL.PIF, YOUR_LETTER.PIF, YOUR_LETTER_03.PIF, YOUR_PICTURE.PIF, YOUR_PICTURE01.PIF, YOUR_TEXT.PIF, YOUR_TEXT01.PIF

- The computer is affected when the attached file is run. A .PIF file is executable on Windows regardless of its name, so such attachments from outside senders are worth blocking outright.
- Netsky.AB searches for e-mail addresses in files with the following extensions:
ADB, ASP, CFG, CGI, DBX, DHTM, DOC, EML, HTM, HTML, JSP, MBX, MDX, MHT, MMF, MSG, NCH, ODS, OFT, PHP, PL, PPT, RTF, SHT, SHTM, STM, TBB, TXT, UIN, VBS, WAB, WSH, XLS and XML.
- It sends itself out to all the addresses it has gathered, using its own SMTP engine.
- However, Netsky.AB does not send itself to addresses that contain any of the following text strings:
abuse, andasoftwa, antivi, antivir, aspersky, avp, cafee, fbi, f-pro, freeav, f-secur, icrosoft, iruslis, itdefender, messagelabs, orman, orton, skynet, sophos, spam and ymantec.
Most of these are fragments of antivirus vendor and abuse-desk names with the first letter dropped (aspersky, icrosoft, ymantec), so they match whatever the capitalisation; the effect is that the worm avoids mailing samples of itself to security companies.
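Mail-side triage for the lure above, and the worm's own address-exclusion rule, as an added example that is not part of the original page and not any vendor's code. It uses Python's standard `email` package to parse a message and compares subject, body text and attachment names with the lists given on this page; the message it parses is constructed here (spoofed sender, a listed subject and body, a .PIF attachment of filler bytes, not worm code). The function names `netsky_ab_indicators`, `worm_would_target` and `build_sample_message` are the example's own.

```python
"""Mail-side triage for the Netsky.AB lure (added example, not the page's code)."""
import email
from email import policy
from email.message import EmailMessage

# Strings from the page, reproduced exactly as the worm sends them.
SUBJECTS = {
    "Correction", "Criminal", "Found", "Funny", "Hurts", "Illegal", "Letter",
    "Money", "More samples", "Numbers", "Only love?", "Password", "Picture",
    "Pictures", "Privacy", "Question", "Stolen", "Text", "Wow",
}
MESSAGES = {
    "Are your numbers correct?", "Do you have asked me?",
    "Do you have more photos about you?", "Do you have more samples?",
    "Do you have no money?", "Do you have written the letter?",
    "Does it hurt you?", "Hey, are you criminal?", "How can I help you?",
    "I've found your creditcard. Check the data!",
    "I've your password. Take it easy!",
    "Please do not sent me your illegal stuff again!!!",
    "Please use the font arial!", "Still?",
    "The text you sent to me is not so good!", "True love letter?",
    "Why do you show your body?", "Wow! Why are you so shy?",
    "You have no chance...", "Your pictures are good!",
}
ATTACHMENT_NAMES = {
    "ABUSES.PIF", "ALL_PICTURES.PIF", "CORRECTED_DOC.PIF", "DOCUMENT1.PIF",
    "HURTS.PIF", "IMAGE034.PIF", "LOVELETTER02.PIF", "MY_STOLEN_DOCUMENT.PIF",
    "MYABUSELIST.PIF", "PASSWORDS02.PIF", "PIN_TEL.PIF", "VISA_DATA.PIF",
    "YOUR_BILL.PIF", "YOUR_LETTER.PIF", "YOUR_LETTER_03.PIF",
    "YOUR_PICTURE.PIF", "YOUR_PICTURE01.PIF", "YOUR_TEXT.PIF", "YOUR_TEXT01.PIF",
}
# Addresses containing any of these substrings are skipped by the worm.
SKIP_SUBSTRINGS = (
    "abuse", "andasoftwa", "antivi", "antivir", "aspersky", "avp", "cafee",
    "fbi", "f-pro", "freeav", "f-secur", "icrosoft", "iruslis", "itdefender",
    "messagelabs", "orman", "orton", "skynet", "sophos", "spam", "ymantec",
)


def netsky_ab_indicators(raw: bytes) -> dict:
    """Score one RFC 822 message (bytes) against the lure characteristics."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    known, pif = [], []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if name.lower().endswith(".pif"):
            pif.append(name)          # executable type: worth blocking on its own
        if name.upper() in ATTACHMENT_NAMES:
            known.append(name)
    return {
        "subject_match": subject in SUBJECTS,
        "body_match": body in MESSAGES,
        "known_attachment": known,
        "pif_attachments": pif,
        # A listed attachment name together with a listed subject or body
        # text is the combination the page describes.
        "verdict": bool(known) and (subject in SUBJECTS or body in MESSAGES),
    }


def worm_would_target(address: str) -> bool:
    """The worm's exclusion rule: skip any address containing a listed fragment.

    Matching is case-insensitive; the fragments drop the vendor name's first
    letter (aspersky, icrosoft, ymantec) so capitalisation does not matter.
    """
    lowered = address.lower()
    return not any(fragment in lowered for fragment in SKIP_SUBSTRINGS)


def build_sample_message() -> bytes:
    """Constructed lure in the page's format; the attachment is filler bytes."""
    msg = EmailMessage()
    msg["From"] = "someone@example.org"   # spoofed: not the infected host
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Password"
    msg.set_content("I've your password. Take it easy!")
    msg.add_attachment(b"MZ" + b"\x00" * 14, maintype="application",
                       subtype="octet-stream", filename="PASSWORDS02.PIF")
    return msg.as_bytes()


if __name__ == "__main__":
    print(netsky_ab_indicators(build_sample_message()))
    for addr in ("alice@example.com", "samples@sophos.com", "help@Microsoft.com"):
        print(addr, "targeted" if worm_would_target(addr) else "skipped by the worm")
```

The verdict deliberately requires a listed attachment name plus a listed subject or body text; the `pif_attachments` field is reported separately because a gateway policy on executable attachment types catches this family and its relatives without depending on the exact strings.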
Other details
Netsky.AB is written in Visual C++ 6.0. The worm is 17,920 bytes in size and is compressed with PECompact. Netsky.AB creates the mutex S-k-y-n-e-t--A-n-t-i-v-i-r-u-s-T-e-a-m so that only one copy of the worm runs at a time; because the name is fixed, the presence of this mutex on a running system is a reliable marker of an active infection.
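Host-side triage for the persistence entry described under Means of infection and for the mutex described above, as an added example that is not part of the original page and not any vendor's code. The Run-key classification is pure logic over a value-name to command mapping, so it runs on any platform against the constructed sample entries; the live registry reader (`winreg`) and the mutex check (`OpenMutexW` from kernel32 via `ctypes`) only work on Windows and return an empty mapping or `None` elsewhere. The names `classify_run_entries`, `read_run_entries` and `mutex_present` are the example's own, and `C:\WINDOWS` as the default Windows directory is an assumption.

```python
"""Host-side triage for Netsky.AB persistence and mutex (added example)."""
import ctypes
import ntpath
import re
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MUTEX_NAME = "S-k-y-n-e-t--A-n-t-i-v-i-r-u-s-T-e-a-m"   # from the page


def _image_path(command: str, windir: str) -> str:
    """First token of a Run command line, with %windir% expanded (any case)."""
    cmd = re.sub(r"%windir%", lambda _: windir, command, flags=re.IGNORECASE).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        cmd = cmd[1:end] if end > 0 else cmd[1:]
    else:
        parts = cmd.split()
        cmd = parts[0] if parts else cmd
    return ntpath.normpath(cmd)


def classify_run_entries(entries: dict, windir: str = r"C:\WINDOWS") -> dict:
    """Return {value_name: [reasons]} for Run entries matching the page's indicators."""
    findings = {}
    system32 = ntpath.join(ntpath.normpath(windir), "system32").lower()
    for name, command in entries.items():
        reasons = []
        if name.lower() == "bagleav":
            reasons.append("Run value name 'BagleAV' used by Netsky.AB")
        image = _image_path(command, windir)
        if ntpath.basename(image).lower() == "csrss.exe":
            # The real Client/Server Runtime lives in System32 and is started by
            # the system, never from a Run key, so any such entry is suspicious.
            where = ("outside System32" if ntpath.dirname(image).lower() != system32
                     else "from System32")
            reasons.append(f"csrss.exe launched via Run key {where}: {image}")
        if reasons:
            findings[name] = reasons
    return findings


def read_run_entries(hive: str = "HKLM") -> dict:
    """Read the Run key on Windows; empty elsewhere (winreg is Windows-only)."""
    try:
        import winreg
    except ImportError:
        return {}
    root = winreg.HKEY_LOCAL_MACHINE if hive == "HKLM" else winreg.HKEY_CURRENT_USER
    entries, index = {}, 0
    with winreg.OpenKey(root, RUN_KEY) as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values
                break
            entries[name] = str(value)
            index += 1
    return entries


def mutex_present(name: str = MUTEX_NAME):
    """True/False whether the named mutex exists (Windows); None elsewhere."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.OpenMutexW.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p)
    k32.CloseHandle.argtypes = (ctypes.c_void_p,)
    SYNCHRONIZE = 0x00100000
    handle = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        k32.CloseHandle(handle)
        return True
    return ctypes.get_last_error() == 5   # ERROR_ACCESS_DENIED still proves it exists


SAMPLE_ENTRIES = {                       # constructed, as on an infected host
    "BagleAV": r"%windir%\csrss.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    live = read_run_entries("HKLM")
    print(classify_run_entries(live or SAMPLE_ENTRIES))
    print("mutex present:", mutex_present())
```

Run on the infected host the script reads HKLM's Run key directly; on an analyst workstation it falls back to the constructed entries. The mutex check treats an access-denied result as a positive, since a mutex you cannot open still exists, which matters when the worm runs under a different account than the triage script.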
Last updated:
April 28, 2004