
Virus Detail

Win32.Netsky.AB

Date Published:
28 Apr 2004

Last Updated:
28 Apr 2004

Threat Assessment

Overall Risk:   Low
Wild:  Low
Destructiveness:  Low
Pervasiveness:  High

Characteristics

Type : Worm

Category : Win32

Also known as:  W32/Netsky.ab@MM

Immediate Protection Info

Signature     Product                                        Removal Instructions
23.64.88      eTrust Antivirus v7/8* (InoculateIT Engine)
11.x/8302     eTrust Antivirus v7/8* (Vet Engine)
46.88         Inoculan/InoculateIT 4.x
10.5x/5417    Vet Anti-Virus 10.5x
10.6x/8302    Vet Anti-Virus 10.6x

Description

Win32.Netsky.AB is a worm that spreads via e-mail. It has been distributed as a 17,920-byte Win32 executable, packed with PECompact.


Method of Infection

When executed, Netsky.AB copies itself to:


%Windows%\csrss.exe


and modifies the registry to ensure that this copy is executed at each Windows start:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BagleAV = "%Windows%\csrss.exe"


Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default Windows directory is C:\Winnt on Windows 2000 and NT, and C:\Windows on Windows 95, 98, ME and XP.


The worm also creates a mutex called "S-k-y-n-e-t--A-n-t-i-v-i-r-u-s-T-e-a-m" to ensure only one copy of the worm is running on the system.



Method of Distribution

Via E-mail

Netsky.AB sends itself through e-mail using its own SMTP engine. It spoofs the 'From' address of the message by either inserting one of the e-mail addresses that it harvested from the affected machine or using the address xdfggra@yahoo.com.


In order to collect e-mail addresses to send itself to, the worm searches drives c: to z: (excluding CD-ROM drives) for files with the following extensions:


.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xls
.xml


The worm discards e-mail addresses containing the following strings:


abuse
andasoftwa
antivir
antivi
aspersky
avp
cafee
f-pro
f-secur
fbi
freeav
icrosoft
iruslis
itdefender
messagelabs
orman
orton
skynet
sophos
spam
ymantec



Messages produced by Netsky.AB consist of one of the following combinations:


  • Subject: Illegal
    Body: Please do not sent me your illegal stuff again!!!
    Attachment: abuses.pif
  • Subject: Question
    Body: Does it hurt you?
    Attachment: your_picture.pif
  • Subject: Letter
    Body: Do you have written the letter?
    Attachment: your_letter_03.pif
  • Subject: Picture
    Body: Do you have more photos about you?
    Attachment: all_pictures.pif
  • Subject: More samples
    Body: Do you have more samples?
    Attachment: your_picture.pif
  • Subject: Only love?
    Body: Wow! Why are you so shy?
    Attachment: loveletter02.pif
  • Subject: Funny
    Body: You have no chance...
    Attachment: your_text.pif
  • Subject: Numbers
    Body: Are your numbers correct?
    Attachment: pin_tel.pif
  • Subject: Found
    Body: I've found your creditcard. Check the data!
    Attachment: visa_data.pif
  • Subject: Stolen
    Body: Do you have asked me?
    Attachment: my_stolen_document.pif
  • Subject: Money
    Body: Do you have no money?
    Attachment: your_bill.pif
  • Subject: Letter
    Body: True love letter?
    Attachment: your_letter.pif
  • Subject: Text
    Body: The text you sent to me is not so good!
    Attachment: your_text01.pif
  • Subject: Pictures
    Body: Your pictures are good!
    Attachment: your_picture01.pif
  • Subject: Criminal
    Body: Hey, are you criminal?
    Attachment: myabuselist.pif
  • Subject: Wow
    Body: Why do you show your body?
    Attachment: image034.pif
  • Subject: Password
    Body: I've your password. Take it easy!
    Attachment: passwords02.pif
  • Subject: Privacy
    Body: Still?
    Attachment: document1.pif
  • Subject: Hurts
    Body: How can I help you?
    Attachment: hurts.pif
  • Subject: Correction
    Body: Please use the font arial!
    Attachment: corrected_doc.pif
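The fixed subject/attachment pairs and the hard-coded fallback sender above make a usable mail-gateway triage rule. The following is an added example written for this page, not CA's code: it parses a raw message, matches it against the advisory's lure list, and also flags any .pif attachment and the xdfggra@yahoo.com sender. The helper build_sample constructs test messages; they are not real captures.

```python
"""Mail-gateway triage rule for Win32.Netsky.AB, derived from the lure list
and the spoofed sender in the advisory above.  Added example, not CA's code;
the sample messages are constructed here and are not real captures."""
import email
from email import policy
from email.message import EmailMessage

# (subject, attachment) pairs exactly as the advisory lists them
NETSKY_AB_LURES = {
    ("Illegal", "abuses.pif"), ("Question", "your_picture.pif"),
    ("Letter", "your_letter_03.pif"), ("Picture", "all_pictures.pif"),
    ("More samples", "your_picture.pif"), ("Only love?", "loveletter02.pif"),
    ("Funny", "your_text.pif"), ("Numbers", "pin_tel.pif"),
    ("Found", "visa_data.pif"), ("Stolen", "my_stolen_document.pif"),
    ("Money", "your_bill.pif"), ("Letter", "your_letter.pif"),
    ("Text", "your_text01.pif"), ("Pictures", "your_picture01.pif"),
    ("Criminal", "myabuselist.pif"), ("Wow", "image034.pif"),
    ("Password", "passwords02.pif"), ("Privacy", "document1.pif"),
    ("Hurts", "hurts.pif"), ("Correction", "corrected_doc.pif"),
}
SPOOFED_SENDER = "xdfggra@yahoo.com"   # hard-coded fallback From address


def classify(raw_message: str) -> list:
    """Return the reasons a message matches the Netsky.AB profile (empty = no match)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    sender = (msg["From"] or "").lower()
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if (subject, name) in NETSKY_AB_LURES:
            reasons.append(f"known lure: subject {subject!r} with {name!r}")
        elif name.lower().endswith(".pif"):
            # .pif is an executable type on Windows; flag it even without a lure match
            reasons.append(f"executable .pif attachment {name!r}")
    if SPOOFED_SENDER in sender:
        reasons.append(f"hard-coded spoofed sender {SPOOFED_SENDER}")
    return reasons


def build_sample(sender: str, subject: str, body: str, attachment: str) -> str:
    """Construct a raw message for testing (constructed input, not a real capture)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.org", subject
    msg.set_content(body)
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                       filename=attachment)
    return msg.as_string()
```

The rule keys on the exact pairs; a gateway that normalises subjects (whitespace, case) before matching should do the same to the lure table.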

Please see below for examples of e-mail generated by the worm: [screenshots of the example messages are not reproduced in this copy]

Payload

Modifies System Settings

Netsky.AB removes the following registry values, if present:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssgrate.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drvsys.exe


Analysis by Hamish O'Dea

