W32/Netsky-AB

Discussion in 'malware problems & news' started by Marianna, Apr 28, 2004.

Thread Status:
Not open for further replies.
    Marianna
    Type
    Win32 worm

    Description
    W32/Netsky-AB is a mass-mailing worm that uses its own SMTP engine to
    email itself to addresses harvested from files on local drives.
    In order to run automatically when the user logs on to the computer, the worm
    copies itself to the file csrss.exe in the Windows folder and creates the
    following registry entry to point to it:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BagleAV

    The worm will delete registry entries under this key that point to files named
    drvsys.exe and ssgrate.exe. These are copies of files related to the Bagle
    family of worms that may have been dropped by previous infections.

    W32/Netsky-AB will gather information about infected systems in a log file
    called C:\Detlog.txt.

    Emails have the following characteristics:

    Subject lines chosen from:

    Correction
    Hurts
    Privacy
    Password
    Wow
    Criminal
    Pictures
    Text
    Money
    Stolen
    Found
    Numbers
    Funny
    Only love?
    More samples
    Picture
    Letter
    Question

    Message texts chosen from:

    Please use the font arial!
    How can I help you?
    Still?
    Ive your password. Take it easy!
    Why do you show your body?
    Hey, are you criminal?
    Your pictures are good!
    The text you sent to me is not so good!
    True love letter?
    Do you have no money?
    Do you have asked me?
    Ive found your creditcard. Check the data!
    Are your numbers correct?
    You have no chance...
    Wow! Why are you so shy?
    Do you have more samples?
    Do you have more photos about you?
    Do you have written the letter?
    Does it hurt you?
    Please do not sent me your illegal stuff again!!!

    Attached filename chosen from:

    corrected_doc.pif
    hurts.pif
    document1.pif
    passwords02.pif
    image034.pif
    myabuselist.pif
    your_picture01.pif
    your_text01.pif
    your_letter.pif
    your_bill.pif
    my_stolen_document.pif
    visa_data.pif
    pin_tel.pif
    your_text.pif
    loveletter02.pif
    all_pictures.pif
    your_letter_03.pif
    your_picture.pif
    abuses.pif

    W32/Netsky-AB will attempt to terminate antivirus-related processes whose
    filenames contain text taken from the following list:

    iruslis
    antivir
    sophos
    freeav
    andasoftwa
    skynet
    messagelabs
    aspersky
    itdefender
    f-secur
    ymantec
    antivi
    icrosoft

    W32/Netsky-AB will try to establish a connection with the following addresses:

    212.7.128.162
    212.7.128.165
    193.193.158.10
    194.25.2.131
    194.25.2.132
    194.25.2.133
    194.25.2.134
    62.155.255.16
    212.185.252.73
    212.185.253.70
    212.185.252.136
    194.25.2.129
    194.25.2.130
    195.20.224.234
    217.5.97.137
    194.25.1.129
    193.193.144.12
    193.141.40.42
    145.253.2.171
    193.189.244.205
    213.191.74.19
    151.189.13.35
    195.185.185.195
    212.44.160.8

    W32/Netsky-AB harvests email addresses from files with the following
    extensions:

    ppt,nch,mmf,mht,xml,wsh,jsp,xls,stm,ods,msg,oft,sht,html,htm,pl,dbx,tbb,adb,
    dhtm,cgi,shtm,uin,rtf,vbs,doc,wab,asp,mdx,mbx,cfg,php,txt,eml

    W32/Netsky-AB contains the text 'Hey Bagle, feel our revenge!'.

    http://www.sophos.com/virusinfo/analyses/w32netskyab.html
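Triage helpers built from the indicators in the Sophos write-up quoted above: the Run\BagleAV persistence value (csrss.exe in the Windows folder rather than the legitimate %SystemRoot%\System32 copy), the subject and attachment lists, and the substring list the worm uses to pick antivirus processes to kill. This is an added example and not Sophos's or the forum poster's code; the .reg export and the e-mail it parses are constructed samples, and the function names are my own.

```python
"""Offline triage for W32/Netsky-AB indicators (added example, not Sophos code).

Inputs are a text .reg export (as written by `reg export`) and a raw RFC 822
message, so the checks run on collected artefacts without touching a live host.
"""
import re
from email import message_from_string

# Indicators copied from the analysis above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "BagleAV"
SUBJECTS = {
    "Correction", "Hurts", "Privacy", "Password", "Wow", "Criminal", "Pictures",
    "Text", "Money", "Stolen", "Found", "Numbers", "Funny", "Only love?",
    "More samples", "Picture", "Letter", "Question",
}
ATTACHMENTS = {
    "corrected_doc.pif", "hurts.pif", "document1.pif", "passwords02.pif",
    "image034.pif", "myabuselist.pif", "your_picture01.pif", "your_text01.pif",
    "your_letter.pif", "your_bill.pif", "my_stolen_document.pif", "visa_data.pif",
    "pin_tel.pif", "your_text.pif", "loveletter02.pif", "all_pictures.pif",
    "your_letter_03.pif", "your_picture.pif", "abuses.pif",
}
AV_SUBSTRINGS = [
    "iruslis", "antivir", "sophos", "freeav", "andasoftwa", "skynet",
    "messagelabs", "aspersky", "itdefender", "f-secur", "ymantec", "antivi",
    "icrosoft",
]

# Constructed sample: a .reg export of the Run key from an infected host.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"BagleAV"="C:\\WINDOWS\\csrss.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Constructed sample: one of the worm's messages (subject, text and attachment
# all taken from the lists above; the attachment body is a placeholder).
SAMPLE_MAIL = """From: someone@example.com
To: victim@example.com
Subject: Password
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xyz"

--xyz
Content-Type: text/plain

Ive your password. Take it easy!
--xyz
Content-Type: application/octet-stream; name="passwords02.pif"
Content-Disposition: attachment; filename="passwords02.pif"

AAAA
--xyz--
"""

_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def run_key_findings(reg_export: str) -> list[str]:
    """Report Run values that match the worm's persistence: the BagleAV value,
    or any csrss.exe launched from outside System32 (the real one lives there
    and is started by the system, never from the Run key)."""
    findings, current_key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        m = _REG_VALUE.match(line)
        if not m:
            continue
        name, path = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        base = path.rsplit("\\", 1)[-1].lower()
        if name == RUN_VALUE or (base == "csrss.exe" and "\\system32\\" not in path.lower()):
            findings.append(f"Run\\{name} -> {path}")
    return findings


def mail_findings(raw_message: str) -> list[str]:
    """Match a raw message against the subject and attachment lists. Subjects
    such as 'Question' are common in legitimate mail, so treat a subject hit as
    supporting evidence and an attachment hit as the decisive one."""
    msg = message_from_string(raw_message)
    findings = []
    subject = (msg.get("Subject") or "").strip()
    if subject in SUBJECTS:
        findings.append(f"subject matches list: {subject!r}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() in ATTACHMENTS:
            findings.append(f"attachment matches list: {name}")
    return findings


def targeted_by_process_killer(process_name: str) -> bool:
    """True if the worm's substring list would match this process image name.
    The list drops leading letters ('aspersky', 'ymantec') so that one entry
    matches regardless of capitalisation or vendor prefix."""
    n = process_name.lower()
    return any(s in n for s in AV_SUBSTRINGS)


if __name__ == "__main__":
    print(run_key_findings(REG_EXPORT))
    print(mail_findings(SAMPLE_MAIL))
    print(targeted_by_process_killer("kaspersky.exe"), targeted_by_process_killer("explorer.exe"))
```

On a suspect machine, export the key with `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and feed the file to `run_key_findings`; also check for the log file C:\Detlog.txt, which the analysis says the worm writes. The process-name check is worth running against your own AV and management agents: anything whose image name contains one of those substrings would have been killed on an infected host, so its absence from the process list is itself an indicator.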