Virus: Worm/Netsky.AB
Date discovered: 13/12/2012
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Low
Static file: Yes
File size: 17.920 Bytes
MD5 checksum: 06E4CFD33F5ED9AF43FE012C759BDA60
VDF version: 7.11.53.216

General
Method of propagation:
   • Email


Aliases:
   •  Symantec: W32/Netsky-AB
   •  Mcafee: W32/Netsky.ab@MM
   •  Kaspersky: I-Worm.Netsky.ac
   •  TrendMicro: WORM_NETSKY.AB
   •  Sophos: W32/Netsky-AB
   •  Grisoft: I-Worm/Netsky.AB
   •  VirusBuster: I-Worm.NetSky.AB
   •  Eset: Win32/Netsky.AB
   •  Bitdefender: Win32.Netsky.AC@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Uses its own Email engine
   • Registry modification

Files
It copies itself to the following location:
   • %WINDIR%\csrss.exe

Registry
The following registry key is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "BagleAV"="%WINDIR%\csrss.exe"



The values of the following registry keys are removed:

–  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "drvsys.exe"="%WINDIR%\drvsys.exe"

–  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "ssgrate.exe"="%WINDIR%\ssgrate.exe"
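A host-side check for the persistence entry described above, as an added example that is not part of Avira's description: it parses a constructed reg-export excerpt (assumed format: bracketed key paths followed by "name"="data" lines) and flags Run values either by the BagleAV value name or by a csrss.exe path sitting directly under %WINDIR% rather than in System32.

```python
"""Host check for the Netsky.AB persistence entry (added example with
constructed data; not Avira's code)."""
import re

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
NETSKY_VALUE_NAME = "bagleav"          # value name from the description
NETSKY_FILE = r"%windir%\csrss.exe"    # dropped file location

# Constructed 'reg export'-style excerpt: clean entries plus the Netsky one.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"BagleAV"="%WINDIR%\\csrss.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\x\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
'''

def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; .reg files double backslashes."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_netsky_run_entries(reg_text):
    """Flag Run values by name or by dropped path (the name is trivial to
    change). The genuine csrss.exe lives in %WINDIR%\\System32, so a copy
    directly under %WINDIR% is suspect on its own."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key not in RUN_KEYS:
            continue
        for name, data in values.items():
            d = data.lower()
            if (name.lower() == NETSKY_VALUE_NAME or d == NETSKY_FILE
                    or re.search(r"(?:%windir%|\\windows)\\csrss\.exe$", d)):
                hits.append((key, name, data))
    return hits
```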

Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination mail server is established. The characteristics are described in the following:


From:
The sender address is spoofed.
The sender of the email is the following:
   • xdfggra@yahoo.com


To:
– Email addresses found in specific files on the system.


Email design:
 


Subject: More samples
Body:
   • Do you have more samples?
Attachment:
   • your_picture.pif
 


Subject: Wow
Body:
   • Why do you show your body?
Attachment:
   • image034.pif
 


Subject: Text
Body:
   • The text you sent to me is not so good!
Attachment:
   • your_text01.pif
 


Subject: Question
Body:
   • Does it hurt you?
Attachment:
   • your_picture.pif
 


Subject: Pictures
Body:
   • Your pictures are good!
Attachment:
   • your_picture01.pif
 


Subject: Money
Body:
   • Do you have no money?
Attachment:
   • your_bill.pif
 


Subject: Hurts
Body:
   • How can I help you?
Attachment:
   • hurts.pif
 


Subject: Numbers
Body:
   • Are your numbers correct?
Attachment:
   • pin_tel.pif
 


Subject: Letter
Body:
   • Do you have written the letter?
Attachment:
   • your_letter_03.pif
 


Subject: Letter
Body:
   • True love letter?
Attachment:
   • your_letter.pif
 


Subject: Only love?
Body:
   • Wow! Why are you so shy?
Attachment:
   • loveletter02.pif
 


Subject: Correction
Body:
   • Please use the font arial!
Attachment:
   • corrected_doc.pif
 


Subject: Picture
Body:
   • Do you have more photos about you?
Attachment:
   • all_pictures.pif
 


Subject: Funny
Body:
   • You have no chance...
Attachment:
   • your_text.pif
 


Subject: Privacy
Body:
   • Still?
Attachment:
   • document1.pif
 


Subject: Password
Body:
   • I've your password. Take it easy!
Attachment:
   • passwords02.pif
 


Subject: Criminal
Body:
   • Hey, are you criminal?
Attachment:
   • myabuselist.pif
 


Subject: Stolen
Body:
   • Do you have asked me?
Attachment:
   • my_stolen_document.pif
 


Subject: Illegal
Body:
   • Please do not send me your illegal stuff again!!!
Attachment:
   • abuses.pif
 


Subject: Found
Body:
   • I've found your creditcard. Check the data!
Attachment:
   • visa_data.pif



The email may look like one of the following:



Mailing
Search addresses:
It searches the following files for email addresses:
   • ADB; ASP; CFG; CGI; DBX; DHTM; DOC; EML; HTM; HTML; JSP; MBX; MDX;
      MHT; MMF; MSG; NCH; ODS; OFT; PHP; PL; PPT; RTF; SHT; SHTM; STM; TBB;
      TXT; UIN; VBS; WAB; WSH; XLS; XML


Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • iruslis; antivir; sophos; freeav; andasoftwa; skynet; messagelabs;
      abuse; fbi; orton; f-pro; aspersky; cafee; orman; itdefender; f-secur;
      avp; spam; ymantec; antivi; icrosoft
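A mail-gateway check for the email templates and the avoid list above, as an added example that is not part of Avira's description: it parses a constructed message with the standard library and reports which Netsky.AB indicators it matches (the template set is a subset of the pairs listed), and shows which recipient addresses the worm would never mail, so that an abuse or spam mailbox cannot be relied on to collect samples.

```python
"""Mail-gateway check for the Netsky.AB templates (added example with a
constructed message; not Avira's code)."""
import email
from email import policy

# Subset of the (subject, attachment) pairs from the description.
NETSKY_TEMPLATES = {
    ("More samples", "your_picture.pif"), ("Wow", "image034.pif"),
    ("Text", "your_text01.pif"), ("Money", "your_bill.pif"),
    ("Password", "passwords02.pif"), ("Found", "visa_data.pif"),
}
SPOOFED_SENDER = "xdfggra@yahoo.com"
# Substrings from the avoid list: such mailboxes never receive the worm.
AVOIDED = ("abuse", "spam", "antivir", "sophos", "aspersky", "icrosoft")

# Constructed message built from the "Password" template.
SAMPLE = """From: xdfggra@yahoo.com
Subject: Password
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

I've your password. Take it easy!
--b1
Content-Type: application/octet-stream; name="passwords02.pif"
Content-Disposition: attachment; filename="passwords02.pif"

MZ...
--b1--
"""

def worm_will_skip(address):
    """True if Netsky.AB would refuse to send to this address."""
    return any(s in address.lower() for s in AVOIDED)

def classify(raw):
    """Return the reasons a message matches Netsky.AB; [] if none."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    sender = str(msg["From"] or "").lower()
    reasons = []
    for name in (p.get_filename() for p in msg.walk() if p.get_filename()):
        if name.lower().endswith(".pif"):      # no legitimate mail carries .pif
            reasons.append(f"pif attachment {name}")
        if (subject, name) in NETSKY_TEMPLATES:
            reasons.append("subject/attachment pair matches a template")
    if SPOOFED_SENDER in sender:
        reasons.append("known spoofed sender")
    return reasons
```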


Resolving server names:
If the request using the standard DNS fails, it continues with the following DNS servers:

Miscellaneous
Mutex:
It creates the following Mutex:
   • S-k-y-n-e-t--A-n-t-i-v-i-r-u-s-T-e-a-m


String:
Furthermore it contains the following string:
   • Hey Bagle, feel our revenge!

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.


Compilation date:
Date: 22/04/2003
Time: 22:44:02

Description inserted by Dragos Tomescu on Wednesday, July 27, 2005
Description updated by Dragos Tomescu on Wednesday, November 23, 2005
