Name: Win32.Netsky.ab
Threat Level:
Alias: Win32.Netsky.ab, W32.Netsky.AB@mm, WORM_NETSKY.AB
Date: 28 April, 2004
Type: Win32, Worm, Trojan
Damage: Creates files, sends email, deletes registry entries
Platform: Win 95, Win 98, Win ME, Win NT, Win 2K, Win XP
Analysis: Win32.Netsky.ab is a worm which uses its own SMTP engine to spread. It deletes two registry entries associated with one of the Win32.Bagle variants and then sends itself to all contacts found on the infected computer.


The arriving email will have the following characteristics:
Subject: The subject of this mail will be one of the following:

Correction
Criminal
Found
Funny
Hurts
Illegal
Letter
Money
More samples
Numbers
Only love?
Password
Picture
Pictures
Privacy
Question
Stolen
Text
Wow


Message body: The body of this mail will be one of the following:

Are your numbers correct?
Do you have asked me?
Do you have more photos about you?
Do you have more samples?
Do you have no money?
Do you have written the letter?
Does it hurt you?
Hey, are you criminal?
How can I help you?
I've found your creditcard. Check the data!
I've your password. Take it easy!
Please do not sent me your illegal stuff again!!!
Please use the font arial!
Still?
The text you sent to me is not so good!
True love letter?
Why do you show your body?
Wow! Why are you so shy?
You have no chance...
Your pictures are good!



Attached File: The worm may arrive as one of the following files:

abuses.pif
all_pictures.pif
corrected_doc.pif
document1.pif
hurts.pif
image034.pif
loveletter02.pif
my_stolen_document.pif
myabuselist.pif
passwords02.pif
pin_tel.pif
visa_data.pif
your_bill.pif
your_letter.pif
your_letter_03.pif
your_picture.pif
your_picture01.pif
your_text.pif
your_text01.pif

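The subject, body and attachment lists above are the indicators a mail gateway or triage script would match on. The following Python is an added example written for this page; it is not eSafe's code and the two sample messages it builds are constructed here, not real captures. It parses an RFC 822 message, checks each indicator class against the advisory's lists, and separately flags any .pif attachment that is not on the list, since Windows runs .pif files as executables regardless of the name.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators exactly as listed in the advisory (subjects, bodies, attachment names).
NETSKY_AB_SUBJECTS = {
    "Correction", "Criminal", "Found", "Funny", "Hurts", "Illegal", "Letter",
    "Money", "More samples", "Numbers", "Only love?", "Password", "Picture",
    "Pictures", "Privacy", "Question", "Stolen", "Text", "Wow",
}
NETSKY_AB_BODIES = {
    "Are your numbers correct?", "Do you have asked me?",
    "Do you have more photos about you?", "Do you have more samples?",
    "Do you have no money?", "Do you have written the letter?",
    "Does it hurt you?", "Hey, are you criminal?", "How can I help you?",
    "I've found your creditcard. Check the data!",
    "I've your password. Take it easy!",
    "Please do not sent me your illegal stuff again!!!",
    "Please use the font arial!", "Still?",
    "The text you sent to me is not so good!", "True love letter?",
    "Why do you show your body?", "Wow! Why are you so shy?",
    "You have no chance...", "Your pictures are good!",
}
NETSKY_AB_ATTACHMENTS = {
    "abuses.pif", "all_pictures.pif", "corrected_doc.pif", "document1.pif",
    "hurts.pif", "image034.pif", "loveletter02.pif", "my_stolen_document.pif",
    "myabuselist.pif", "passwords02.pif", "pin_tel.pif", "visa_data.pif",
    "your_bill.pif", "your_letter.pif", "your_letter_03.pif",
    "your_picture.pif", "your_picture01.pif", "your_text.pif", "your_text01.pif",
}


def analyze_message(raw: str) -> dict:
    """Match one RFC 822 message against the advisory's subject/body/attachment lists."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []

    subject = (msg["Subject"] or "").strip()
    if subject in NETSKY_AB_SUBJECTS:
        hits.append("subject")

    # The first non-attachment text/plain part is the body the worm generates.
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            if part.get_content().strip() in NETSKY_AB_BODIES:
                hits.append("body")
            break

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in NETSKY_AB_ATTACHMENTS:
            hits.append(f"attachment:{name}")
        elif name.endswith(".pif"):
            # .pif files are executed by Windows like .exe; not listed, but worth flagging.
            hits.append(f"pif-attachment:{name}")

    return {
        "hits": hits,
        # A listed attachment, or subject and body together, is treated as a match.
        "likely_netsky_ab": any(h.startswith("attachment:") for h in hits)
        or {"subject", "body"} <= set(hits),
    }


def build_sample(subject: str, body: str, attachment_name: str) -> str:
    """Constructed sample message (not a real capture) for exercising the analyzer."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    for args in [("Money", "Do you have no money?", "your_bill.pif"),
                 ("Re: invoice", "Attached as discussed.", "invoice.pdf")]:
        print(args[0], "->", analyze_message(build_sample(*args)))
```

Subject and body strings are compared exactly, because the worm emits them verbatim; a gateway rule that normalised whitespace or case would match more broadly but would also lose that precision.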

Malicious activity
When the worm is executed, it simply infects the system and sends itself onward as follows:

1. The worm first drops a copy of itself to the default Windows folder as csrss.exe.

2. To run on every startup, the worm creates the following registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"BagleAV" = "windir\csrss.exe"


Note: windir refers to the default Windows folder.

3. It then deletes the following registry entries which are usually created by a Win32.Bagle variant:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"drvsys.exe" = "windir\drvsys.exe"
"ssgrate.exe" = "windir\ssgrate.exe"

4. Finally, the worm harvests the system for email addresses and sends itself to all contacts found.
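Steps 1 and 2 give a host-side check: a Run value named BagleAV, or any Run value that launches csrss.exe from the Windows folder rather than from System32 (the only place the legitimate csrss.exe lives). The following Python is an added example, not eSafe's code: it parses the Run key out of a .reg-style export and flags entries matching either condition. The export text is constructed for this example, with windir written out as C:\WINDOWS and a made-up benign entry alongside the worm's.

```python
import ntpath
import re

# Persistence location and value name the advisory attributes to Win32.Netsky.ab.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
NETSKY_AB_VALUE_NAME = "BagleAV"
DROPPED_FILE = "csrss.exe"

# Constructed .reg-style export (not a real capture); %windir% written out as C:\WINDOWS.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"BagleAV"="C:\\WINDOWS\\csrss.exe"
"Loader"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\WINDOWS\\system32\\cleanmgr.exe"
'''

_VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_values(reg_text: str) -> dict:
    """Return {value name: data} for the HKLM ...\\Run key from a .reg export."""
    values, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = _VALUE_LINE.match(line) if in_run else None
        if m:
            # .reg exports double every backslash inside string data.
            values[m["name"]] = m["data"].replace("\\\\", "\\")
    return values


def find_netsky_persistence(values: dict) -> list:
    """Flag the advisory's value name, and any Run entry that launches csrss.exe
    from somewhere other than System32 (the only legitimate location for it)."""
    findings = []
    for name, data in values.items():
        reasons = []
        if name.lower() == NETSKY_AB_VALUE_NAME.lower():
            reasons.append("value name matches advisory")
        if ntpath.basename(data).lower() == DROPPED_FILE and \
                not ntpath.dirname(data).lower().endswith("\\system32"):
            reasons.append("csrss.exe outside System32")
        if reasons:
            findings.append({"name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_netsky_persistence(parse_run_values(SAMPLE_REG_EXPORT)):
        print(finding)
```

The path check matters more than the value name: the name is trivially changed between variants, whereas a csrss.exe that is not in System32 is wrong on any Windows version the advisory lists.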


eSafe Users
eSafe users are protected against this vandal using the latest vandal/virus update.

A new vandal/virus update is available.
Update date: April 28, 2004
Update version: EV121-SV349

eSafe Gateway and eSafe Mail Users
Your product will be automatically updated.
You can also use the "Update now" option from within the product eConsole.


New Users
More information about eSafe Content Security Products as well as trial versions is available from here.