Selected viruses, spyware, and other threats: sorted alphabetically
Netsky.AB is a typical mass-mailing e-mail worm. The size is 17920 bytes and the worm is runtime compressed / protected.
Installation and Autostart Techniques
Upon execution, the worm copies itself into the Windows folder as "csrss.exe".
The worm creates a mutex " S-k-y-n-e-t--A-n-t-i-v-i-r-u-s-T-e-a-m " to avoid multiple running instances of the worm on one machine.
The worm adds the following registry key to the registry, to make sure that it runs every time windows is started:
"BagleAV" = "%WINDOWS%\csrss.exe"
If the worm finds one of the following values:
"drvsys.exe" = "%WINDOWS%\drvsys.exe"
and / or:
"ssgrate.exe" = "%WINDOWS%\ssgrate.exe"
then the worm removes this startup value.
Note: This values are related to a bagle worm.
That said: This Netsky worm version deactivates a previous bagle worm.
The worm scans all fixed disks and collects e-mail addresses out of files which match one of the following file extensions:
*.eml, *.txt, *.php, *.asp, *.wab, *.doc, *.sht, *.oft, *.msg, *.vbs, *.rtf, *.uin, *.shtm, *.cgi, *.dhtm,*.adb, *.tbb, *.dbx, *.pl, *.htm, *.html
Note: However, these extensions are pretty much useless, because the worm has a bug regarding stringcat and compare with the WIN32_FIND_DATA results.
That said: The worm will always open and scan a file for e-mail addresses when at least one character matches one of the characters in the file extension list in the correct order. In technical terms, that means the worm compares the file extension via 'instring function / substring function'.
Example: The worm will search for e-mail addresses in files where the file extension matches *.htm, *.ht, *.h, for instance.
Netsky.AB tries to contact the local registered DNS servers first. If this fails, the worm uses one DNS server address out of the following IP list:
220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52
Note: If the e-mail address matches firstname.lastname@example.org, it will first attempt to retrieve the IP address of the server domain.de before it uses one of the static DNS servers listed above.
The sender email addresses are spoofed and may appear to be sent by a familiar source. This worm uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to other email addresses.
Netsky.AB selects randomly an e-mail subject out of the following list:
The e-mail contains one of the following message texts:
Please use the font arial!
How can I help you?
I've your password. Take it easy!
Why do you show your body?
Hey, are you criminal?
Your pictures are good!
The text you sent to me is not so good!
True love letter?
Do you have no money?
Do you have asked me?
I've found your creditcard. Check the data!
Are your numbers correct?
You have no chance...
Wow! Why are you so shy?
Do you have more samples?
Do you have more photos about you?
Do you have written the letter?
Does it hurt you?
Please do not sent me your illegal stuff again!!!
The worm attaches one of the following file names with a self-copy:
The worm avoids e-mail addresses which contain parts of the following list:
Note: The first missing character is to match, for example, "Symantec", as well as "symantec".
Other Details: The worm starts several threads, for enumerating and scanning fixed drives for e-mail addresses.
© 1992-2005 Eset s.r.o. VÅ¡etky prÃ¡va vyhradenÃ©. Å½iadna Ã¨asÂ tejto encyklopÃ©die nemÃ´Å¾e byÂ reprodukovanÃ¡, prenÃ¡Å¡anÃ¡ alebo inak pouÅ¾itÃ¡ v akejkoÂ¾vek forme alebo akÃ½mkoÂ¾vek spÃ´sobom bez predchÃ¡dzajÃºceho sÃºhlasu.