Threat Encyclopedia

Win32/Netsky.AB

Netsky.AB is a typical mass-mailing e-mail worm. Its size is 17920 bytes, and the executable is runtime-compressed / protected.

Installation and Autostart Techniques

Upon execution, the worm copies itself into the Windows folder as "csrss.exe".
The worm creates a mutex " S-k-y-n-e-t--A-n-t-i-v-i-r-u-s-T-e-a-m " to avoid multiple running instances of the worm on one machine.

The worm adds the following registry value so that it runs every time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"BagleAV" = "%WINDOWS%\csrss.exe"

If the worm finds one of the following values:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"drvsys.exe" = "%WINDOWS%\drvsys.exe"

and / or:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"ssgrate.exe" = "%WINDOWS%\ssgrate.exe"

then the worm removes these startup values.

Note: These values belong to a Bagle worm.

In other words, this Netsky variant deactivates a previously installed Bagle worm.

 

E-mail harvesting

The worm scans all fixed disks and collects e-mail addresses out of files which match one of the following file extensions:

*.eml, *.txt, *.php, *.asp, *.wab, *.doc, *.sht, *.oft, *.msg, *.vbs, *.rtf, *.uin, *.shtm, *.cgi, *.dhtm, *.adb, *.tbb, *.dbx, *.pl, *.htm, *.html

Note: In practice this extension list is largely ineffective, because the worm has a bug in the way it concatenates the extension strings and compares them with the WIN32_FIND_DATA results.

As a result, the worm opens and scans a file for e-mail addresses whenever at least one character of its extension matches the characters of a listed extension in the correct order. In technical terms, the worm compares the file extension with a substring ('instring') function rather than an exact match.

Example: the worm searches for e-mail addresses not only in files whose extension matches *.htm, but also in files with the extensions *.ht or *.h.

 

DNS resolving

Netsky.AB first tries the DNS servers registered on the local system. If this fails, the worm falls back to one of the DNS servers in the following IP list:

212.44.160.8, 195.185.185.195, 151.189.13.35, 213.191.74.19, 193.189.244.205, 145.253.2.171, 193.141.40.42, 93.193.144.12, 217.5.97.137, 195.20.224.234, 194.25.2.130, 194.25.2.129, 212.185.252.136, 212.185.253.70, 212.185.252.73, 62.155.255.16, 194.25.2.134, 194.25.2.133, 194.25.2.132, 194.25.2.131, 193.193.158.10, 212.7.128.165, 212.7.128.162

Note: For an e-mail address such as whatever@domain.de, the worm first attempts to resolve the IP address of the server for domain.de before falling back to one of the static DNS servers listed above.

 

E-mail Sender

The sender e-mail address is spoofed, so the message may appear to come from a familiar source. The worm uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to the harvested addresses.

E-mail subjects

Netsky.AB randomly selects an e-mail subject from the following list:

Correction
Hurts
Privacy
Password
Wow
Criminal
Pictures
Text
Money
Stolen
Found
Numbers
Funny
Only love?
More samples
Picture
Letter
Question
Illegal

 

Message Body

The e-mail contains one of the following message texts:

Please use the font arial!
How can I help you?
Still?
I've your password. Take it easy!
Why do you show your body?
Hey, are you criminal?
Your pictures are good!
The text you sent to me is not so good!
True love letter?
Do you have no money?
Do you have asked me?
I've found your creditcard. Check the data!
Are your numbers correct?
You have no chance...
Wow! Why are you so shy?
Do you have more samples?
Do you have more photos about you?
Do you have written the letter?
Does it hurt you?
Please do not sent me your illegal stuff again!!!

 

E-mail Attachments

The worm attaches a copy of itself under one of the following file names:

corrected_doc.pif
hurts.pif
document1.pif
passwords02.pif
image034.pif
myabuselist.pif
your_picture01.pif
your_text01.pif
your_letter.pif
your_bill.pif
my_stolen_document.pif
visa_data.pif
pin_tel.pif
your_text.pif
loveletter02.pif
all_pictures.pif
your_letter_03.pif
your_picture.pif
abuses.pif

The worm skips e-mail addresses that contain any of the following substrings:

iruslis
antivir
sophos
freeav
andasoftwa
skynet
messagelabs
abuse
fbi
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
avp
spam
ymantec
antivi
icrosoft

Note: The first character of each entry is omitted so that a plain substring test matches both "Symantec" and "symantec".
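The two substring quirks this page describes, the extension filter in the E-mail harvesting section and the avoid list just above, modelled in Python as an added illustration for scoping which files and addresses the worm's logic actually touches. This is not the worm's code; the sample file names and addresses are constructed, and a file with no extension is assumed not to be scanned.

```python
# Added illustration (not the worm's code) of Netsky.AB's two string-matching
# quirks: an extension filter that degrades to a substring test, and an
# avoid list whose entries drop their first letter.

HARVEST_EXTENSIONS = [
    ".eml", ".txt", ".php", ".asp", ".wab", ".doc", ".sht", ".oft",
    ".msg", ".vbs", ".rtf", ".uin", ".shtm", ".cgi", ".dhtm", ".adb",
    ".tbb", ".dbx", ".pl", ".htm", ".html",
]

AVOID_SUBSTRINGS = [
    "iruslis", "antivir", "sophos", "freeav", "andasoftwa", "skynet",
    "messagelabs", "abuse", "fbi", "orton", "f-pro", "aspersky", "cafee",
    "orman", "itdefender", "f-secur", "avp", "spam", "ymantec", "antivi",
    "icrosoft",
]

# Constructed sample inputs, not taken from the page.
SAMPLE_FILES = ["inbox.dbx", "notes.txt", "page.html", "header.h", "script.sh",
                "archive.tar", "readme", "module.php", "data.db", "mail.eml"]

def extension_of(filename: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot != -1 else ""

def intended_match(filename: str) -> bool:
    """What the list implies the author meant: an exact extension match."""
    return extension_of(filename) in HARVEST_EXTENSIONS

def buggy_match(filename: str) -> bool:
    """What the page describes: the file is scanned whenever its extension is
    a substring of any listed extension, so '.h' and '.ht' pass for '.htm'.
    Assumption: a file with no extension at all is not scanned."""
    ext = extension_of(filename)
    return bool(ext) and any(ext in listed for listed in HARVEST_EXTENSIONS)

def exposed_files(filenames):
    """Split the files the buggy filter opens into those the intended filter
    would also have scanned and the extra ones the bug drags in; useful when
    scoping which files on a host were exposed to address harvesting."""
    intended = [f for f in filenames if intended_match(f)]
    extra = [f for f in filenames if buggy_match(f) and not intended_match(f)]
    return intended, extra

def is_avoided(address: str) -> bool:
    """Case-sensitive substring test as on the page: 'ymantec' hits both
    'Symantec' and 'symantec' because the variable first letter is omitted."""
    return any(token in address for token in AVOID_SUBSTRINGS)
```

On the constructed sample, `exposed_files(SAMPLE_FILES)` reports `header.h`, `script.sh` and `data.db` as extra files the bug exposes beyond the intended list.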

Other Details: The worm starts several threads for enumerating and scanning fixed drives for e-mail addresses.