Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Netsky.AB@mm


Threat Risk LOW LOW
Destructivity NONE NONE
Payload None
Detection files published
Description created 28 Apr 2004 01:27:00
Description updated 28 Apr 2004 01:27:00
Malware type WORM
Spreading mechanism EMAIL
Summary None



When Netsky.AB is executed it creates a mutex named “S-k-y-n-e-t--A-n-t-i-v-i-r-u-s-T-e-a-m" to ensure that only one copy of the worm is running. Next the worm copies itself to the %WINDIR% folder as “csrss.exe" and then creates the following registry value to launch itself when Windows starts: “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\        CurrentVersion\Run\BagleAV" = “%WINDIR%\csrss.exe" The worm will also delete the following registry values, which are created by previous Bagle variants: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ssgrate.exeHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\drvsys.exe Netsky.AB then launches a thread that searches drives C:\ to Z:\ (excluding CD-ROM drives) for email addresses. Only files with the following extensions are searched: .ppt.nch.mmf.mht.xml.wsh.jsp.xls.stm.ods.msg.oft.sht.html .dbx.tbb.adb.dhtm   .cgi.shtm   .uin.rtf.vbs.doc.wab.asp.mdx.mbx.cfg.php.txt.eml  Netsky.AB will not mail itself to any email addresses that contain the following strings: iruslis antivir sophos  freeav  andasoftwa  skynet  messagelabs abuse   fbi orton   f-pro   aspersky    cafee   orman   itdefender  f-secur avp spam    ymantec antivi  icrosoft The worm then proceeds to mail itself to all of the harvested e-mail addresses using its own SMTP engine. The subject line, body text and attachment name vary, and are composed from various word-lists. Subject CorrectionHurtsPrivacyPasswordWow CriminalPicturesTextMoneyStolenFoundNumbersFunnyOnly love?More samplesPicture LetterQuestionIllegal Body Please use the font arial!How can I help you? Still?I've your password. Take it easyWhy do you show your body?Hey, are you criminal?Your pictures are good!The text you sent to me is not so good!True love letter?Do you have no money?Do you have asked me?I've found your creditcard. Check the data!Are your numbers correct?You have no chance...   Wow! Why are you so shy?Do you have more samples?Do you have more photos about you?Do you have written the letter? Does it hurt you?Please do not sent me your illegal stuff again!!! Attachment corrected_doc.pifhurts.pifdocument1.pifpasswords02.pifimage034.pifmyabuselist.pifyour_picture01.pifyour_text01.pifyour_letter.pifyour_bill.pifmy_stolen_document.pifvisa_data.pifpin_tel.pifyour_text.pifloveletter02.pifall_pictures.pifyour_letter_03.pifyour_picture.pifabuses.pif

Payload Details





Netsky.AB was proactively detected as a W32/EmailWorm using Lumension's Sandbox technology.

Last Updated: 12 Nov 2015 11:06:12