 Information about the W32/Netsky.AB worm |
4/24/2004 |
W32/Netsky.AB is a mass mailing worm. This worm is a variant of W32/Netsky.Z.This worm infects Windows
systems and spreads through email. The infected email carries a spoofed 'From' address, picked up from
the infected system.
The subject of the infected email will be any one of the following;
Wow
Text
Hurts
Funny
Found
Money
Letter
Stolen
Privacy
Picture
Numbers
Criminal
Question
Password
Pictures
Only love?
Correction
More samples
The body of the infected email will be any one of the following;
Still?
True love letter?
Does it hurt you?
How can I help you?
You have no chance...
Your pictures are good!
Hey, are you criminal?
Do you have asked me?
Do you have no money?
Please use the font arial!
Why do you show your body?
Wow! Why are you so shy?
Do you have more samples?
Are your numbers correct?
Do you have written the letter?
I've your password. Take it easy!
Do you have more photos about you?
I've found your creditcard. Check the data!
Please do not sent me your illegal stuff again!!!
The text you sent to me is not so good!
The infected email has any one of the following attachments;
hurts.pif
abuses.pif
pin_tel.pif
image034.pif
your_bill.pif
visa_data.pif
your_text.pif
document1.pif
your_text01.pif
your_picture.pif
your_letter.pif
passwords02.pif
myabuselist.pif
loveletter02.pif
corrected_doc.pif
all_pictures.pif
your_letter_03.pif
your_picture01.pif
my_stolen_document.pif
Upon execution of the infected attachment, the worm copies itself as csrss.exe in the Windows folder.
The worm also creates a mutex S-k-y-n-e-t--A-n-t-i-v-i-r-u-s-T-e-a-m to check the presence of the
worm in system memory.The worm modifies registry at the following location to run itself at the
startup;
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
To propagate itself, the worm scans the files having the following extensions and collects all the
available email addresses from the infected system;
.pl, .rtf, .oft, .txt, .uin, .jsp, .tbb, .cgi, .sht, .vbs, .doc, .dbx, .asp, .adb, .php, .htm,
.eml, .xml, .wab, .wsh, .msg, .html, .dhtm, .shtm The worm mails itself to these addresses using
its own SMTP engine.
This worm first appeared on April 28, 2004. Other names of W32/Netsky.AB Worm:
This worm is also known as Win32.Netsky.AB, W32.Netsky.AB@mm, W32/Netsky.ab@MM, NetSky.AB ,
W32/Netsky-AB
|
|
