
Email-Worm.Win32.NetSky.ac

Detected Apr 28 2004 15:12 GMT
Released May 03 2004 16:08 GMT
Published Apr 28 2004 15:12 GMT

Technical Details

This worm spreads via the Internet as an attachment to infected messages, and via shared network resources. The worm itself is a Windows PE EXE file, 17920 bytes in size, packed using PE-Patch. The unpacked file is approximately 1.5MB in size. It is written in Microsoft Visual C.

Characteristics of infected messages:

Message header (chosen at random from the following):

Question
Letter
Picture
More samples
Only love?
Funny
Numbers
Found
Stolen
Money
Letter
Text
Pictures
Criminal
Wow
Password
Privacy
Hurts
Correction

Message body (chosen at random from the following):

Does it hurt you?
Do you have written the letter?
Do you have more photos about you?
Do you have more samples?
Wow! Why are you so shy?
You have no chance...
Are your numbers correct?
I've found your creditcard. Check the data!
Do you have asked me?
Do you have no money?
True love letter?
The text you sent to me is not so good!
Your pictures are good!
Hey, are you criminal?
Why do you show your body?
I've your password. Take it easy!
Still?
How can I help you?
Please use the font arial!

Attachment name (chosen at random from the following):

your_picture.pif
your_letter_03.pif
all_pictures.pif
your_picture.pif
loveletter02.pif
your_text.pif
pin_tel.pif
visa_data.pif
my_stolen_document.pif
your_bill.pif
your_letter.pif
your_text01.pif
your_picture01.pif
myabuselist.pif
image034.pif
passwords02.pif
document1.pif
hurts.pif
corrected_doc.pif

The worm is only activated if the user launches the infected file by clicking twice on the attachment. The worm then installs itself to the system and starts propagating.
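The message characteristics listed above are exactly what a mail gateway filter can key on. The following added example (not code from the original description or from Kaspersky Lab) scores one raw RFC 5322 message against the subject, body and attachment lists given above; the sample messages it builds are constructed here for offline testing, and the weighting (a `.pif` or listed attachment is decisive, a subject or body match alone only flags for review) is this example's own assumption.

```python
"""Score an inbound message against the NetSky.ac indicators listed above."""
import email
import ntpath
from email import policy
from email.message import EmailMessage

# Indicator lists copied from the description above.
NETSKY_AC_SUBJECTS = {
    "Question", "Letter", "Picture", "More samples", "Only love?", "Funny",
    "Numbers", "Found", "Stolen", "Money", "Text", "Pictures", "Criminal",
    "Wow", "Password", "Privacy", "Hurts", "Correction",
}
NETSKY_AC_BODIES = {
    "Does it hurt you?", "Do you have written the letter?",
    "Do you have more photos about you?", "Do you have more samples?",
    "Wow! Why are you so shy?", "You have no chance...",
    "Are your numbers correct?", "I've found your creditcard. Check the data!",
    "Do you have asked me?", "Do you have no money?", "True love letter?",
    "The text you sent to me is not so good!", "Your pictures are good!",
    "Hey, are you criminal?", "Why do you show your body?",
    "I've your password. Take it easy!", "Still?", "How can I help you?",
    "Please use the font arial!",
}
NETSKY_AC_ATTACHMENTS = {
    "your_picture.pif", "your_letter_03.pif", "all_pictures.pif",
    "loveletter02.pif", "your_text.pif", "pin_tel.pif", "visa_data.pif",
    "my_stolen_document.pif", "your_bill.pif", "your_letter.pif",
    "your_text01.pif", "your_picture01.pif", "myabuselist.pif", "image034.pif",
    "passwords02.pif", "document1.pif", "hurts.pif", "corrected_doc.pif",
}
# Extensions Windows runs directly on double-click; .pif is what this variant uses.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}


def classify_message(raw: bytes) -> dict:
    """Return the indicator hits and a verdict ('block', 'review' or 'clean')."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits, strong = [], False

    subject = (msg["Subject"] or "").strip()
    if subject in NETSKY_AC_SUBJECTS:
        hits.append(f"subject matches NetSky.ac list: {subject!r}")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    if body in NETSKY_AC_BODIES:
        hits.append(f"body matches NetSky.ac list: {body!r}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ntpath.splitext(name)[1].lower()
        if name.lower() in NETSKY_AC_ATTACHMENTS:
            hits.append(f"attachment name matches NetSky.ac list: {name!r}")
            strong = True
        elif ext in EXECUTABLE_EXTENSIONS:
            hits.append(f"directly executable attachment: {name!r}")
            strong = True

    # Assumption of this example: an executable or listed attachment is decisive;
    # subjects like "Question" are ordinary words and only justify a review.
    verdict = "block" if strong else ("review" if hits else "clean")
    return {"verdict": verdict, "hits": hits}


def build_sample(subject: str, body: str, attachment_name: str = "") -> bytes:
    """Constructed sample message (not a real capture) for offline testing."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Inert placeholder bytes: only the filename and MIME structure matter here.
        msg.add_attachment(b"PLACEHOLDER", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


SAMPLE_INFECTED = build_sample("Password", "I've your password. Take it easy!",
                               "passwords02.pif")
SAMPLE_WEAK = build_sample("Question", "Could you send the Q3 report?", "report.txt")
SAMPLE_CLEAN = build_sample("Q3 report", "Attached as discussed.")

if __name__ == "__main__":
    for label, raw in (("infected", SAMPLE_INFECTED), ("weak", SAMPLE_WEAK),
                       ("clean", SAMPLE_CLEAN)):
        print(label, classify_message(raw))
```

Matching whole subjects and bodies exactly, rather than by substring, keeps the false-positive rate tolerable on a gateway: "Question" or "Money" as a complete subject is rare in normal traffic, but as a substring it is everywhere.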

Mass mailing

The worm uses a direct connection to the SMTP-server to send messages.

Installation

When installing, the worm copies itself to the Windows directory under the name csrss.exe and registers this file in the system registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BagleAV

thus attempting to disguise itself as an antivirus working against Bagle.
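The persistence described above leaves two host-side artefacts worth checking: a Run value named BagleAV, and a csrss.exe launched from the Windows directory rather than from System32, where the legitimate Windows client/server runtime subsystem binary lives (and which is started by the session manager, not by a Run key). The following added example (not code from the original description or from Kaspersky Lab) audits a set of Run-key entries for both; on Windows it reads the live HKLM Run key via `winreg`, elsewhere it falls back to the constructed sample entries shown. The sample command strings and the `ExampleUpdater` value are constructed placeholders, not real captures.

```python
"""Audit HKLM Run-key entries for the NetSky.ac persistence described above."""
import ntpath
import os

# Value name and filename from the description above.
NETSKY_AC_RUN_VALUE = "BagleAV"
NETSKY_AC_FILENAME = "csrss.exe"
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"


def _executable_path(command: str) -> str:
    """Extract the program path from a Run-key command string, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def audit_run_entries(entries: dict, windows_dir: str) -> list:
    """entries maps Run value names to command strings; returns (name, reason) findings."""
    findings = []
    windows_dir = ntpath.normcase(windows_dir.rstrip("\\/"))
    for name, command in entries.items():
        if name == NETSKY_AC_RUN_VALUE:
            findings.append((name, "Run value name matches NetSky.ac (BagleAV)"))
        path = _executable_path(command)
        if ntpath.basename(path).lower() == NETSKY_AC_FILENAME:
            # Assumption of this example: no legitimate csrss.exe is started via Run.
            in_windows_root = ntpath.normcase(ntpath.dirname(path)) == windows_dir
            where = "the Windows directory" if in_windows_root else "an unexpected location"
            findings.append((name, f"csrss.exe started from a Run key, located in {where}"))
    return findings


def read_run_entries_hklm() -> dict:
    """Read the live HKLM Run key; returns {} on non-Windows hosts (no winreg)."""
    try:
        import winreg
    except ImportError:
        return {}
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            entries[name] = str(value)
            index += 1
    return entries


# Constructed sample entries (not a real capture) for offline use.
SAMPLE_RUN_ENTRIES = {
    "ExampleUpdater": r'"C:\Program Files\Example\updater.exe" /background',
    "BagleAV": r"C:\WINDOWS\csrss.exe",
}

if __name__ == "__main__":
    entries = read_run_entries_hklm() or SAMPLE_RUN_ENTRIES
    system_root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    for value_name, reason in audit_run_entries(entries, system_root):
        print(f"{value_name}: {reason}")
```

The filename check is deliberately independent of the value name: a variant that changes the BagleAV label but keeps the csrss.exe disguise is still caught, and the location test separates the disguise from the real System32 binary.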

Other

The worm attempts to delete registry keys created by I-Worm.Bagle.y.


Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases, the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

  • using a direct connection to an SMTP server using the email directory built into the worm’s code
  • using MS Outlook services
  • using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.



Aliases

Email-Worm.Win32.NetSky.ac (Kaspersky Lab) is also known as:

  • I-Worm.NetSky.ac (Kaspersky Lab)
  • Virus: W32/Netsky@MM!a (McAfee)
  • Virus: W32/Netsky.ab@MM (McAfee)
  • Mal/Generic-L (Sophos)
  • Trojan:Win32/Bumat!rts (MS(OneCare))
  • archive damaged - the file could not be extracted. (Nod32)
  • Worm.Generic.241122 (BitDef7)
  • Worm.Generic.23299 (BitDef7)
  • FILE_BROKEN (VirusBuster)
  • RAR archive is corrupted (AVAST)
  • Email-Worm.Win32.NetSky (Ikarus)
  • WORM/Agent.48128.6 (AVIRA)
  • Malformed container violation (NAV)
  • W32.Netsky.P@mm (NAV)
  • Suspicious_Gen2.BBGVN (Norman)
  • Email-Worm.Win32.NetSky.ac [AVP] (FSecure)
  • Trojan.Win32.Generic!BT (Sunbelt)
  • FILE_BROKEN (VirusBusterBeta)