
Virus Profile: W32/Netsky.ab@MM

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 4/28/2004
Date Added: 4/28/2004
Origin: Unknown
Length: 17,920
Type: Virus
Subtype: E-mail
DAT Required: 4354
Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Outgoing DNS queries to one of the worm's hard-coded DNS server IP addresses
  • Existence of the file and Registry value detailed under Virus Characteristics (%WinDir%\CSRSS.EXE and the "BagleAV" Run value)

Methods of Infection

This worm spreads by email, constructing messages using its own SMTP engine.


Virus Characteristics

-- Update August 16th, 2004 --
The risk assessment of this threat has been lowered to Low-Profiled due to decreased prevalence.
--

-- Update April 28, 2004 --
The assessment of this threat has been upgraded to Medium due to an increase in prevalence.

If you think that you may be infected with this threat, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products are capable of detecting and removing the virus with the latest update (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From: address.

This detection is for a new variant of W32/Netsky. It bears the following characteristics:

  • harvests email addresses from the victim machine
  • contains its own SMTP engine to construct outgoing messages
  • email arrives with a .PIF attachment
  • spoofs the From: address

Mail Propagation

The virus harvests email addresses from files on the victim machine with the following extensions:

  • .adb
  • .asp
  • .cfg
  • .cgi
  • .dbx
  • .dhtm
  • .doc
  • .eml
  • .htm
  • .html
  • .jsp
  • .mbx
  • .mdx
  • .mht
  • .mmf
  • .msg
  • .nch
  • .oft
  • .php
  • .ods
  • .pl
  • .ppt
  • .rtf
  • .sht
  • .shtm
  • .stm
  • .tbb
  • .txt
  • .uin
  • .vbs
  • .wab
  • .wsh
  • .xls
  • .xml

Messages are constructed using the virus' own SMTP engine. They bear the following characteristics:

From: spoofed (using harvested email addresses)
Subject: (selected from one of the following)

  • Correction 
  • Hurts  
  • Privacy
  • Password   
  • Wow
  • Criminal   
  • Pictures   
  • Text   
  • Money  
  • Stolen 
  • Found  
  • Numbers
  • Funny  
  • Only
  • love? 
  • More
  • samples   
  • Picture
  • Letter 
  • Question   
  • Illegal

Body: (selected from one of the following)

  • Please use the font arial! 
  • How can I help you?
  • Still? 
  • I've your password.
  • Take it easy!  
  • Why do you show your body? 
  • Hey, are you criminal? 
  • Your pictures are good!
  • The text you sent to me is not so good!
  • True love letter?  
  • Do you have no money?  
  • Do you have asked me?  
  • I've found your creditcard.
  • Check the data!
  • Are your numbers correct?  
  • You have no chance...  
  • Wow! Why are you so shy?   
  • Do you have more samples?  
  • Do you have more photos about you? 
  • Do you have written the letter?
  • Does it hurt you?  
  • Please do not sent me your illegal stuff again!!!  

Attachment: (.PIF extension, with one of the following filenames)

  • corrected_doc.pif  
  • hurts.pif  
  • document1.pif  
  • passwords02.pif
  • image034.pif   
  • myabuselist.pif
  • your_picture01.pif 
  • your_text01.pif
  • your_letter.pif
  • your_bill.pif  
  • my_stolen_document.pif 
  • visa_data.pif  
  • pin_tel.pif
  • your_text.pif  
  • loveletter02.pif   
  • all_pictures.pif   
  • your_letter_03.pif 
  • your_picture.pif   
  • abuses.pif 

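As an added example (not part of the McAfee profile), a gateway-side check in Python that parses an RFC 822 message and reports which of the Netsky.ab mail characteristics above it matches: a known subject line and a .pif attachment, with the profile's filename list as a stronger signal. The function names and the sample message are constructed for this example, not captured traffic.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines and attachment filenames quoted in the profile above.
NETSKY_AB_SUBJECTS = {
    "correction", "hurts", "privacy", "password", "wow", "criminal", "pictures",
    "text", "money", "stolen", "found", "numbers", "funny", "only", "love?",
    "more", "samples", "picture", "letter", "question", "illegal",
}
NETSKY_AB_ATTACHMENTS = {
    "corrected_doc.pif", "hurts.pif", "document1.pif", "passwords02.pif",
    "image034.pif", "myabuselist.pif", "your_picture01.pif", "your_text01.pif",
    "your_letter.pif", "your_bill.pif", "my_stolen_document.pif", "visa_data.pif",
    "pin_tel.pif", "your_text.pif", "loveletter02.pif", "all_pictures.pif",
    "your_letter_03.pif", "your_picture.pif", "abuses.pif",
}

def netsky_ab_indicators(raw: bytes) -> list[str]:
    """Return the Netsky.ab indicators found in a raw RFC 822 message ([] = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in NETSKY_AB_SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name.endswith(".pif"):
            # Any .pif attachment is suspicious; a filename from the profile is a stronger match.
            kind = "known_attachment" if name in NETSKY_AB_ATTACHMENTS else "pif_attachment"
            hits.append(kind + ":" + name)
    return hits

def build_sample_message() -> bytes:
    """Constructed sample (not a real capture) shaped like the messages described above."""
    m = EmailMessage()
    m["From"] = "harvested.user@example.com"   # the worm spoofs From: with a harvested address
    m["To"] = "victim@example.com"
    m["Subject"] = "Password"
    m.set_content("I've your password.")
    m.add_attachment(b"MZ placeholder", maintype="application",
                     subtype="octet-stream", filename="passwords02.pif")
    return m.as_bytes()

if __name__ == "__main__":
    print(netsky_ab_indicators(build_sample_message()))
```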
The virus installs itself on the victim machine as CSRSS.EXE:

  • %WinDir%\CSRSS.EXE

(%WinDir% = Windows directory, such as c:\windows or c:\winnt)

The following Registry key is added to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "BagleAV" = %WinDir%\CSRSS.EXE
Removal Instructions

All Users:
Use the specified DAT files for detection and removal.

Stinger
Stinger has been updated to assist in detecting and repairing this threat.

Additional Windows ME/XP removal considerations

McAfee Threatscan
ThreatScan signatures that can detect the W32/Netsky.ab@MM virus are available from:

  • ThreatScan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt
  • ThreatScan 2.0/2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt

ThreatScan Signature version: 2004-04-28
ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

  • Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
    -or-
  • Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

  • Run the "ThreatScan Template Report"
  • Look for module number #4066

McAfee System Compliance Profiler
Create a rule that matches a file

  • Choose WINDOWS_DIR from the drop-down
  • Type in CSRSS.EXE for the file name
  • Choose "File does not exist" in the next drop-down