W32/Netsky-AB
Type
Win32 worm
Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.
Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update.
Sophos has received several reports of this worm from the wild.
Description
W32/Netsky-AB is a mass-mailing worm that uses its own SMTP engine to email itself to addresses harvested from files on local drives.
In order to run automatically when the user logs on to the computer, the worm copies itself to the file csrss.exe in the Windows folder and creates the following registry entry to point to it:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BagleAV
The worm will delete registry entries under this key that point to files named drvsys.exe and ssgrate.exe. These are copies of files related to the Bagle family of worms that may have been dropped by previous infections.
W32/Netsky-AB will gather information about infected systems in a log file called C:\Detlog.txt.
Emails have the following characteristics:
Subject lines chosen from:
Correction
Hurts
Privacy
Password
Wow
Criminal
Pictures
Text
Money
Stolen
Found
Numbers
Funny
Only love?
More samples
Picture
Letter
Question
Message texts chosen from:
Please use the font arial!
How can I help you?
Still?
Ive your password. Take it easy!
Why do you show your body?
Hey, are you criminal?
Your pictures are good!
The text you sent to me is not so good!
True love letter?
Do you have no money?
Do you have asked me?
Ive found your creditcard. Check the data!
Are your numbers correct?
You have no chance...
Wow! Why are you so shy?
Do you have more samples?
Do you have more photos about you?
Do you have written the letter?
Does it hurt you?
Please do not sent me your illegal stuff again!!!
Attached filename chosen from:
corrected_doc.pif
hurts.pif
document1.pif
passwords02.pif
image034.pif
myabuselist.pif
your_picture01.pif
your_text01.pif
your_letter.pif
your_bill.pif
my_stolen_document.pif
visa_data.pif
pin_tel.pif
your_text.pif
loveletter02.pif
all_pictures.pif
your_letter_03.pif
your_picture.pif
abuses.pif
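As an added example (not Sophos code), the following mail-gateway triage function scores an incoming message against the subject, body and attachment lists above. The Message class and the four sample messages are constructed for this demonstration; a known attachment name combined with a known subject or body text is reported as the worm, and any .pif executable on its own is held as suspicious.

```python
"""Triage of incoming mail against the W32/Netsky-AB message characteristics.

Added example, not Sophos code. The three lists are copied from the analysis
above; the Message class and the sample messages are constructed for the demo.
"""
from dataclasses import dataclass, field

SUBJECTS = {
    "Correction", "Hurts", "Privacy", "Password", "Wow", "Criminal", "Pictures",
    "Text", "Money", "Stolen", "Found", "Numbers", "Funny", "Only love?",
    "More samples", "Picture", "Letter", "Question",
}

BODIES = {
    "Please use the font arial!", "How can I help you?", "Still?",
    "Ive your password. Take it easy!", "Why do you show your body?",
    "Hey, are you criminal?", "Your pictures are good!",
    "The text you sent to me is not so good!", "True love letter?",
    "Do you have no money?", "Do you have asked me?",
    "Ive found your creditcard. Check the data!", "Are your numbers correct?",
    "You have no chance...", "Wow! Why are you so shy?",
    "Do you have more samples?", "Do you have more photos about you?",
    "Do you have written the letter?", "Does it hurt you?",
    "Please do not sent me your illegal stuff again!!!",
}

ATTACHMENTS = {
    "corrected_doc.pif", "hurts.pif", "document1.pif", "passwords02.pif",
    "image034.pif", "myabuselist.pif", "your_picture01.pif", "your_text01.pif",
    "your_letter.pif", "your_bill.pif", "my_stolen_document.pif",
    "visa_data.pif", "pin_tel.pif", "your_text.pif", "loveletter02.pif",
    "all_pictures.pif", "your_letter_03.pif", "your_picture.pif", "abuses.pif",
}


@dataclass
class Message:
    """Minimal view of a parsed message: subject, body and attachment file names."""
    subject: str
    body: str = ""
    attachments: list = field(default_factory=list)


def classify(msg: Message) -> tuple:
    """Return (verdict, reasons); verdict is 'netsky-ab', 'suspicious' or 'clean'.

    A known attachment name together with a known subject or body text is
    treated as the worm itself. A .pif executable on its own is still held,
    because every Netsky-AB attachment carries that extension.
    """
    reasons = []
    text_hit = False
    if msg.subject.strip() in SUBJECTS:
        reasons.append(f"subject {msg.subject.strip()!r} is a Netsky-AB subject line")
        text_hit = True
    if msg.body.strip() in BODIES:
        reasons.append("body is one of the Netsky-AB message texts")
        text_hit = True
    # Keep only the file name, whichever path separator the client used.
    names = [a.replace("\\", "/").rsplit("/", 1)[-1].lower() for a in msg.attachments]
    known = [n for n in names if n in ATTACHMENTS]
    for n in known:
        reasons.append(f"attachment {n!r} is a Netsky-AB filename")
    pifs = [n for n in names if n.endswith(".pif")]
    if pifs and not known:
        reasons.append(f"executable .pif attachment {pifs[0]!r}")
    if known and text_hit:
        return "netsky-ab", reasons
    if known or pifs:
        return "suspicious", reasons
    return "clean", reasons


# Constructed sample traffic: one worm message, one benign, two borderline.
SAMPLES = [
    Message("Password", "Ive your password. Take it easy!", ["passwords02.pif"]),
    Message("Re: meeting notes", "Agenda attached.", ["agenda.doc"]),
    Message("Invoice", "See attached.", ["your_bill.pif"]),
    Message("Wow", "Wow! Why are you so shy?", ["setup.pif"]),
]


def triage(messages=SAMPLES) -> list:
    """Classify each message and return the verdicts in order."""
    return [classify(m)[0] for m in messages]


if __name__ == "__main__":
    for m, verdict in zip(SAMPLES, triage()):
        print(f"{verdict:10} {m.subject!r} {m.attachments}")
```

The exact-match lists catch this variant only; the .pif rule is the durable part, since the mass-mailing Netsky variants of this period all shipped their payload as a .pif attachment and most organisations have no legitimate reason to accept that extension by mail.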
W32/Netsky-AB will attempt to terminate antivirus-related processes whose filenames contain text taken from the following list:
iruslis
antivir
sophos
freeav
andasoftwa
skynet
messagelabs
aspersky
itdefender
f-secur
ymantec
antivi
icrosoft
W32/Netsky-AB will try to establish a connection with the following addresses:
212.7.128.162
212.7.128.165
193.193.158.10
194.25.2.131
194.25.2.132
194.25.2.133
194.25.2.134
62.155.255.16
212.185.252.73
212.185.253.70
212.185.252.136
194.25.2.129
194.25.2.130
195.20.224.234
217.5.97.137
194.25.1.129
193.193.144.12
193.141.40.42
145.253.2.171
193.189.244.205
213.191.74.19
151.189.13.35
195.185.185.195
212.44.160.8
W32/Netsky-AB harvests email addresses from files with the following extensions:
ppt,nch,mmf,mht,xml,wsh,jsp,xls,stm,ods,msg,oft,sht,html,htm,pl,dbx,tbb,adb,
dhtm,cgi,shtm,uin,rtf,vbs,doc,wab,asp,mdx,mbx,cfg,php,txt,eml
W32/Netsky-AB contains the text 'Hey Bagle, feel our revenge!'.
Recovery
Please follow the instructions for removing worms.
Change any data that may have become compromised.
Delete the file C:\Detlog.txt if it exists.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BagleAV
and delete it if it exists.
Close the registry editor.
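As an added example, not Sophos's own removal tool, the following Python check looks for the host-side indicators described in the analysis above: the BagleAV Run value, a csrss.exe copy in the Windows folder itself (the legitimate csrss.exe lives in System32), the C:\Detlog.txt log, Run entries left over from Bagle, and connections to the listed addresses. It can be run before the recovery steps to confirm an infection and afterwards to confirm that the registry entry and files are gone. The check functions take plain Python data and the netstat sample is constructed; live collection with winreg and netstat only runs on Windows.

```python
"""Host-side indicator check for W32/Netsky-AB.

Added example, not Sophos's removal tool. Indicators come from the analysis
above: the Run value BagleAV, a csrss.exe copy in the Windows folder itself
(the legitimate one lives in System32), the Detlog.txt log in the root of C:,
Run entries left from Bagle, and connections to the listed addresses. The
check_* functions take plain data so they run anywhere; scan() is Windows-only.
"""
import ntpath
import os
import subprocess
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "BagleAV"
LOG_FILE = r"C:\Detlog.txt"
BAGLE_REMNANTS = {"drvsys.exe", "ssgrate.exe"}  # entries the worm itself deletes
CONTACTED = {
    "212.7.128.162", "212.7.128.165", "193.193.158.10", "194.25.2.131",
    "194.25.2.132", "194.25.2.133", "194.25.2.134", "62.155.255.16",
    "212.185.252.73", "212.185.253.70", "212.185.252.136", "194.25.2.129",
    "194.25.2.130", "195.20.224.234", "217.5.97.137", "194.25.1.129",
    "193.193.144.12", "193.141.40.42", "145.253.2.171", "193.189.244.205",
    "213.191.74.19", "151.189.13.35", "195.185.185.195", "212.44.160.8",
}

def _exe_name(command: str) -> str:
    """Lower-cased file name of the executable a Run value launches."""
    path = command.strip().strip('"')
    end = path.lower().find(".exe")
    if end != -1:
        path = path[:end + 4]          # drop arguments and any closing quote
    return ntpath.basename(path).lower()

def check_run_entries(entries: dict) -> list:
    """entries maps Run value name -> command string."""
    findings = []
    for name, command in entries.items():
        if name == RUN_VALUE:
            findings.append(f"Run value {name!r} -> {command!r}: W32/Netsky-AB persistence")
        elif _exe_name(command) in BAGLE_REMNANTS:
            findings.append(f"Run value {name!r} -> {command!r}: Bagle-family leftover")
    return findings

def check_files(windir: str, present: set) -> list:
    """present holds lower-cased paths known to exist on the host."""
    findings = []
    worm_copy = ntpath.join(windir, "csrss.exe").lower()
    if worm_copy in present:
        findings.append(f"{worm_copy}: csrss.exe in the Windows folder, not System32 (worm copy)")
    if LOG_FILE.lower() in present:
        findings.append(f"{LOG_FILE}: address-harvest log written by the worm")
    return findings

def parse_netstat(text: str) -> set:
    """Foreign IPv4 addresses from `netstat -n` output in the Windows column layout."""
    addrs = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "TCP":
            addrs.add(parts[2].rsplit(":", 1)[0])
    return addrs

def check_connections(remote_addrs) -> list:
    return [f"connection to {ip}: address contacted by W32/Netsky-AB"
            for ip in sorted(set(remote_addrs) & CONTACTED)]

# Constructed netstat output, used when the script runs off-Windows.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:1042          194.25.2.131:25        SYN_SENT
  TCP    10.0.0.5:1043          212.44.160.8:25        ESTABLISHED
  TCP    10.0.0.5:1050          10.0.0.1:445           ESTABLISHED
"""

def collect_run_entries() -> dict:
    """Read the HKLM Run key with winreg (Windows only)."""
    import winreg
    entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                return entries
            entries[name] = str(data)
            i += 1

def scan() -> list:
    """Run all checks against the live host; refuses to guess on non-Windows."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; feed the check_* functions your own data")
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    present = {p.lower() for p in (ntpath.join(windir, "csrss.exe"), LOG_FILE) if os.path.exists(p)}
    netstat = subprocess.run(["netstat", "-n"], capture_output=True, text=True).stdout
    return (check_run_entries(collect_run_entries()) + check_files(windir, present)
            + check_connections(parse_netstat(netstat)))

if __name__ == "__main__":
    if sys.platform == "win32":
        print("\n".join(scan()) or "no W32/Netsky-AB indicators found")
    else:
        print("\n".join(check_connections(parse_netstat(SAMPLE_NETSTAT))))
```

The file check keys on location rather than name: csrss.exe is a normal process name, which is why the worm chose it, so the finding is only raised for a copy in the Windows folder itself. The registry check also reports the Bagle remnants the worm deletes, since their presence or absence tells the responder something about what else has run on the host.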