  Randy Bell Premium join:2002-02-24 Santa Clara, CA
W32.Netsky.AB@mm
Symantec: W32.Netsky.AB@mm »securityresponse.symantec.com/av···@mm.html
McAfee: W32/Netsky.ab@MM »us.mcafee.com/virusInfo/default.···k=124873
Trend: WORM_NETSKY.AB »www.trendmicro.com/vinfo/virusen···ETSKY.AB
Computer Associates: Win32.Netsky.AB »www3.ca.com/threatinfo/virusinfo···ID=39001
F-Prot: W32/Netsky.AB@mm »www.f-prot.com/virusinfo/descrip···_ab.html
VSAntivirus {English Transl}: W32/Netsky.AB »216.239.37.104/translate_c?hl=en···Dgooglet
Thanks to Schouw for the heads-up on this new variant.  -- "But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
Panda has updated their info and it now agrees with the other vendors:
Panda: Netsky.AB »www.virusportal.com/com/virusinf···us=46708 Tech Details: »www.virusportal.com/com/virusinf···us=46708 Prevention & Cure: »www.virusportal.com/com/virusinf···us=46708
Also, please NOTE: BitDefender is listing an 'AB' Netsky variant, but closer investigation reveals it is the same worm {discovered yesterday, April 27} that all other vendors are calling 'AA'; see my post clarifying this in the other thread: »W32/Netsky-AA {Sophos}
The current 'AB' variant {discovered early today April 28} uses the following autorun entry:
"BagleAV" = %WinDir%\CSRSS.EXE
The aforementioned BitDefender WriteUp actually refers to the 'AA' worm {discovered yesterday April 27} which uses the following autorun entry:
"Skynetsrevenge" = %WinDir%\WINLOGON.SCR
Panda's initial VirusPortal WriteUp was falsely reporting an 'AB' which used this autorun entry, but it has now been corrected to agree with the other vendors' report of the newest 'AB' variant.
Panda's Main Site has a writeup on 'AB' now: »www.pandasoftware.com/virus_info···8&sind=0
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
Sophos: W32/Netsky-AB »www.sophos.com/virusinfo/analyse···yab.html
W32/Netsky-AB is a mass-mailing worm that uses its own SMTP engine to email itself to addresses harvested from files on local drives.
In order to run automatically when the user logs on to the computer the worm copies itself to the file csrss.exe in the Windows folder and creates the following registry entry to point to it:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BagleAV
The worm will delete registry entries under this key that point to files named drvsys.exe and ssgrate.exe. These are copies of files related to the Bagle family of worms that may have been dropped by previous infections.
W32/Netsky-AB will gather information about infected systems in a log file called C:\Detlog.txt.
{{~snipped~}} See above link for details of email subjects, message bodies, attachments.
W32/Netsky-AB harvests email addresses from files with the following extensions:
ppt, nch, mmf, mht, xml, wsh, jsp, xls, stm, ods, msg, oft, sht, html, htm, pl, dbx, tbb, adb, dhtm, cgi, shtm, uin, rtf, vbs, doc, wab, asp, mdx, mbx, cfg, php, txt, eml
W32/Netsky-AB contains the text 'Hey Bagle, feel our revenge!'
  EGeezer Go Bobcats Premium join:2002-08-04 Country!
Win32.Netsky.ab / W32.Netsky.AB@mm / WORM_NETSKY.AB
Netsky ab analysis from our friends at Aladdin...
said by Aladdin, »www.ealaddin.com/home/csrt/analy···0410&cf= :
Win32.Netsky.ab
Alias: Win32.Netsky.ab, W32.Netsky.AB@mm, WORM_NETSKY.AB
Platforms: Win 95, Win 98, Win ME, Win NT, Win 2K, Win XP
Updated on: 28 April, 2004
Arrival Form: Email
Type: Win32, Worm, Trojan
Damage: Create files, Send Email, Deletes registry entries
Analysis: Win32.Netsky.ab is a worm which uses its own SMTP engine to spread. It deletes two registry entries associated with one of the Win32.Bagle variants and then sends itself to all contacts found on the infected computer.
The arriving email will have the following characteristics:
Subject: The subject of this mail will be one of the following:
Correction, Criminal, Found, Funny, Hurts, Illegal, Letter, Money, More samples, Numbers, Only love?, Password, Picture, Pictures, Privacy, Question, Stolen, Text, Wow
Message body: The body of this mail will be one of the following:
Are your numbers correct?
Do you have asked me?
Do you have more photos about you?
Do you have more samples?
Do you have no money?
Do you have written the letter?
Does it hurt you?
Hey, are you criminal?
How can I help you?
I've found your creditcard. Check the data!
I've your password. Take it easy!
Please do not sent me your illegal stuff again!!!
Please use the font arial!
Still?
The text you sent to me is not so good!
True love letter?
Why do you show your body?
Wow! Why are you so shy?
You have no chance...
Your pictures are good!
Attached File: The worm may arrive as one of the following files:
abuses.pif, all_pictures.pif, corrected_doc.pif, document1.pif, hurts.pif, image034.pif, loveletter02.pif, my_stolen_document.pif, myabuselist.pif, passwords02.pif, pin_tel.pif, visa_data.pif, your_bill.pif, your_letter.pif, your_letter_03.pif, your_picture.pif, your_picture01.pif, your_text.pif, your_text01.pif
Malicious activity: When the worm is executed, it simply infects the system and sends itself onward as follows:
1. The worm first drops a copy of itself to the default Windows folder as csrss.exe.
2. To run on every startup, the worm creates the following registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "BagleAV" = "windir\csrss.exe"
Note: windir refers to the default Windows folder.
3. It then deletes the following registry entries which are usually created by a Win32.Bagle variant:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"drvsys.exe" = "windir\drvsys.exe"
"ssgrate.exe" = "windir\ssgrate.exe"
4. Finally, the worm harvests the system for email addresses and sends itself to all contacts found.
-- "He beheld the form of Sleeping Beauty, wondering how her supple lips would feel against his own and contemplating whether or not an Altoid was strong enough to stand up against the kind of morning breath only a hundred year's nap could create."
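The Sophos and Aladdin write-ups above both come down to the same two host indicators: a Run value named "BagleAV" pointing at a csrss.exe in the Windows folder, and missing or leftover Bagle Run values (drvsys.exe, ssgrate.exe). As an added defender-side example, not code from either vendor or from anyone in this thread, the Python below parses a `reg export` of the Run keys and flags those indicators; the sample export, its benign entry and the value data are constructed for illustration.

```python
import re

# Indicators quoted in the thread: Netsky.AB's own Run value and the Bagle Run values it deletes.
NETSKY_AB_RUN_VALUE = "bagleav"
BAGLE_RUN_VALUES = {"drvsys.exe", "ssgrate.exe"}
RUN_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\.*\\CurrentVersion\\Run\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')                 # REG_SZ values only
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|scr|pif|com))', re.I)  # program path before any arguments

def parse_run_entries(reg_text):
    """Return (hive, value_name, data) for every REG_SZ value under a ...\\Run key."""
    entries, hive = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                        # key header: track only Run keys
            m = RUN_KEY_RE.match(line)
            hive = m.group(1).upper() if m else None
            continue
        m = VALUE_RE.match(line)
        if hive and m:
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')  # undo .reg escaping
            entries.append((hive, m.group(1), data))
    return entries

def assess_run_entries(entries, windir=r"C:\WINDOWS"):
    """Return (kind, hive, name, data) for each Run entry matching a thread indicator."""
    findings = []
    for hive, name, data in entries:
        expanded = re.sub(r"%windir%|%systemroot%", lambda _: windir, data, flags=re.I)
        m = EXE_RE.match(expanded)
        exe = (m.group(1) if m else expanded).rsplit("\\", 1)[-1].lower()
        if name.lower() == NETSKY_AB_RUN_VALUE:
            findings.append(("netsky_ab_autorun", hive, name, data))
        elif exe == "csrss.exe":
            # The genuine csrss.exe is started by smss.exe and never appears in a Run key.
            findings.append(("csrss_in_run", hive, name, data))
        if name.lower() in BAGLE_RUN_VALUES or exe in BAGLE_RUN_VALUES:
            findings.append(("bagle_remnant", hive, name, data))
    return findings

# Constructed sample export (not a real capture) in the format `reg export` writes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BagleAV"="C:\\WINDOWS\\CSRSS.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jusched.exe\" -quiet"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ssgrate.exe"="%WinDir%\\ssgrate.exe"
'''
```

`assess_run_entries(parse_run_entries(SAMPLE_REG))` reports the BagleAV autorun and the ssgrate.exe remnant and leaves the Java updater alone. A real `reg export` file is UTF-16, so open it with encoding='utf-16' before passing its text in.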
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
Re: W32.Netsky.AB@mm
Just got this from Trend:
quote: As of April 28, 2004 1:20 AM PST, TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_NETSKY.AB. TrendLabs has received several infection reports indicating that this malware is spreading in Japan, Taiwan and Korea. There are also infections in Europe, particularly in France.
This NETSKY variant propagates via email. To spread, it sends copies of itself via SMTP (Simple Mail Transfer Protocol). It harvests email addresses from files located in local drives C to Z, and with particular extension names.
This malware also deletes Windows registry entries created by the BAGLE worm.
TrendLabs will be releasing the following EPS deliverables:
TMCM Outbreak Prevention Policy 108
Official Pattern Release 873
Damage Cleanup Template 327
For more information on WORM_NETSKY.AB, you can visit our Web site at: »www.trendmicro.com/vinfo/virusen···ETSKY.AB
kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
Symantec has increased W32.Netsky.AB@mm to a Category 3 threat, and (according to the website) has released a LiveUpdate on 4/28.
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
Second LiveUpdate for Today
said by kpatz : Symantec has increased W32.Netsky.AB@mm to a Category 3 threat, and (according to the website) has released a LiveUpdate on 4/28.
It's covered now.
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
Norman has a writeup: W32/Netsky.AB@mm »www.norman.com/Virus/Virus_descr···14865/en
said by Norman: Netsky.AB is detected and removed with definition files later than 28-Apr-2004; however, it was proactively detected as a W32/EmailWorm using Norman's Sandbox technology.
  gkweb
join:2003-06-09 76800
I often receive the P version of NetSky, but have not received the AB version yet, although I have already received an X version of Beagle (Category 3 level, like NetSky.AB), which is newer.
  EGeezer Go Bobcats Premium join:2002-08-04 Country!
Variant escapes RoadRunner detection
This is one that escaped RR's Norton scanner going and coming; it was sent 14:07Z, so it may be pretty fresh. Email, sender forged, came from an infected RoadRunner DHCP address.
Text: For security reasons attached file is password protected. The password is (bmp with numeric password)
attached object: Smoke.zip
ZIP filesize 21255
Smoke.zip Archive: ZIP
Smoke.zip/azywgai.exe Password protected
Smoke.zip/bfhch.dat Password protected
I've forwarded it for analysis and will update as appropriate.
HTH
EG
Edit - AVG, Symantec, Kaspersky didn't flag it. Testing others now.
Edit2 - Thanks kpatz - It looks like W32bagle.pwd - Also saw Randy Bell's reference to the earlier post - Will scan w/ Panda to see how it fares.
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
That undetected variant looks like a Bagle/Beagle, probably the newest one (Beagle.X/Bagle.Z/Bagle.AA, or whatever).
If you unzip the file with the provided password and then scan the contents, you should be able to get a positive ID on it that way. -- Robert Tappan Morris, Jr., got six months in jail for crashing 10% of the computers that Bill Gates made $100 million crashing last weekend.
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
said by kpatz: That undetected variant looks like a Bagle/Beagle, probably the newest one (Beagle.X/Bagle.Z/Bagle.AA, or whatever).
Here's the link to that thread: »W32/Bagle.aa@MM {NAI} or Bagle.AB {Panda}
  EGeezer Go Bobcats Premium join:2002-08-04 Country!
Heh, Panda got it. So far, only one out of three, PLUS RoadRunner's AV as well as a major research facility's IDS/AV/AT system. The only thing that stopped this one was the ol' hair-on-the-back-of-the-neck filter. :) The forged address was one I have as a legitimate sender.
Now we see how inexperienced Joe User could be fooled ...
EG
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
Re: W32.Netsky.AB@mm
BitDefender's naming convention deviates from the other vendors:
BitDefender: Win32.Netsky.AC@mm Aliases: Netsky.AB
»www.bitdefender.com/bd/site/viru···v_id=246
{BitDefender makes excellent removal tools, for anyone infected by this or any of the Netsky family}.