[virusinfo] Sophos Anti-Virus IDE alert: W32/Netsky-AB

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Wed, 28 Apr 2004 13:11:26 -0700


From: Sophos Alert System:

Name: W32/Netsky-AB
Type: Win32 worm
Date: 28 April 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2004 (3.82) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any 
of the Sophos small business solutions will be automatically
protected at their next scheduled update.


Information about W32/Netsky-AB can be found at:
http://www.sophos.com/virusinfo/analyses/w32netskyab.html
Description 
W32/Netsky-AB is a mass-mailing worm that uses its own SMTP engine to
email itself to addresses harvested from files on local drives. 
In order to run automatically when the user logs on to the computer the worm
copies itself to the file csrss.exe in the Windows folder and creates the
following registry entry to point to it: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BagleAV 

The worm will delete registry entries under this key that point to files
named drvsys.exe and ssgrate.exe. These are copies of files related to the
Bagle family of worms that may have been dropped by previous infections. 

W32/Netsky-AB will gather information about infected systems in a log file
called C:\Detlog.txt. 

Emails have the following characteristics: 

Subject lines chosen from: 

Correction
Hurts
Privacy
Password
Wow
Criminal
Pictures
Text
Money
Stolen
Found
Numbers
Funny
Only love?
More samples
Picture
Letter
Question 

Message texts chosen from: 

Please use the font arial!
How can I help you?
Still?
Ive your password. Take it easy!
Why do you show your body?
Hey, are you criminal?
Your pictures are good!
The text you sent to me is not so good!
True love letter?
Do you have no money?
Do you have asked me?
Ive found your creditcard. Check the data!
Are your numbers correct?
You have no chance...
Wow! Why are you so shy?
Do you have more samples?
Do you have more photos about you?
Do you have written the letter?
Does it hurt you?
Please do not sent me your illegal stuff again!!! 

Attached filename chosen from: 

corrected_doc.pif
hurts.pif
document1.pif
passwords02.pif
image034.pif
myabuselist.pif
your_picture01.pif
your_text01.pif
your_letter.pif
your_bill.pif
my_stolen_document.pif
visa_data.pif
pin_tel.pif
your_text.pif
loveletter02.pif
all_pictures.pif
your_letter_03.pif
your_picture.pif
abuses.pif 

W32/Netsky-AB will attempt to terminate antivirus-related processes whose
filenames contain text taken from the following list: 

iruslis
antivir
sophos
freeav
andasoftwa
skynet
messagelabs
aspersky
itdefender
f-secur
ymantec
antivi
icrosoft 

W32/Netsky-AB will try to establish a connection with the following
addresses: 

212.7.128.162
212.7.128.165
193.193.158.10
194.25.2.131
194.25.2.132
194.25.2.133
194.25.2.134
62.155.255.16
212.185.252.73
212.185.253.70
212.185.252.136
194.25.2.129
194.25.2.130
195.20.224.234
217.5.97.137
194.25.1.129
193.193.144.12
193.141.40.42
145.253.2.171
193.189.244.205
213.191.74.19
151.189.13.35
195.185.185.195
212.44.160.8 

W32/Netsky-AB harvests email addresses from files with the following
extensions: 

ppt,nch,mmf,mht,xml,wsh,jsp,xls,stm,ods,msg,oft,sht,html,htm,pl,dbx,tbb,adb,
dhtm,cgi,shtm,uin,rtf,vbs,doc,wab,asp,mdx,mbx,cfg,php,txt,eml 

W32/Netsky-AB contains the text 'Hey Bagle, feel our revenge!'. 
 
 
Recovery 
Please follow the instructions for removing worms.

Change any data that may have become compromised. 

Delete the file C:\Detlog.txt if it exists. 

Windows NT/2000/XP/2003 

In Windows NT/2000/XP/2003 you will also need to edit the following registry
entry. The removal of this entry is optional in Windows 95/98/Me. Please
read the warning about editing the registry. 

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The
registry editor opens. 

Before you edit the registry, you should make a backup. On the 'Registry'
menu, click 'Export Registry File'. In the 'Export range' panel, click
'All', then save your registry as Backup. 

Locate the HKEY_LOCAL_MACHINE entry: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BagleAV 

and delete it if it exists. 

Close the registry editor. 
 
 
Download the IDE file from:
http://www.sophos.com/downloads/ide/netskyab.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
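The advisory lists three fixed sets of mail characteristics (subject, message text, attachment name). The script below is an added example, not Sophos tooling or anything from the original post: it parses a raw message, reports which of the three published lists it matches, and only calls a message a Netsky-AB match when the attachment name is on the list and at least one other indicator agrees, since a lone subject such as "Password" is far too common to act on. The sample messages are constructed inline for illustration; the string lists are copied from the advisory above.

```python
"""Mail triage against the published W32/Netsky-AB indicators.

Added example (not Sophos's tooling): the subject, body and attachment
lists are copied from the advisory; the sample messages are constructed
here for illustration and are not real captures.
"""
import email
from email import policy
from email.message import EmailMessage

SUBJECTS = {
    "Correction", "Hurts", "Privacy", "Password", "Wow", "Criminal",
    "Pictures", "Text", "Money", "Stolen", "Found", "Numbers", "Funny",
    "Only love?", "More samples", "Picture", "Letter", "Question",
}
BODIES = {
    "Please use the font arial!", "How can I help you?", "Still?",
    "Ive your password. Take it easy!", "Why do you show your body?",
    "Hey, are you criminal?", "Your pictures are good!",
    "The text you sent to me is not so good!", "True love letter?",
    "Do you have no money?", "Do you have asked me?",
    "Ive found your creditcard. Check the data!", "Are your numbers correct?",
    "You have no chance...", "Wow! Why are you so shy?",
    "Do you have more samples?", "Do you have more photos about you?",
    "Do you have written the letter?", "Does it hurt you?",
    "Please do not sent me your illegal stuff again!!!",
}
ATTACHMENTS = {
    "corrected_doc.pif", "hurts.pif", "document1.pif", "passwords02.pif",
    "image034.pif", "myabuselist.pif", "your_picture01.pif", "your_text01.pif",
    "your_letter.pif", "your_bill.pif", "my_stolen_document.pif", "visa_data.pif",
    "pin_tel.pif", "your_text.pif", "loveletter02.pif", "all_pictures.pif",
    "your_letter_03.pif", "your_picture.pif", "abuses.pif",
}


def score_message(raw: bytes) -> dict:
    """Return which Netsky-AB indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    pif_seen = False
    if str(msg["Subject"] or "").strip() in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            lowered = name.lower()
            pif_seen |= lowered.endswith(".pif")
            if lowered in ATTACHMENTS:
                hits.add("attachment")
        elif part.get_content_type() == "text/plain":
            if part.get_content().strip() in BODIES:
                hits.add("body")
    # The worm always carries one of the listed .pif names; require it plus
    # one more indicator before calling a match, since subjects like
    # "Password" or "Question" occur constantly in legitimate mail.
    if "attachment" in hits and len(hits) >= 2:
        verdict = "match"
    elif pif_seen:
        verdict = "pif-attachment"
    else:
        verdict = "no-match"
    return {"hits": sorted(hits), "verdict": verdict}


def build_sample(subject, body, attachment=None) -> bytes:
    """Construct a test message (not a real capture) with an optional attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        # Placeholder bytes stand in for the worm body; only the name matters here.
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


def triage_samples() -> dict:
    """Run the scorer over three constructed messages and return the verdicts."""
    samples = {
        "worm": build_sample("Found", "Ive found your creditcard. Check the data!",
                             "visa_data.pif"),
        "pif_only": build_sample("Meeting notes", "See attached.", "notes.pif"),
        "benign": build_sample("Password", "Can you reset my password?"),
    }
    return {name: score_message(raw)["verdict"] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name}: {verdict}")
```

Feed score_message() the raw bytes of any quarantined message; a "pif-attachment" verdict is worth a look even when no list entry matches, since .pif attachments have no legitimate business use in mail, while a "match" verdict should also prompt the host-side checks from the Recovery section (csrss.exe in the Windows folder, the BagleAV Run key, C:\Detlog.txt).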
