
Win32.Netsky.AC@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Netsky.AC@mm is also known as Netsky.AB.

Explanation :

This mass-mailer was compiled with Visual C++ 6 and packed with a custom algorithm. It arrives in an email in the following format:

From: (forged email address)
Subject / Body / Attachment: one of these combinations:

- Illegal / Please do not sent me your illegal stuff again!!! / abuses.pif
- Question / Does it hurt you? / your_picture.pif
- Letter / Do you have written the letter? / your_letter_03.pif
- Picture / Do you have more photos about you? / all_pictures.pif
- More samples / Do you have more samples? / your_picture.pif
- Only love? / Wow! Why are you so shy? / loveletter02.pif
- Funny / You have no chance... / your_text.pif
- Numbers / Are your numbers correct? / pin_tel.pif
- Found / I've found your creditcard. Check the data! / visa_data.pif
- Stolen / Do you have asked me? / my_stolen_document.pif
- Money / Do you have no money? / your_bill.pif
- Letter / True love letter? / your_letter.pif
- Text / The text you sent to me is not so good! / your_text01.pif
- Pictures / Your pictures are good! / your_picture01.pif
- Criminal / Hey, are you criminal? / myabuselift.pif
- Wow / Why do you show your body? / image034.pif
- Password / I've your password. Take it easy! / passwords02.pif
- Privacy / Still? / document1.pif
- Hurts / How can I help you? / hurts.pif
- Correction / Please use the font arial! / corrected_doc.pif
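The subject/attachment pairs above are the most stable part of the lure, since the body text varies but the attachment name is always one of twenty fixed .pif names. The following mail-gateway check is an added example (not BitDefender's code) that parses a raw RFC 822 message, extracts attachment filenames and grades the message: a subject/attachment pair from the table is a strong match, a known attachment name alone is still a match, and any other .pif attachment is flagged as suspicious. The three sample messages are constructed for the example; the base64 payload is a few filler bytes, not a real sample.

```python
import email
from email import policy

# Subject / attachment pairs listed above for Win32.Netsky.AC@mm.
NETSKY_AC_PAIRS = {
    ("Illegal", "abuses.pif"), ("Question", "your_picture.pif"),
    ("Letter", "your_letter_03.pif"), ("Picture", "all_pictures.pif"),
    ("More samples", "your_picture.pif"), ("Only love?", "loveletter02.pif"),
    ("Funny", "your_text.pif"), ("Numbers", "pin_tel.pif"),
    ("Found", "visa_data.pif"), ("Stolen", "my_stolen_document.pif"),
    ("Money", "your_bill.pif"), ("Letter", "your_letter.pif"),
    ("Text", "your_text01.pif"), ("Pictures", "your_picture01.pif"),
    ("Criminal", "myabuselift.pif"), ("Wow", "image034.pif"),
    ("Password", "passwords02.pif"), ("Privacy", "document1.pif"),
    ("Hurts", "hurts.pif"), ("Correction", "corrected_doc.pif"),
}
NETSKY_AC_ATTACHMENTS = {name for _, name in NETSKY_AC_PAIRS}


def classify_message(raw: bytes) -> dict:
    """Grade one raw message: 'netsky.ac', 'suspicious-pif' or 'clean'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(name.strip())
    pif = [n for n in names if n.lower().endswith(".pif")]
    known = [n for n in names if n.lower() in NETSKY_AC_ATTACHMENTS]
    # Subjects are matched exactly: the worm sends them verbatim.
    pair = any((subject, n.lower()) in NETSKY_AC_PAIRS for n in names)
    if pair or known:
        verdict = "netsky.ac"
    elif pif:
        verdict = "suspicious-pif"  # .pif attachments have no business in mail
    else:
        verdict = "clean"
    return {"subject": subject, "attachments": names, "pif_attachments": pif,
            "known_attachment": bool(known), "pair_match": pair,
            "verdict": verdict}


# Constructed sample messages (not captured samples).
SAMPLE_NETSKY = b"""From: alice@example.org
To: bob@example.net
Subject: Found
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xx"

--xx
Content-Type: text/plain

I've found your creditcard. Check the data!

--xx
Content-Type: application/octet-stream; name="visa_data.pif"
Content-Disposition: attachment; filename="visa_data.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--xx--
"""

SAMPLE_OTHER_PIF = b"""From: carol@example.org
To: bob@example.net
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="yy"

--yy
Content-Type: text/plain

see attached
--yy
Content-Type: application/octet-stream; name="setup.pif"
Content-Disposition: attachment; filename="setup.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--yy--
"""

SAMPLE_CLEAN = b"""From: dave@example.org
To: bob@example.net
Subject: Lunch
Content-Type: text/plain

Lunch at noon?
"""

if __name__ == "__main__":
    for raw in (SAMPLE_NETSKY, SAMPLE_OTHER_PIF, SAMPLE_CLEAN):
        r = classify_message(raw)
        print(r["subject"], r["attachments"], r["verdict"])
```

In production you would normalise the subject (some gateways re-encode or prefix it) and score on the attachment name alone, because the pair match only adds confidence; the attachment set is the indicator that survives header mangling.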

The virus uses a mutex named S-k-y-n-e-t--A-n-t-i-v-i-r-u-s-T-e-a-m to avoid running two copies of itself. It copies itself as csrss.exe into the Windows folder (the legitimate csrss.exe lives in the System32 folder, so a copy directly under the Windows folder is itself a tell) and creates the value BagleAV under HKLM\Software\Microsoft\Windows\CurrentVersion\Run so that it runs at every logon. It also deletes the values ssgrate.exe and drvsys.exe from HKCU\Software\Microsoft\Windows\CurrentVersion\Run in order to uninstall Bagle.W and Bagle.Z.

It creates a thread that scans all non-CD-ROM drives from C: to Z: and harvests email addresses from files with the following extensions: .eml, .txt, .php, .cfg, .mbx, .mdx, .asp, .wab, .doc, .vbs, .rtf, .uin, .shtm, .cgi, .dhtm, .adb, .tbb, .dbx, .pl, .htm, .html, .sht, .oft, .msg, .ods, .stm, .xls, .jsp, .wsh, .xml, .mht, .mmf, .nch, .ppt.

Email addresses containing any of the following substrings will be avoided: icrosoft, antivi, ymantec, spam, avp, f-secur, itdefender, orman, cafee, aspersky, f-pro, orton, fbi, abuse, messagelab, skynet, andasoftwa, freeav, sophos, antivir, iruslis.

It creates 8 threads to send emails to the addresses in the list. For each destination address the virus looks up the IP of the recipient's mail server by performing an MX query, using either the user's configured DNS server or one of the following hardcoded DNS servers, and then delivers directly to that mail server rather than through the local mail relay: 212.7.128.162, 212.7.128.165, 193.193.158.10, 194.25.2.131, 194.25.2.132, 194.25.2.133, 194.25.2.134, 62.155.255.16, 212.185.252.73, 212.185.253.70, 212.185.252.136, 194.25.2.129, 194.25.2.130, 195.20.224.234, 217.5.97.137, 194.25.2.129, 193.193.144.12, 193.141.40.42, 145.253.2.171, 193.189.244.205, 213.191.74.19, 151.189.13.35, 195.185.185.195, 195.185.185.195, 212.44.160.8.
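Two network signals fall out of the sending logic above: DNS queries from a workstation to one of the hardcoded resolvers (a host that uses its configured resolver never needs them), and a workstation opening SMTP connections to many distinct mail servers, which is what eight threads delivering straight to each recipient's MX look like from the edge. The following flow-record check is an added example (not BitDefender's code): it takes (source, destination, destination port) tuples such as a NetFlow export would give, the set of resolvers the site actually configures, and a fan-out threshold. The threshold of 8 is an assumption chosen to match the worm's thread count; the flow records are constructed for the example, with 203.0.113.0/24 standing in for external mail servers.

```python
from collections import defaultdict

# DNS servers hardcoded in Win32.Netsky.AC@mm, as listed above (duplicates
# in the page's list collapse into the set).
NETSKY_AC_RESOLVERS = frozenset({
    "212.7.128.162", "212.7.128.165", "193.193.158.10", "194.25.2.131",
    "194.25.2.132", "194.25.2.133", "194.25.2.134", "62.155.255.16",
    "212.185.252.73", "212.185.253.70", "212.185.252.136", "194.25.2.129",
    "194.25.2.130", "195.20.224.234", "217.5.97.137", "193.193.144.12",
    "193.141.40.42", "145.253.2.171", "193.189.244.205", "213.191.74.19",
    "151.189.13.35", "195.185.185.195", "212.44.160.8",
})


def analyse_flows(flows, configured_resolvers, smtp_fanout_threshold=8):
    """Return (src, finding, detail) tuples for hosts whose traffic matches
    the worm's sending behaviour.

    flows: iterable of (src_ip, dst_ip, dst_port).
    configured_resolvers: the DNS servers clients are supposed to use; a
    query to a hardcoded resolver that is also the site resolver is not
    a finding.
    """
    findings = []
    smtp_dests = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 53 and dst in NETSKY_AC_RESOLVERS \
                and dst not in configured_resolvers:
            findings.append((src, "dns-to-netsky-hardcoded-resolver", dst))
        elif dport == 25:
            smtp_dests[src].add(dst)
    # A client delivering straight to recipients' MX hosts talks to many
    # distinct SMTP servers; a client using the site relay talks to one.
    for src, dests in sorted(smtp_dests.items()):
        if len(dests) >= smtp_fanout_threshold:
            findings.append((src, "direct-smtp-fanout", len(dests)))
    return findings


def suspect_hosts(findings):
    """Source addresses with at least one finding."""
    return {src for src, _, _ in findings}


# Constructed flow records: 10.0.0.5 behaves like an infected host,
# 10.0.0.7 like a normal client using the site resolver and relay.
SAMPLE_FLOWS = [
    ("10.0.0.5", "212.7.128.162", 53),
    ("10.0.0.5", "194.25.2.131", 53),
] + [("10.0.0.5", f"203.0.113.{i}", 25) for i in range(1, 10)] + [
    ("10.0.0.7", "10.0.0.1", 53),
    ("10.0.0.7", "10.0.0.25", 25),
]
SITE_RESOLVERS = {"10.0.0.1"}

if __name__ == "__main__":
    for finding in analyse_flows(SAMPLE_FLOWS, SITE_RESOLVERS):
        print(*finding)
    print("suspect hosts:", sorted(suspect_hosts(analyse_flows(SAMPLE_FLOWS, SITE_RESOLVERS))))
```

The fan-out rule is deliberately generic: it catches any mass-mailer that does its own MX resolution, not just this variant, so it belongs in the egress policy (block outbound 25 and 53 from workstations) rather than only in a signature.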

The "from" field is forged with a random email address taken from the list. Before scanning the drives for email addresses, the list is initialized with the hardcoded address xdfggra@yahoo.com.

Although the virus sets a flag for each email address that a thread is sending a message to, so that other threads do not use that address again, the check and the flag update are not atomic: a thread can be interrupted after it chooses its target and before it sets the flag, and another thread then chooses the same address, so an address can be targeted twice.
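The window between "choose an unflagged address" and "set its flag" is an ordinary check-then-act race. The following is an added example (not the worm's code or BitDefender's) that reproduces it with eight threads and a list of constructed addresses: in the racy variant a barrier holds every thread in exactly that window so the interruption the text describes is forced rather than left to scheduling luck, and all eight pick the same target; in the fixed variant the choose-and-flag step runs under one lock, so each thread claims a distinct address. The barrier and the eight-thread count are assumptions made for the demonstration.

```python
import threading

# Constructed address list (not harvested data).
ADDRESSES = [f"user{i}@example.test" for i in range(10)]


def claim_targets(addresses, workers=8, atomic=True):
    """Each worker claims one address. Returns the list of claimed
    addresses in completion order (None if a worker found nothing)."""
    flags = [False] * len(addresses)
    claim_lock = threading.Lock()
    # In the racy variant every worker pauses here between choosing and
    # flagging, which is the interruption the text describes.
    window = threading.Barrier(workers)
    chosen, chosen_lock = [], threading.Lock()

    def choose():
        for i, taken in enumerate(flags):
            if not taken:
                return i
        return None

    def worker():
        if atomic:
            with claim_lock:            # check and set as one step
                i = choose()
                if i is not None:
                    flags[i] = True
        else:
            i = choose()                # check ...
            window.wait()               # ... interrupted ...
            if i is not None:
                flags[i] = True         # ... set, too late to be unique
        with chosen_lock:
            chosen.append(None if i is None else addresses[i])

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return chosen


def duplicate_targets(chosen):
    """Addresses that more than one worker claimed."""
    seen, dups = set(), set()
    for addr in chosen:
        if addr in seen:
            dups.add(addr)
        seen.add(addr)
    return dups


if __name__ == "__main__":
    racy = claim_targets(ADDRESSES, atomic=False)
    safe = claim_targets(ADDRESSES, atomic=True)
    print("racy duplicates:", sorted(duplicate_targets(racy)))
    print("locked duplicates:", sorted(duplicate_targets(safe)))
```

The same fix applies to any worker pool that hands out items from a shared list: either take a lock around the whole check-and-mark, or use a queue so that removal is the claim.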

The following text appears in the virus: Hey Bagle, feel our revenge!

Last update 21 November 2011