McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

-- Update August 16th, 2004 --
The risk assessment of this threat has been lowered to Low-Profiled due to decreased prevalence.
--

-- Update April 28, 2004 --
The assessment of this threat has been upgraded to Medium due to an increase in prevalence

This detection is for a new variant of W32/Netsky. It bears the following characteristics:

• harvests email addresses from the victim machine
• contains its own SMTP engine to construct outgoing messages
• emails arrives as a PIF extension attachment
• spoofs the From: address

Mail Propagation

The virus harvests email addresses from files on the victim machine with the following extensions:

• .adb
• .asp
• .cfg
• .cgi
• .dbx
• .dhtm
• .doc
• .eml
• .htm
• .html
• .jsp
• .mbx
• .mdx
• .mht
• .mmf
• .msg
• .nch
• .oft
• .php
• .ods
• .pl
• .ppt
• .rtf
• .sht
• .shtm
• .stm
• .tbb
• .txt
• .uin
• .vbs
• .wab
• .wsh
• .xls
• .xml

Messages are constructed using the virus' own SMTP engine. They bear the following characteristics:

From: spoofed (using harvested email addresses)
Subject: (selected from one of the following)

• Correction 
• Hurts  
• Privacy
• Password   
• Wow
• Criminal   
• Pictures   
• Text   
• Money  
• Stolen 
• Found  
• Numbers
• Funny  
• Only
• love? 
• More
• samples   
• Picture
• Letter 
• Question   
• Illegal

Body: (selected from one of the following)

• Please use the font arial! 
• How can I help you?
• Still? 
• I've your password.
• Take it easy!  
• Why do you show your body? 
• Hey, are you criminal? 
• Your pictures are good!
• The text you sent to me is not so good!
• True love letter?  
• Do you have no money?  
• Do you have asked me?  
• I've found your creditcard.
• Check the data!
• Are your numbers correct?  
• You have no chance...  
• Wow! Why are you so shy?   
• Do you have more samples?  
• Do you have more photos about you? 
• Do you have written the letter?
• Does it hurt you?  
• Please do not sent me your illegal stuff again!!!  

Attachment: (PIF extensions with one of the following filenames)

• corrected_doc.pif  
• hurts.pif  
• document1.pif  
• passwords02.pif
• image034.pif   
• myabuselist.pif
• your_picture01.pif 
• your_text01.pif
• your_letter.pif
• your_bill.pif  
• my_stolen_document.pif 
• visa_data.pif  
• pin_tel.pif
• your_text.pif  
• loveletter02.pif   
• all_pictures.pif   
• your_letter_03.pif 
• your_picture.pif   
• abuses.pif 

The virus installs itself on the victim machine as CSRSS.EXE:

• %WinDir%\CSRSS.EXE

(%WinDir% = Windows directory, such as c:\windows or c:\winnt)

The following Registry key is added to hook system startup:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "BagleAV" =  %WinDir%\CSRSS.EXE

Symptoms

• Outgoing DNS queries to one of the following hard-coded IP addresses:
  • 212.44.160.8   
  • 195.185.185.195
  • 151.189.13.35  
  • 213.191.74.19  
  • 193.189.244.205
  • 145.253.2.171  
  • 193.141.40.42  
  • 193.193.144.12 
  • 217.5.97.137   
  • 195.20.224.234 
  • 194.25.2.130   
  • 194.25.2.129   
  • 212.185.252.136
  • 212.185.253.70 
  • 212.185.252.73 
  • 62.155.255.16  
  • 194.25.2.134   
  • 194.25.2.133   
  • 194.25.2.132   
  • 194.25.2.131   
  • 193.193.158.10 
  • 212.7.128.165  
  • 212.7.128.162  
• Existence of the files and Registry keys detailed above

Method of Infection

This worm spreads by email, constructing messages using its own SMTP engine.

Removal

All Users :
Use the specified DAT files for detection and removal.

Stinger
Stinger has been updated to assist in detecting and repairing this threat.

Additional Windows ME/XP removal considerations

McAfee Threatscan
ThreatScan signatures that can detect the W32/Netsky.ab@MM virus are available from:

      -Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt
      -Threatscan 2.0/2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt

ThreatScan Signature version: 2004-04-28
ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

• Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
  -or-
• Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

• Run the "ThreatScan Template Report"
• Look for module number #4066

McAfee System Compliance Profiler
Create a rule that matches a file

• Choose WINDOWS_DIR from the drop-down
• Type in CSRSS.EXE for the file name
• Choose "File does not exist" in the next drop-down

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

-- Update August 16th, 2004 --
The risk assessment of this threat has been lowered to Low-Profiled due to decreased prevalence.
--

-- Update April 28, 2004 --
The assessment of this threat has been upgraded to Medium due to an increase in prevalence

This detection is for a new variant of W32/Netsky. It bears the following characteristics:

• harvests email addresses from the victim machine
• contains its own SMTP engine to construct outgoing messages
• emails arrives as a PIF extension attachment
• spoofs the From: address

Mail Propagation

The virus harvests email addresses from files on the victim machine with the following extensions:

• .adb
• .asp
• .cfg
• .cgi
• .dbx
• .dhtm
• .doc
• .eml
• .htm
• .html
• .jsp
• .mbx
• .mdx
• .mht
• .mmf
• .msg
• .nch
• .oft
• .php
• .ods
• .pl
• .ppt
• .rtf
• .sht
• .shtm
• .stm
• .tbb
• .txt
• .uin
• .vbs
• .wab
• .wsh
• .xls
• .xml

Messages are constructed using the virus' own SMTP engine. They bear the following characteristics:

From: spoofed (using harvested email addresses)
Subject: (selected from one of the following)

• Correction 
• Hurts  
• Privacy
• Password   
• Wow
• Criminal   
• Pictures   
• Text   
• Money  
• Stolen 
• Found  
• Numbers
• Funny  
• Only
• love? 
• More
• samples   
• Picture
• Letter 
• Question   
• Illegal

Body: (selected from one of the following)

• Please use the font arial! 
• How can I help you?
• Still? 
• I've your password.
• Take it easy!  
• Why do you show your body? 
• Hey, are you criminal? 
• Your pictures are good!
• The text you sent to me is not so good!
• True love letter?  
• Do you have no money?  
• Do you have asked me?  
• I've found your creditcard.
• Check the data!
• Are your numbers correct?  
• You have no chance...  
• Wow! Why are you so shy?   
• Do you have more samples?  
• Do you have more photos about you? 
• Do you have written the letter?
• Does it hurt you?  
• Please do not sent me your illegal stuff again!!!  

Attachment: (PIF extensions with one of the following filenames)

• corrected_doc.pif  
• hurts.pif  
• document1.pif  
• passwords02.pif
• image034.pif   
• myabuselist.pif
• your_picture01.pif 
• your_text01.pif
• your_letter.pif
• your_bill.pif  
• my_stolen_document.pif 
• visa_data.pif  
• pin_tel.pif
• your_text.pif  
• loveletter02.pif   
• all_pictures.pif   
• your_letter_03.pif 
• your_picture.pif   
• abuses.pif 

The virus installs itself on the victim machine as CSRSS.EXE:

• %WinDir%\CSRSS.EXE

(%WinDir% = Windows directory, such as c:\windows or c:\winnt)

The following Registry key is added to hook system startup:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "BagleAV" =  %WinDir%\CSRSS.EXE

Symptoms

Symptoms -

• Outgoing DNS queries to one of the following hard-coded IP addresses:
  • 212.44.160.8   
  • 195.185.185.195
  • 151.189.13.35  
  • 213.191.74.19  
  • 193.189.244.205
  • 145.253.2.171  
  • 193.141.40.42  
  • 193.193.144.12 
  • 217.5.97.137   
  • 195.20.224.234 
  • 194.25.2.130   
  • 194.25.2.129   
  • 212.185.252.136
  • 212.185.253.70 
  • 212.185.252.73 
  • 62.155.255.16  
  • 194.25.2.134   
  • 194.25.2.133   
  • 194.25.2.132   
  • 194.25.2.131   
  • 193.193.158.10 
  • 212.7.128.165  
  • 212.7.128.162  
• Existence of the files and Registry keys detailed above

Method of Infection

Method of Infection -

This worm spreads by email, constructing messages using its own SMTP engine.

Removal -

Removal -

All Users :
Use the specified DAT files for detection and removal.

Stinger
Stinger has been updated to assist in detecting and repairing this threat.

Additional Windows ME/XP removal considerations

McAfee Threatscan
ThreatScan signatures that can detect the W32/Netsky.ab@MM virus are available from:

      -Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt
      -Threatscan 2.0/2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt

ThreatScan Signature version: 2004-04-28
ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

• Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
  -or-
• Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

• Run the "ThreatScan Template Report"
• Look for module number #4066

McAfee System Compliance Profiler
Create a rule that matches a file

• Choose WINDOWS_DIR from the drop-down
• Type in CSRSS.EXE for the file name
• Choose "File does not exist" in the next drop-down

Variants

Variants -

N/A