|W32/Netsky.AB is a mass mailing worm. This worm is a variant of W32/Netsky.Z.This worm infects Windows
systems and spreads through email. The infected email carries a spoofed 'From' address, picked up from
the infected system.
The subject of the infected email will be any one of the following;
The body of the infected email will be any one of the following;
True love letter?
Does it hurt you?
How can I help you?
You have no chance...
Your pictures are good!
Hey, are you criminal?
Do you have asked me?
Do you have no money?
Please use the font arial!
Why do you show your body?
Wow! Why are you so shy?
Do you have more samples?
Are your numbers correct?
Do you have written the letter?
I've your password. Take it easy!
Do you have more photos about you?
I've found your creditcard. Check the data!
Please do not sent me your illegal stuff again!!!
The text you sent to me is not so good!
The infected email has any one of the following attachments;
Upon execution of the infected attachment, the worm copies itself as csrss.exe in the Windows folder.
The worm also creates a mutex S-k-y-n-e-t--A-n-t-i-v-i-r-u-s-T-e-a-m to check the presence of the
worm in system memory.The worm modifies registry at the following location to run itself at the
To propagate itself, the worm scans the files having the following extensions and collects all the
available email addresses from the infected system;
.pl, .rtf, .oft, .txt, .uin, .jsp, .tbb, .cgi, .sht, .vbs, .doc, .dbx, .asp, .adb, .php, .htm,
.eml, .xml, .wab, .wsh, .msg, .html, .dhtm, .shtm The worm mails itself to these addresses using
its own SMTP engine.
This worm first appeared on April 28, 2004. Other names of W32/Netsky.AB Worm:
This worm is also known as Win32.Netsky.AB, W32.Netsky.AB@mm, W32/Netsky.ab@MM, NetSky.AB ,