By Robert Vamosi
Netsky continues to harvest e-mail addresses and remove recent Bagle infections
(April 30, 2004)
How it works
Netsky.ab arrives as e-mail with a spoofed return address, a blank subject line, and blank body text. The attached file has a .pif extension; its file name varies.
If executed, Netsky.ab will add the following file to the Windows System folder:
- csrss.exe
Netsky.ab will also add the following Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run BagleAV = %Windows%\CSRSS.EXE
Netsky.ab will delete the following Registry items if the computer was previously infected with Bagle.z or Bagle.ab:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SSGRATE.EXE
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run DRVSYS.EXE
Netsky.ab contains the following message within its code: "Hey Bagle, feel our revenge!"
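The file and Run-key indicators listed above can be checked in one pass on a suspect host. The PowerShell script below is an added example written for this page; it is not code from the article or from any antivirus vendor. The registry paths and value names are taken from the text; the assumption that the genuine csrss.exe resides in %SystemRoot%\System32 (so that a copy directly under the Windows folder is the worm's dropped file) is the editor's own. The script only reads the registry and file system and changes nothing.

```powershell
# Added example (not from the original article): read-only triage check for the
# Netsky.ab / Bagle Run-key and dropped-file indicators described above.
# Run from an elevated PowerShell session on the host under investigation.

$runKeys = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'BagleAV';     Family = 'Netsky.ab' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'SSGRATE.EXE'; Family = 'Bagle.z / Bagle.ab' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'DRVSYS.EXE';  Family = 'Bagle.z / Bagle.ab' }
)

$findings = @()

foreach ($k in $runKeys) {
    # -ErrorAction SilentlyContinue yields $null when the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $k.Path -Name $k.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings += [pscustomobject]@{
            Indicator = "$($k.Path)\$($k.Name)"
            Data      = $item.($k.Name)
            Family    = $k.Family
        }
    }
}

# The BagleAV Run value points at %Windows%\CSRSS.EXE. Assumption: the legitimate
# csrss.exe lives in %SystemRoot%\System32, so a copy directly under the Windows
# folder is the worm's dropped file. Record its timestamp for the incident timeline.
$dropped = Join-Path $env:SystemRoot 'CSRSS.EXE'
if (Test-Path -Path $dropped) {
    $findings += [pscustomobject]@{
        Indicator = $dropped
        Data      = (Get-Item -Path $dropped).LastWriteTime
        Family    = 'Netsky.ab'
    }
}

if ($findings.Count -eq 0) {
    'No Netsky.ab or Bagle Run-key / dropped-file indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the HKCU values without the HKLM BagleAV value is consistent with a Bagle infection that Netsky.ab has not (yet) removed; a hit on BagleAV plus the file under the Windows folder matches the Netsky.ab behaviour the article describes.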
Prevention
This variation of Netsky does not rely upon a specific Microsoft vulnerability but on simple social engineering. Remember to never open attached e-mail files without first saving them to the hard drive and scanning for known viruses. The latest signature file from your antivirus vendor should protect you against this Netsky variation. Additionally, the use of a personal firewall may prevent Netsky from communicating with the virus author.
Removal
Most antivirus software companies have updated their signature files to include these worms. These signature files will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Sophos, Symantec, and Trend Micro.