Skip to content

Export page to PDF
WORM_NETSKY.P
Aliases: Worm:Win32/Netsky.P@mm (Microsoft), W32/Netsky.p@MM (McAfee), W32.Netsky.P@mm (Symantec)
Malware type: Worm
Destructive: No
Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
In the wild: Yes

Overview


This worm arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives via peer-to-peer (P2P) shares. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Technical Details


File size: 29,592 bytes
File type: EXE
Memory resident: Yes
Initial samples received date: 08 Apr 2009

Arrival Details

This worm arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives via peer-to-peer (P2P) shares.

It may arrive via network shares.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following component file(s):

  • %Windows%\USERCONFIG9X.DLL
  • %Windows%\zip1.tmp
  • %Windows%\zip2.tmp
  • %Windows%\zip3.tmp
  • %Windows%\base64.tmp
  • %Windows%\zipped.tmp

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

It drops the following copies of itself into the affected system:

  • %Windows%\FVPROTECT.EXE

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Norton Antivirus AV = "%Windows%\FVProtect.exe"

Other System Modifications

This worm deletes the following registry keys:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\
InProcServer32

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
Explorer

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
OLE

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
Taskmon

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
Windows Services Host

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
au.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
d3dupdate.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
direct.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
gouday.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
rate.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
srate.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
ssate.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
sysmon.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
winupd.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
PINF

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices\
Video

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices\
system.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
DELETE ME

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
Sentry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
Taskmon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
Video

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
Windows Services Host

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
direct.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
jijb

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
msgsvr32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
service

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
system.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
winupd.exe

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\WksPatch

Propagation

This worm drops copies of itself into the following folders used in peer-to-peer (P2P) networks:

  • my shared folder
  • download
  • ftp
  • htdocs
  • http
  • upload
  • shar
  • icq
  • bear
  • lime
  • morpheus
  • donkey
  • mule
  • kazaa
  • shared files

It uses the following file names for the copies it drops into shared networks:

  • 1001 Sex and more.rtf.exe
  • 3D Studio Max 6 3dsmax.exe
  • ACDSee 10.exe
  • Adobe Photoshop 10 crack.exe
  • Adobe Photoshop 10 full.exe
  • Adobe Premiere 10.exe
  • Ahead Nero 8.exe
  • Altkins Diet.doc.exe
  • American Idol.doc.exe
  • Arnold Schwarzenegger.jpg.exe
  • Britney Spears Sexy archive.doc.exe
  • Britney Spears Song text archive.doc.exe
  • Britney Spears and Eminem porn.jpg.exe
  • Britney Spears blowjob.jpg.exe
  • Britney Spears cumshot.jpg.exe
  • Britney Spears fuck.jpg.exe
  • Britney Spears full album.mp3.exe
  • Britney Spears porn.jpg.exe
  • Britney Spears.jpg.exe
  • Britney Spears.mp3.exe
  • Britney sex xxx.jpg.exe
  • Clone DVD 6.exe
  • Cloning.doc.exe
  • Cracks & Warez Archiv.exe
  • Dictionary English 2004 - France.doc.exe
  • DivX 8.0 final.exe
  • Doom 3 release 2.exe
  • E-Book Archive2.rtf.exe
  • Eminem Poster.jpg.exe
  • Eminem Sexy archive.doc.exe
  • Eminem Song text archive.doc.exe
  • Eminem Spears porn.jpg.exe
  • Eminem blowjob.jpg.exe
  • Eminem full album.mp3.exe
  • Eminem sex xxx.jpg.exe
  • Eminem.mp3.exe
  • Gimp 1.8 Full with Key.exe
  • Harry Potter 1-6 book.txt.exe
  • Harry Potter 5.mpg.exe
  • Harry Potter all e.book.doc.exe
  • Harry Potter e book.doc.exe
  • Harry Potter game.exe
  • Harry Potter.doc.exe
  • How to hack new.doc.exe
  • Internet Explorer 9 setup.exe
  • Kazaa new.exe
  • Keygen 4 all new.exe
  • Learn Programming 2004.doc.exe
  • Lightwave 9 Update.exe
  • MS Service Pack 6.exe
  • Magix Video Deluxe 5 beta.exe
  • Matrix.mpg.exe
  • Microsoft Office 2003 Crack best.exe
  • Microsoft WinXP Crack full.exe
  • Norton Antivirus 2005 beta.exe
  • Opera 11.exe
  • Partitionsmagic 10 beta.exe
  • RFC compilation.doc.exe
  • Ringtones.doc.exe
  • Ringtones.mp3.exe
  • Saddam Hussein.jpg.exe
  • Serials edition.txt.exe
  • Smashing the stack full.rtf.exe
  • Star Office 9.exe
  • The Sims 4 beta.exe
  • Ulead Keygen 2004.exe
  • Visual Studio Net Crack all.exe
  • Win Longhorn re.exe
  • WinAmp 13 full.exe
  • WinXP eBook newest.doc.exe
  • Windows 2000 Sourcecode.doc.exe
  • Windows 2003 crack.exe
  • Windows XP crack.exe
  • XXX hardcore pics.jpg.exe
  • Kazaa Lite 4.0 new.exe

Solution


Minimum scan engine: 9.300
VSAPI OPR Pattern Version: 5.883.00
VSAPI OPR Pattern Release Date: 08 Apr 2009

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Identify and terminate files detected as WORM_NETSKY.P

[ Learn more ]
  1. Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
  2. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  3. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 3

Delete this registry value

[ Learn more ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.


 
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Norton Antivirus AV = "%Windows%\FVProtect.exe"

Step 4

Search and delete these files

[ Learn more ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %Windows%\USERCONFIG9X.DLL
  • %Windows%\zip1.tmp
  • %Windows%\zip2.tmp
  • %Windows%\zip3.tmp
  • %Windows%\base64.tmp
  • %Windows%\zipped.tmp

Step 5

Scan your computer with your Trend Micro product to delete files detected as WORM_NETSKY.P. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 6

Restore these deleted registry keys/values from backup

*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.


  • In HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}
    • InProcServer32
  • In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Explorer
  • In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • OLE
  • In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Taskmon
  • In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Windows Services Host
  • In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • au.exe
  • In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • d3dupdate.exe
  • In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • direct.exe
  • In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • gouday.exe
  • In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • rate.exe
  • In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • srate.exe
  • In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • ssate.exe
  • In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • sysmon.exe
  • In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • winupd.exe
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    • PINF
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    • Video
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    • system.
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • DELETE ME
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Explorer
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Sentry
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Taskmon
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Video
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Windows Services Host
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • direct.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • jijb
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • msgsvr32
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • service
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • system.
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • winupd.exe


Did this description help? Tell us how we did.
Analysis By: Mark Joseph Manahan

Connect with us on