Win32.Netsky.P

Mar 24, 2004 2:39PM PST

Detection Published: March 21, 2004
Description Modified: March 25, 2004

Category: Win32
Also known as: ZIP.Netsky.P, Win32/Netsky.P.Worm, W32/Netsky.P@mm (F-Secure), W32/Netsky.p@MM (McAfee), I-Worm.Netsky.q (Kaspersky)

Netsky.P is a worm that spreads through e-mail and file sharing. It is distributed as a 29,568 byte Win32 executable, compressed with FSG, which drops a 26,624 byte DLL file. It also distributes itself inside ZIP archives.

Netsky.P arrives in the form of a 29,568 byte "dropper", which creates and loads a DLL file containing the bulk of the worm code.

When run, the dropper creates a mutex called "'D'r'o'p'p'e'd'S'k'y'N'e't'", to avoid running multiple copies of itself.

It copies itself to:

%Windows%\FVProtect.exe

It also decrypts the DLL stored inside its own file, and writes the result to:

%Windows%\userconfig9x.dll

It then calls the first (and only) function in the DLL. The DLL then takes over.

The worm creates a registry value in order to run the dropper each time Windows starts:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Norton Antivirus AV = "%Windows%\FVProtect.exe"

More: http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=38650
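An added triage example, not part of the original post or the vendor description: it checks collected host data for the Run value and the two dropped files named above, including the stated file sizes. It assumes the input is `reg query` output for the HKLM Run key plus a name/size listing of the Windows directory; the function names and the sample data are constructed for illustration.

```python
import re

# Indicators taken from the description above.
RUN_VALUE_NAME = "Norton Antivirus AV"
DROPPED_FILES = {"fvprotect.exe": 29568, "userconfig9x.dll": 26624}

# One value line of `reg query` output: name, type and data, 4 spaces apart.
_REG_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Constructed sample input (not captured from a real host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    Norton Antivirus AV    REG_SZ    C:\WINDOWS\FVProtect.exe
"""
SAMPLE_FILES = [("notepad.exe", 69120), ("FVPROTECT.EXE", 29568),
                ("userconfig9x.dll", 26624)]


def parse_reg_query(text):
    """Return {value name: data} from `reg query <key>` output."""
    values = {}
    for line in text.splitlines():
        m = _REG_LINE.match(line)
        if m:
            values[m.group("name")] = m.group("data").strip()
    return values


def find_netsky_p(reg_query_text, windir_listing):
    """windir_listing: iterable of (file name, size in bytes).
    Returns a list of findings; an empty list means no indicator matched."""
    findings = []
    for name, data in parse_reg_query(reg_query_text).items():
        # Match the value name or the launched file, case-insensitively,
        # so a renamed value or a different Windows directory still hits.
        if name.lower() == RUN_VALUE_NAME.lower() or "\\fvprotect.exe" in data.lower():
            findings.append(f"Run value {name!r} -> {data}")
    for fname, size in windir_listing:
        expected = DROPPED_FILES.get(fname.lower())
        if expected is not None:
            note = "size matches" if size == expected else f"size {size} differs from {expected}"
            findings.append(f"file {fname} present ({note})")
    return findings


if __name__ == "__main__":
    for finding in find_netsky_p(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

The mutex is not covered here because it exists only while the dropper is running and does not appear in registry or file listings.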
