Detection Published: March 21, 2004
Description Modified: March 25, 2004
Category: Win32
Also known as: ZIP.Netsky.P, Win32/Netsky.P.Worm, W32/Netsky.P@mm (F-Secure), W32/Netsky.p@MM (McAfee), I-Worm.Netsky.q (Kaspersky)
Netsky.P is a worm that spreads through e-mail and file sharing. It is distributed as a 29,568 byte Win32 executable, compressed with FSG, which drops a 26,624 byte DLL file. It also distributes itself inside ZIP archives.
Netsky.P arrives in the form of a 29,568 byte "dropper", which creates and loads a DLL file containing the bulk of the worm code.
When run, the dropper creates a mutex called "'D'r'o'p'p'e'd'S'k'y'N'e't'", to avoid running multiple copies of itself.
It copies itself to:
%Windows%\FVProtect.exe
It also decrypts the DLL stored inside its own file, and writes the result to:
%Windows%\userconfig9x.dll
It then calls the first (and only) function in the DLL. The DLL then takes over.
The worm creates a registry value in order to run the dropper each time Windows starts:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Norton Antivirus AV = "%Windows%\FVProtect.exe"
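A host check for the artifacts this description lists (the two files, the Run value and the mutex), as an added PowerShell example that is not part of the original description. It assumes the %Windows% placeholder corresponds to $env:SystemRoot and takes the mutex name exactly as printed above.

```powershell
# Added example, not vendor code. Checks one host for the Netsky.P artifacts
# listed in the description above.
# Assumption: the description's %Windows% placeholder maps to $env:SystemRoot.
$findings = @()

# Dropper copy and decrypted DLL, with the sizes the description gives.
$expected = @{ 'FVProtect.exe' = 29568; 'userconfig9x.dll' = 26624 }
foreach ($name in $expected.Keys) {
    $path = Join-Path $env:SystemRoot $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $len = (Get-Item -LiteralPath $path -Force).Length
        $findings += [pscustomobject]@{
            Indicator = 'File'
            Detail    = "$path, $len bytes (size match: $($len -eq $expected[$name]))"
        }
    }
}

# Run value. The WOW6432Node view is included because a 32-bit process writing
# to HKLM\SOFTWARE on 64-bit Windows is redirected there.
$valueName = 'Norton Antivirus AV'
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $prop = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($prop) {
        $findings += [pscustomobject]@{
            Indicator = 'Run value'
            Detail    = "$key\$valueName = $($prop.$valueName)"
        }
    }
}

# Mutex held while the dropper is running. The name is used as printed in the
# description; an unprefixed name is only visible within the current session.
$mutexName = "'D'r'o'p'p'e'd'S'k'y'N'e't'"
$mutex = $null
try {
    if ([System.Threading.Mutex]::TryOpenExisting($mutexName, [ref]$mutex)) {
        $findings += [pscustomobject]@{ Indicator = 'Mutex'; Detail = $mutexName }
        $mutex.Dispose()
    }
} catch [System.UnauthorizedAccessException] {
    # The mutex exists but this account cannot open it: still a hit.
    $findings += [pscustomobject]@{ Indicator = 'Mutex'; Detail = "$mutexName (access denied)" }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No Netsky.P artifacts found.' }
```

A file that exists with a different size is still reported, since the sizes are those of the sample described here.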
More: http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=38650
