Secure Most Provide you most reliable security utilities!
Home Articles File Center Privacy Contact us Links
Now Position: Home>Tech Articles>Free Invasion from Worms
How to Detect and Remove Netsky.O Worm?
What is the Netsky.O worm?

Netsky.O is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives.

Also known as: WORM_Netsky.O, W32/Netsky.O@MM, W32/Netsky.O.worm, Win32.Netsky.O

How Does the Netsky.O Worm Infect My Computer?

When Netsky.O runs, it does the following:

  1. Creates a mutex to allow only one instance of the worm to execute.

  2. Copies itself as %Windir%\AVBgle.exe.

  3. Creates the file, %Windir%\base64.bmp (22,456 bytes), which is a MIME64_encoded worm.

  4. Adds the value:

    "MSInfo"="%Windir%\AVBgle.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.

  5. Deletes these values:

    Explorer
    system.
    msgsvr32
    au.exe
    service
    DELETE ME
    d3dupdate.exe
    Sentry
    Taskmon
    Windows Services Host

    from the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run

  6. Deletes the value: system.

    from the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    RunServices

  7. Deletes these values:

    Explorer
    OLE
    gouday.exe
    rate.exe
    Taskmon
    Windows Services Host
    sysmon.exe
    srate.exe
    ssate.exe

    from the registry key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  8. Deletes the value:

    InProcServer32

    from the registry key:

    HKEY_CLASSES_ROOT\CLSID\CLSID\
    {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

  9. Deletes the following subkeys:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Explorer\PINF
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch
  10. Retrieves email addresses from the files with these extensions on drives C to Z :
    • .adb
    • .asp
    • .cgi
    • .dbx
    • .dhtm
    • .doc
    • .eml
    • .htm
    • .html
    • .jsp
    • .msg
    • .oft
    • .php
    • .pl
    • .rtf
    • .sht
    • .shtm
    • .tbb
    • .txt
    • .uin
    • .vbs
    • .wab
    • .wsh
    • .xml

  11. Uses its own SMTP engine to send itself to the email addresses it finds.
How to Remove the Netsky.O Worm?

Kaspersky Internet Security Can Prevent You From Virus and Intrusion. If Kaspersky detects Netsky.O during the scan, it will AUTOMATICALLY offer you the option of deleting it. Do this by following the program's instructions.

Follow these steps in removing the Netsky.O worm.

1. Disabling System Restore (Windows Me/XP)

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: "How to disable or enable Windows Me/XP System Restore".

2. Updating the Virus Definitions

If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.

3. Removing Autostart Entries from the Registry

  1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry or entries:
    MSInfo = "%WindowsS%\AVBgle.exe"
    Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.
  4. Close Registry Editor.

4. Run a full system scan and delete all the files detected as Netsky.O.

  1. Start your Kaspersky Internet Security and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with Netsky.O, click Delete.
How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

  1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file and delete it, making sure that you also delete it from the Deleted Items folder.
  2. Install a good antivirus in your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
  3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
  4. Keep your permanent antivirus protection enabled at all times.
Detect and Removal Instruction for Other Variants:
More Detection and Removal Instructions for Worms
Post Comment



Enter security code:

User Comments
(If you can not see the issued comment, please enable your browser to support javascript and refresh this page.)
Sign up for free up-to-date messages about your PC's security & privacy:
              Email
Confirm email
     Your Name    
 Anti-Keylogger  Password Pecovery
 Anti-Spam  PC Monitoring
 Anti-Spyware  Personal Firewall
 Anti-Virus  System Tools
 Online Privacy    
PQ DVD to iPod Video Suite
PQ DVD to iPod Video Suite (PQ DVD to iPod + iPod Video Converter) is a One-Click, All-In-One solution to convert DVD, Tivo, DivX, MPEG, WMV, AVI, RealMedia and many more to iPod Video ...
Kaspersky Internet Security
Internet Security processes all incoming and outgoing data on your computer, including email, Internet traffic and network interaction, without the need for additional security applications ...
Cucusoft MPEG/AVI to DVD/VCD/SVCD Converter Pro
It enables you to convert and burn any video file directly to VCD, DVD, SVCD, MPEG1 and MPEG2 format. Pro version included all the features of the lite version ...
FREE Spyware Scan! SpyNoMore
SpyNoMore scans, cleans and blocks spyware as well as any other good anti-spyware product, but with one big advantage, Custom Fix (patent pending). Spyware programs are growing more sophisticated by the day ...
Copyright ©2003-2009 SecureMost.com. All other trademarks are the sole property of their respective owners.