What is the Netsky.P worm?

Netsky.P is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.

The From line of the email is spoofed, and its Subject line and message body of the email vary. The attachment name varies with the .exe, .pif, .scr, or .zip file extension.

Also known as: WORM_Netsky.P, W32/Netsky.P@MM, W32/Netsky.P.worm, Win32.Netsky.P

How Does the Netsky.P Worm Infect My Computer?

When Netsky.P runs, it does the following:

1. Creates a mutex "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_" to allow only one instance of the worm to execute.
   
   
2. Copies itself as %Windir%\FVProtect.exe.
   
   
3. Drops the following file:
   
   %Windir%\userconfig9x.dll
   
   Then, the worm loads and executes this file. It has a static MD5 hash value of 0x3018E99857F31A59E0777396AE634A8F.
   
   
4. Creates the following files:
   
   • %Windir%\base64.tmp (40,520 bytes): MIME-encoded version of the executable
   • %Windir%\zip1.tmp (40,882 bytes): MIME-encoded version of the worm in a .zip archive
   • %Windir%\zip2.tmp (40,894 bytes): MIME-encoded version of the worm in a .zip archive
   • %Windir%\zip3.tmp (40,886 bytes): MIME-encoded version of the worm in a .zip archive
   • %Windir%\zipped.tmp (29,834 bytes): Worm in a .zip archive
     
     
5. Adds the value:
   
   "Norton Antivirus AV"="%Windir%\FVProtect.exe"
   
   to the registry key:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   so that the worm runs when you start Windows.
   
   
6. Deletes the values:
   
   • Explorer
   • system.
   • msgsvr32
   • winupd.exe
   • direct.exe
   • jijbl
   • service
   • Sentry
     
     from the registry key:
     
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     
     
7. Deletes the values:
   
   • system.
   • Video
     
     from the registry key:
     
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
     
     
8. Deletes the values:
   
   • Explorer
   • au.exe
   • direct.exe
   • d3dupdate.exe
   • OLE
   • gouday.exe
   • rate.exe
   • Taskmon
   • Windows Services Host
   • sysmon.exe
   • srate.exe
   • ssate.exe
   • winupd.exe
     
     from the registry key:
     
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     
     
9. Deletes the following subkeys:
   
   • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\
     Explorer\PINF
   • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch
   • HKEY_CLASSES_ROOT\CLSID\CLSID\
     {E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
     
     
10. Scans the hard drive for folders that contain the following strings:
    
    • bear
    • donkey
    • download
    • ftp
    • htdocs
    • http
    • icq
    • kazaa
    • lime
    • morpheus
    • mule
    • my shared folder
    • shar
    • shared files
    • upload
      
      and copies the worm into that folder with the following file names:
      
    • "1001 Sex and more.rtf.exe"
    • "3D Studio Max 6 3dsmax.exe"
    • "ACDSee 10.exe"
    • "Adobe Photoshop 10 crack.exe"
    • "Adobe Photoshop 10 full.exe"
    • "Adobe Premiere 10.exe"
    • "Ahead Nero 8.exe"
    • "Altkins Diet.doc.exe"
    • "American Idol.doc.exe"
    • ......
      
      
11. Retrieves the email addresses from the files on drives C through Z if the files have any of these file extensions:
    
    • .adb
    • .asp
    • .cgi
    • .dbx
    • .dhtm
    • .doc
    • .eml
    • .htm
    • .html
    • .jsp
    • .msg
    • .oft
    • .php
    • .pl
    • .rtf
    • .sht
    • .shtm
    • .tbb
    • .txt
    • .uin
    • .vbs
    • .wab
    • .wsh
    • .xml
      
      
12. Uses its own SMTP engine to send itself to the email addresses it finds.
    
    The email subject, body, and attachment are constructed from many possible combinations. In an attempt to get the recipient to open the attachment, the subject and message may:

• Suggest that the attachment is a detail message, photo, document, archive, report, bill, and so on.
• Claim that the recipient's computer is infected and that the attachment is to be a scanner or an update from an antivirus publisher, including Symantec.
• Warn the recipient that he/she has used an illegal Web site, software crack, or has sent spam.
• Suggest that the attached zip file is password-protected. (This is not true for the samples that Security Response has seen to date.)
  
  

  13. The worm avoids sending to the email addresses that contain any of the following strings:

• @antivi
• @avp
• @bitdefender
• @fbi
• @f-pro
• @freeav
• @f-secur
• @kaspersky
• @mcafee
• @messagel
• @microsof
• @norman
• @norton
• @pandasof
• @skynet
• @sophos
• @spam
• @symantec
• @viruslis
• abuse@
• noreply@
• ntivir
• reports@
• spam@

How to Remove the Netsky.P Worm?

Kaspersky Internet Security Can Prevent You From Virus and Intrusion. If Kaspersky detects Netsky.P during the scan, it will AUTOMATICALLY offer you the option of deleting it. Do this by following the program's instructions.

Follow these steps in removing the Netsky.P worm.

1. Disabling System Restore (Windows Me/XP)

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: "How to disable or enable Windows Me/XP System Restore".

2. Updating the Virus Definitions

If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.

3. Identifying the Virus Program

1. Scan your system with your Kaspersky antivirus products.
2. NOTE all files detected as Netsky.P.

4. Terminating the Running Program

1. Open Windows Task Manager.
   On Windows 95/98/ME systems, press
   CTRL+ALT+DELETE
   On Windows NT/2000/XP systems, press
   CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the malware file or files detected earlier.
3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager.

5. Removing Autostart Entries from the Registry

1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>
   Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries:
   Norton Antivirus AV = "%Windows%\FVProtect.exe"
   Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.
4. Close Registry Editor.

6. Run a full system scan and delete all the files detected as Netsky.P.

1. Start your Kaspersky Internet Security and make sure that it is configured to scan all the files.
2. Run a full system scan.
3. If any files are detected as infected with Netsky.P, click Delete.

How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file and delete it, making sure that you also delete it from the Deleted Items folder.
2. Install a good antivirus in your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
4. Keep your permanent antivirus protection enabled at all times.

Detect and Removal Instruction for Other Variants: