Virus Netsky
Virus Netsky scans files on the infected computer for email addresses. It sends itself to the email addresses that it finds.
The virus installs itself on the victim machine as:
%WinDir%\WINLOGON.SCR (netsky.a)
%windir%\jammer2nd.exe (netsky.aa)
%WinDir%\COMP.CPL, %WinDir%\WSERVER.EXE (netsky.ac)
%windir%\SERVICES.EXE (netsky.b) (note: a legitimate file with the same name exists in the Windows system directory)
%Windir%\winlogon.exe (netsky.d)
%Windir%\Avpguard.exe (netsky.j)
%windir%\VisualGuard.exe (netsky.o)
%Windir%\AVBgle.exe (netsky.o)
%windir%\fvprotect.exe (netsky.q)
%Windir%\SysMonXP.exe, %Windir%\Firewalllogger.txt (netsky.q)
%Windir%\PandaAVEngine.exe (netsky.r)
%Windir%\FirewallSvr.exe (netsky.y)
Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
It adds the following values to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
to hook system startup:
"Skynetsrevenge" = %WinDir%\WINLOGON.SCR (netsky.a)
"Jammer2nd" = "%windir%\jammer2nd.exe" (netsky.aa)
"wserver" = %WinDir%\wserver.exe (netsky.ac)
"service" = %WinDir%\services.exe -serv (netsky.b)
"ICQ Net" = "%Windir%\winlogon.exe -stealth" (netsky.d)
"MyAV" = "%windir%\avpguard.exe -av serv" (netsky.j)
"NetDy" = "%windir%\VisualGuard.exe" (netsky.o)
"MSInfo" = "%Windir%\AVBgle.exe" (netsky.o)
"Norton Antivirus AV" = "%windir%\fvprotect.exe" (netsky.q)
"SysMonXP" = "%Windir%\SysMonXP.exe" (netsky.q)
"PandaAVEngine" = "%Windir%\PandaAVEngine.exe" (netsky.r)
"FirewallSvr" = "%Windir%\FirewallSvr.exe" (netsky.y)
The worm copies itself to folders whose names contain the words "Share" or "Sharing".
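The following is an added example, not code from AnVir Software: it checks startup entries against the Run-key value names and file names listed above, flagging a listed file name only when it sits directly in %WinDir%, so that the legitimate services.exe in the system directory is not reported. The function names, the reason labels and the sample entries are assumptions made for illustration; the entries are assumed to have been exported from the Run key as name/command pairs.

```python
import ntpath
import re

# Run-key value name -> file name, transcribed from the lists above (lower-cased).
NETSKY_RUN_VALUES = {
    "skynetsrevenge": "winlogon.scr", "jammer2nd": "jammer2nd.exe",
    "wserver": "wserver.exe", "service": "services.exe",
    "icq net": "winlogon.exe", "myav": "avpguard.exe",
    "netdy": "visualguard.exe", "msinfo": "avbgle.exe",
    "norton antivirus av": "fvprotect.exe", "sysmonxp": "sysmonxp.exe",
    "pandaavengine": "pandaavengine.exe", "firewallsvr": "firewallsvr.exe",
}
NETSKY_FILES = set(NETSKY_RUN_VALUES.values()) | {"comp.cpl"}

# Executable part of a command line; the quotes may enclose the arguments too.
EXE_RE = re.compile(r'^\s*"?(.+?\.(?:exe|scr|cpl|com|bat))(?=["\s]|$)', re.I)


def image_path(command, windir):
    """Return the normalized, lower-cased executable path of a Run-key command."""
    m = EXE_RE.match(command)
    exe = m.group(1) if m else command.strip().strip('"')
    exe = re.sub("%windir%", lambda _: windir, exe, flags=re.I)
    return ntpath.normcase(ntpath.normpath(exe))


def check_run_entries(entries, windir=r"C:\Windows"):
    """Return (value name, path, reason) for entries matching the indicators."""
    root = ntpath.normcase(ntpath.normpath(windir))
    hits = []
    for name, command in entries.items():
        path = image_path(command, windir)
        folder, filename = ntpath.split(path)
        # Only files directly in %WinDir% count: the genuine services.exe is in System32.
        if folder != root or filename not in NETSKY_FILES:
            continue
        exact = NETSKY_RUN_VALUES.get(name.lower()) == filename
        hits.append((name, path, "value and file" if exact else "file only"))
    return hits


# Constructed sample entries, not captured from a real host.
SAMPLE_RUN = {
    "ICQ Net": r'"%Windir%\winlogon.exe -stealth"',
    "service": r"C:\WINDOWS\services.exe -serv",
    "Updater": r"C:\Windows\SysMonXP.exe",
    "HostSvc": r"C:\Windows\System32\services.exe",
    "Tray": r'"C:\Program Files\Vendor\tray.exe" /min',
}
```

Calling `check_run_entries(SAMPLE_RUN)` reports the first three sample entries; pass `windir=r"C:\Winnt"` on systems installed to that folder.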
© Copyright 2000-2008 AnVir Software. All Rights Reserved.