
Netsky.C worm
Action on infection

By , About.com Guide

Mar 2 2004
Netsky.C copies itself to the Windows folder as winlogon.exe and modifies the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key, adding the value "ICQ Net" = "%Windir%\winlogon.exe -stealth" so that the worm will load when Windows is restarted. Note that %Windir% signifies the location of the directory to which Windows was installed. By default, depending on the operating system, this will be either C:\Windows or C:\WinNT. Note also that there is a valid, legitimate winlogon.exe file found in the Windows system folder.

Netsky.C deletes several registry key values associated with either the MyDoom.A, MyDoom.B or MyDoom.C worms. The values Sentry, OLE, service, au.exe, d3dupdate.exe, DELETE ME, msgsvr32, Taskmon, Explorer, Windows Services Host, KasperskyAV, and System are removed from the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

The registry key HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 is also deleted by Netsky.C.

Netsky.C searches all mapped drives from C: to Z: and harvests email addresses from any files having one of the following extensions: .eml, .txt, .php, .pl, .htm, .html, .vbs, .rtf, .uin, .asp, .wab, .doc, .adb, .tbb, .dbx, .sht, .oft, .msg, .shtm, .cgi, and .dhtm. These harvested addresses are then used by the worm to send itself, with some being used as the spoofed From address.

Netsky.C copies itself to any folder whose name contains the string "shar". Each copy is given one of the following names: opy_itself+1E[]o, Microsoft WinXP Crack.exe, Teen Porn 16.jpg.pif, Adobe Premiere 9.exe, Adobe Photoshop 9 full.exe, Best Matrix Screensaver.scr, Porno Screensaver.scr, Dark Angels.pif, XXX hardcore pic.jpg.exe, Microsoft Office 2003 Crack.exe, Serials.txt.exe, Screensaver.scr, Full album.mp3.pif, Ahead Nero 7.exe, Virii Sourcecode.scr, E-Book Archive.rtf.exe, Doom 3 Beta.exe, How to hack.doc.exe, Learn Programming.doc.exe, WinXP eBook.doc.exe, Win Longhorn Beta.exe, Dictionary English - France.doc.exe, RFC Basics Full Edition.doc.exe, 1000 Sex and more.rtf.exe, 3D Studio Max 3dsmax.exe, Keygen 4 all appz.exe, Windows Sourcecode.doc.exe, Norton Antivirus 2004.exe, Gimp 1.5 Full with Key.exe, Partitionsmagic 9.0.exe, Star Office 8.exe, Magix Video Deluxe 4.exe, Clone DVD 5.exe, MS Service Pack 5.exe, ACDSee 9.exe, Visual Studio Net Crack.exe, Cracks & Warez Archive.exe, WinAmp 12 full.exe, DivX 7.0 final.exe, Opera.exe, IE58.1 full setup.exe, Smashing the stack.rtf.exe, Ulead Keygen.exe, Lightwave SE Update.exe, and The Sims 3 crack.exe.
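The Run-key entry and the shared-folder copies described above can both be checked for on a host. The following Python sketch is an added example, not part of the original article: it flags Run values that start winlogon.exe from anywhere other than the system folder, and double-extension files in folders whose name contains "shar". It assumes the legitimate winlogon.exe lives in %Windir%\System32, covers only the double-extension names in the list, and uses hypothetical function names and constructed sample data.

```python
import ntpath
import re

EXEC_EXTS = {".exe", ".pif", ".scr"}                    # final extensions in the article's list
DECOY_EXTS = {".jpg", ".txt", ".mp3", ".rtf", ".doc"}   # inner "document" extensions in that list


def rogue_winlogon_values(run_values, windir=r"C:\Windows"):
    """Return Run-key value names that start winlogon.exe from outside System32."""
    # Assumption: the legitimate winlogon.exe is in %Windir%\System32.
    legit_dir = ntpath.normcase(ntpath.join(windir, "System32"))
    hits = []
    for name, command in run_values.items():
        # Expand %Windir%; the lambda avoids backslash-escape handling in re.sub.
        expanded = re.sub(r"%windir%", lambda _m: windir, command, flags=re.I)
        match = re.match(r'\s*"?(.+?\.exe)', expanded, flags=re.I)
        if not match:
            continue
        exe = ntpath.normcase(ntpath.normpath(match.group(1)))
        if ntpath.basename(exe) == "winlogon.exe" and ntpath.dirname(exe) != legit_dir:
            hits.append(name)
    return hits


def decoy_files_in_shares(paths):
    """Return paths in folders named *shar* whose file name hides an executable extension."""
    hits = []
    for path in paths:
        folder, filename = ntpath.split(path)
        stem, final_ext = ntpath.splitext(filename)
        inner_ext = ntpath.splitext(stem)[1]
        if ("shar" in ntpath.basename(folder).lower()
                and final_ext.lower() in EXEC_EXTS
                and inner_ext.lower() in DECOY_EXTS):
            hits.append(path)
    return hits


# Constructed sample data (not taken from a real host).
SAMPLE_RUN = {
    "ICQ Net": r"%Windir%\winlogon.exe -stealth",
    "Updater": r'"C:\Program Files\Vendor\update.exe" /background',
}
SAMPLE_FILES = [
    r"D:\My Shared Folder\Serials.txt.exe",
    r"D:\My Shared Folder\notes.txt",
    r"D:\Documents\report.doc.exe",
]

if __name__ == "__main__":
    print(rogue_winlogon_values(SAMPLE_RUN))
    print(decoy_files_in_shares(SAMPLE_FILES))
```

On a live system, the Run values would come from a registry export and the paths from a directory listing; pass `windir=r"C:\WinNT"` where Windows is installed there.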


©2009 About.com, a part of The New York Times Company.

All rights reserved.