How it Works
Although, Win32/Netsky.Q worm has a low risk rate, it still causes much change in the system that is enough to raise its threat level from low to high. You can call it a smart virus, since it creates a registry entry in Windows (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) by the name of Norton Antivirus AV. During Windows startup, the above registry is run that points to the executable file FVProtect.exe. When the worm executes, it removes the following entries from the registry of Windows.
%Current_User% = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%Local_Machine% = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%Current_User%\Windows Services Host
%Local_Machine% \DELETE ME
%Local_Machine% \Windows Services Host
These registry entries are responsible for running important services that windows require during startup. As a result, your system becomes useless, and you are not able to perform any kind of work. It also creates a list of zip files in windows directory like zip1.tmp, base64.tmp, zip2.tmp, zipped.tmp and zip3.tmp that it requires while composing email messages.
It also searches the computer system for certain strings which when found are replaced with other keywords like names of games, software’s, pictures, celebrities, etc and are given an executable form i.e. .exe extension is added at the end of every keyword replaced.
It also searches for all types of documents to extract email addresses from them. Some of the email addresses belonging to the antivirus companies are avoided during extraction. These email addresses are then used to spread the virus on p2p networks and the email subject and body is written in such a manner that 1 out of 100 users will definitely open the file and even execute it on his/her system infecting the entire network.