Although Win32/Netsky.Q is rated a low-risk worm, the changes it makes to the system are enough to raise its threat level from low to high. It can be called a smart virus, since it creates a registry entry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the name Norton Antivirus AV. At Windows startup this entry is run and points to the executable file FVProtect.exe. When the worm executes, it removes the following entries from the Windows registry.
%Current_User% = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%Local_Machine% = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%Current_User%\au.exe
%Current_User%\d3dupdate.exe
%Current_User%\direct.exe
%Current_User%\Explorer
%Current_User%\gouday.exe
%Current_User%\OLE
%Current_User%\rate.exe
%Current_User%\srate.exe
%Current_User%\ssate.exe
%Current_User%\sysmon.exe
%Current_User%\Taskmon
%Current_User%\Windows Services Host
%Current_User%\winupd.exe
%Local_Machine%\DELETE ME
%Local_Machine%\direct.exe
%Local_Machine%\Explorer
%Local_Machine%\jijbl
%Local_Machine%\msgsvr32
%Local_Machine%\sentry
%Local_Machine%\service
%Local_Machine%\System.
%Local_Machine%\Taskmon
%Local_Machine%\video
%Local_Machine%\Windows Services Host
%Local_Machine%\winupd.exe
These registry entries are responsible for running important services that Windows requires during startup. As a result, your system becomes useless and you are not able to perform any kind of work. The worm also creates a set of temporary files in the Windows directory, such as zip1.tmp, base64.tmp, zip2.tmp, zipped.tmp and zip3.tmp, which it needs while composing email messages.
It also searches the computer for certain strings which, when found, are replaced with other keywords such as names of games, software, pictures, celebrities, etc., and are given an executable form, i.e. a .exe extension is appended to every replaced keyword.
It also searches all types of documents to extract email addresses from them. Some email addresses belonging to antivirus companies are skipped during extraction. These email addresses are then used to spread the worm on P2P networks, and the email subject and body are written in such a manner that 1 out of 100 users will definitely open the file and even execute it on his/her system, infecting the entire network.
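The two host-based indicators named above (the Run entry called Norton Antivirus AV pointing to FVProtect.exe, and the .tmp files dropped in the Windows directory) can be checked offline. The following is an added example, not code from the original article: it assumes the Run keys have already been exported into a dictionary and the Windows directory listing into a plain list, so it runs on any system without touching a live registry.

```python
"""Offline check for the Win32/Netsky.Q persistence indicators described above.

Assumptions (not from the article): Run keys arrive as an exported dictionary
{key_path: {value_name: command}} and the Windows directory as a list of file
names, so the check never touches a live registry or filesystem.
"""
import re
from typing import Dict, List, Tuple

# Indicators taken from the description: Run value name and its executable.
NETSKY_VALUE_NAME = "norton antivirus av"
NETSKY_EXE = "fvprotect.exe"
# Temp files the worm creates in the Windows directory for composing mail.
NETSKY_TMP_FILES = {"zip1.tmp", "zip2.tmp", "zip3.tmp", "base64.tmp", "zipped.tmp"}

# Only the autostart Run keys (HKLM or HKCU) are relevant to this check.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run$", re.I)


def scan_run_entries(entries: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, command) for every Run entry matching the indicator."""
    hits = []
    for key, values in entries.items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, cmd in values.items():
            # Match on either the value name the worm uses or the dropper it points at.
            if name.strip().lower() == NETSKY_VALUE_NAME or NETSKY_EXE in cmd.lower():
                hits.append((key, name, cmd))
    return hits


def scan_windows_dir(listing: List[str]) -> List[str]:
    """Return which of the worm's temp-file names appear in a Windows directory listing."""
    present = {f.lower() for f in listing}
    return sorted(NETSKY_TMP_FILES & present)


# Constructed sample input (not a real export) showing an infected host.
SAMPLE_RUN = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "Norton Antivirus AV": r"C:\WINDOWS\FVProtect.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {},
}
SAMPLE_DIR = ["explorer.exe", "zip1.tmp", "base64.tmp", "win.ini"]

if __name__ == "__main__":
    for key, name, cmd in scan_run_entries(SAMPLE_RUN):
        print(f"suspicious Run entry: {key}\\{name} -> {cmd}")
    print("worm temp files present:", scan_windows_dir(SAMPLE_DIR))
```

On a real Windows host the same two functions can be fed the output of `reg export` or `Get-ItemProperty` on the Run keys and a listing of %WINDIR%, which keeps the detection logic separate from the collection step.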