Pin Me

Most WideSpread Computer Virus of 2009 - Win32/Netsky.Q

written by: PreciousJohnDoe•edited by: Bill Bunter•updated: 1/11/2011

Win32/Netsky.Q worm is an internet worm/virus that infects computer systems via. Email messages, p2p network or through network drives. This worm is an executable virus that spreads itself through email messages and other media that can be shared across different computers. Read more...

  • slide 1 of 6


    Being an executable type virus, Win32/Netsky.Q worm replicates itself and creates a file named FVProtect.exe in the windows directory. The size of the virus is about 29 KB. This virus also creates a dynamic library file necessary for its execution, with the name userconfig9x.dll, that is about 26KB long.

  • slide 2 of 6

    Risk Assessment

    Home Users – LOW

    Corporate Users – LOW

    Infection Ratio is 0.024%, i.e. 1 out of 10000 PC’s are infected with this virus.

  • slide 3 of 6

    Virus Characteristics

    Filename: FVProtect.exe

    Detection: Win32/Netsky.Q worm

    Length: 26KB – 29KB
  • slide 4 of 6

    Detection Names

    Avast Win32 Netsky-CP

    Avira Worm/Netsky.AP

    BitDefender/Symantec/Microsoft Win32.Netsky.P@mm

    Eset/AVG (GriSoft) Win32/Netsky.Q worm

    Panda/Sophos W32/Netsky.P.worm

  • slide 5 of 6

    How it Works

    Although, Win32/Netsky.Q worm has a low risk rate, it still causes much change in the system that is enough to raise its threat level from low to high. You can call it a smart virus, since it creates a registry entry in Windows (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) by the name of Norton Antivirus AV. During Windows startup, the above registry is run that points to the executable file FVProtect.exe. When the worm executes, it removes the following entries from the registry of Windows.

    %Current_User% = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    %Local_Machine% = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run












    %Current_User%\Windows Services Host


    %Local_Machine% \DELETE ME

    %Local_Machine% \direct.exe

    %Local_Machine% \Explorer

    %Local_Machine% \jijbl

    %Local_Machine% \msgsvr32

    %Local_Machine% \sentry

    %Local_Machine% \service

    %Local_Machine% \System.

    %Local_Machine% \Taskmon

    %Local_Machine% \video

    %Local_Machine% \Windows Services Host

    %Local_Machine% \winupd.exe

    These registry entries are responsible for running important services that windows require during startup. As a result, your system becomes useless, and you are not able to perform any kind of work. It also creates a list of zip files in windows directory like zip1.tmp, base64.tmp, zip2.tmp, zipped.tmp and zip3.tmp that it requires while composing email messages.

    It also searches the computer system for certain strings which when found are replaced with other keywords like names of games, software’s, pictures, celebrities, etc and are given an executable form i.e. .exe extension is added at the end of every keyword replaced.

    It also searches for all types of documents to extract email addresses from them. Some of the email addresses belonging to the antivirus companies are avoided during extraction. These email addresses are then used to spread the virus on p2p networks and the email subject and body is written in such a manner that 1 out of 100 users will definitely open the file and even execute it on his/her system infecting the entire network.

  • slide 6 of 6

    Removal Instructions

    To remove this virus, you must use good antivirus software. I recommend ESET NOD32 antivirus and McAfee antivirus for removing this virus and other similar viruses.

    Since, this virus creates executable files in every folder of the hard drive; you must disable system restore to clean up the restoration files. If you try to restore your computer after the system has been infected with Win32/Netsky.Q worm, you will have no success.