F-Secure Virus Descriptions : NetSky.W

Summary

NetSky.W worm variant was discovered on April 16th, 2004.

Although it has been just discovered, this variant is much more similar to NetSky.P or NetSky.Q than to any of the later variants. In fact, its structure bears a striking resemblance to that of NetSky.P, so only some differences among them will be listed on this description.

This variant does not spread through P2P networks, as NetSky.P does.

Disinfection

F-Secure provides the special disinfection utility to eliminate Netsky.W worm infection. You can download this utility from our ftp site:

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.zip

Disinfection instructions can be found here:

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.txt

System administrators who are using F-Secure Policy Manager, can distribute the tool as a JAR package automatically to all workstations.

System administrators can download the JAR version from:

http://www.europe.f-secure.com/tools/f-netsky.jar

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.jar

Back to the Top

Detailed Description

Installation to system

Upon execution Netsky.W copies itself as VisualGuard.exe file to the Windows folder. The worm adds a startup key for itself into System Registry:

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "NetDy" = "%WinDir%\VisualGuard.exe"