Win32.Netsky.Q@mm (W32/Netsky-Q)
SYMPTOMS:
- presence of the following files in the Windows directory (%WINDIR%): SysMonXP.exe, Firewalllogger.txt
- presence of the entry SysMonXP = %WINDIR%\SysMonXP.exe in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key

TECHNICAL DESCRIPTION:
The worm sends itself as an e-mail attachment to addresses found on the infected computer. It copies itself to the Windows directory as SysMonXP.exe and drops a DLL component, Firewalllogger.txt, into the same directory. It then sets the following registry value so that it is executed each time Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SysMonXP = %WINDIR%\SysMonXP.exe

On 30/03/2004 it plays sounds of different tones and durations through the computer speaker.

Removal instructions:
Automatic removal: let BitDefender delete the infected files.

ANALYZED BY:
Adrian Gostin, BitDefender Virus Researcher
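
The symptoms listed above, expressed as a read-only host check. This PowerShell script is an added example, not BitDefender's own tooling; the WOW6432Node key is an assumption not listed in the description, included because 32-bit programs on 64-bit Windows write their Run entries there.

```powershell
# Added example: reports the Netsky.Q indicators named in this description.
# Read-only: it lists what it finds and deletes or changes nothing.
$findings = @()

# Files the description places in the Windows directory (%WINDIR%).
foreach ($name in 'SysMonXP.exe', 'Firewalllogger.txt') {
    $path = Join-Path $env:WINDIR $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force   # -Force also returns hidden files
        $findings += [pscustomobject]@{
            Indicator = 'File'
            Location  = $path
            Detail    = "size=$($item.Length) modified=$($item.LastWriteTime.ToString('s'))"
        }
    }
}

# Autostart value SysMonXP under the Run key.
# First key: as given in the description. Second key: assumption (32-bit view on 64-bit Windows).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $run = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($null -ne $run -and $run.PSObject.Properties.Name -contains 'SysMonXP') {
        $findings += [pscustomobject]@{
            Indicator = 'Registry'
            Location  = "$key\SysMonXP"
            Detail    = [string]$run.SysMonXP   # expected to point at %WINDIR%\SysMonXP.exe
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the indicators from this description were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A match on file name alone is not proof of infection; confirm with an antivirus scan before acting on it.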