Netsky.P was discovered on March 21st, 2004. Netsky.P continues the ongoing feud with the Bagle worm's author.

The worm's file is spread as a dropper that is a Windows PE executable 29568 bytes long, packed with FSG file. When the dropper is run, it extracts the main worm's file that is 26624 bytes long and is packed with a modified UPX file compressor. That file is a DLL, so Netsky authors started to use a new approach to installing the worm to a system.

Installation

Upon execution Netsky.P copies itself as FVPROTECT.EXE file to Windows folder and then extracts the main worm component as USERCONFIG9X.DLL to the same folder. The worm adds a startup key for one of the dropped files into System Registry:

"Norton Antivirus AV" = "%WinDir%\fvprotect.exe"

Where %WinDir% represents Windows folder name.

Additionally the worm drops the following files into Windows folder:

These files contain UUEncoded worm's executable file and ZIP archives (3 different variants). These 3 archives contain worm's executables with the following names:

NetSky.P worm removes Registry keys of several Bagle worm variants if it finds them on an infected computer. At least the last 9 keys (listed below) belong to earlier Bagle variants. This worm variant contains another insulting message for the author of Bagle worm.

NetSky.P deletes the following Registry keys:

msgsvr32 winupd.exe direct.exe jijbl Video service DELETE ME Taskmon Explorer
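The indicators named in this description (the "Norton Antivirus AV" startup value pointing at fvprotect.exe, and the FVPROTECT.EXE and USERCONFIG9X.DLL files with the stated sizes) can be checked offline against a `.reg` export and a listing of the Windows folder. The following Python sketch is an added example, not part of the original write-up; the function names are hypothetical, and the Run key path in the constructed sample is an assumption, since the description does not name the key.

```python
import re

# Indicators stated in the description above; sizes are those given for the
# dropper (copied as FVPROTECT.EXE) and the main component (USERCONFIG9X.DLL).
RUN_VALUE_NAME = "norton antivirus av"
RUN_VALUE_FILE = "fvprotect.exe"
DROPPED_SIZES = {"fvprotect.exe": 29568, "userconfig9x.dll": 26624}

# One "name"="data" string value of a .reg export; \\ and \" are escapes.
_REG_SZ = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_strings(reg_text):
    """Yield (key, name, data) for string values in already-decoded .reg text."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _REG_SZ.match(line)
        if m and key:
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            yield key, name, data

def check_run_values(reg_text, windir):
    """Flag values whose name or target path matches the startup entry."""
    windir = windir.rstrip("\\").lower()
    expected = windir + "\\" + RUN_VALUE_FILE
    hits = []
    for key, name, data in parse_reg_strings(reg_text):
        path = data.strip('" ').lower().replace("%windir%", windir)
        if name.lower() == RUN_VALUE_NAME or path == expected:
            hits.append((key, name, data))
    return hits

def check_files(listing):
    """listing: (filename, size) pairs from the Windows folder."""
    out = []
    for fname, size in listing:
        want = DROPPED_SIZES.get(fname.lower())
        if want is not None:
            out.append((fname, "name+size" if size == want else "name only"))
    return out

# Constructed sample input (not captured from a real host); key path assumed.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norton Antivirus AV"="C:\\WINDOWS\\fvprotect.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
SAMPLE_FILES = [("FVPROTECT.EXE", 29568), ("userconfig9x.dll", 26624), ("notepad.exe", 69120)]

if __name__ == "__main__":
    print(check_run_values(SAMPLE_REG, r"C:\WINDOWS"), check_files(SAMPLE_FILES))
```

A "name only" result means the file name matches but the size differs from the one given in the description, so it needs manual review before being treated as a match.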