Win32.Netsky.Q@mm (W32/Netsky-Q)
SYMPTOMS:
- presence of the following files in the Windows directory (%WINDIR%): SysMonXP.exe, Firewalllogger.txt
- presence of the entry SysMonXP = %WINDIR%\SysMonXP.exe in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key

TECHNICAL DESCRIPTION:
The worm sends itself as an e-mail attachment to addresses found on the infected computer. It copies itself to the Windows directory as SysMonXP.exe and drops a DLL component, Firewalllogger.txt, in the same directory. It then sets the following registry value so that it is executed each time Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SysMonXP = %WINDIR%\SysMonXP.exe

On 30/03/2004 it plays sounds of different tones and durations through the computer speaker.

Removal instructions:
Automatic removal: Let BitDefender delete the infected files.

ANALYZED BY:
Adrian Gostin, BitDefender Virus Researcher
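
The symptoms listed above can be checked on a host with a read-only script. This is an added example, not BitDefender code: the function name Test-NetskyQSymptoms, the MZ-header test on Firewalllogger.txt and the Wow6432Node lookup (the 32-bit registry view on 64-bit Windows) are assumptions that go beyond the description.

```powershell
# Added example (not BitDefender code): read-only check for the symptoms above.
function Test-NetskyQSymptoms {
    $findings = @()

    # Files the description places in the Windows directory (%WINDIR%).
    foreach ($name in 'SysMonXP.exe', 'Firewalllogger.txt') {
        $path = Join-Path $env:WINDIR $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

        $detail = 'file present'
        if ($name -eq 'Firewalllogger.txt') {
            # Described as a DLL component: a PE file starts with "MZ" (0x4D 0x5A),
            # which a genuine text log would not.
            $buf = New-Object byte[] 2
            $fs = [System.IO.File]::OpenRead($path)
            try { $read = $fs.Read($buf, 0, 2) } finally { $fs.Dispose() }
            if ($read -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A) {
                $detail = 'file present, starts with MZ (PE header)'
            }
        }
        $findings += [pscustomobject]@{ Indicator = $path; Detail = $detail }
    }

    # Autostart entry named in the description. The Wow6432Node path is an
    # assumption added here: the 32-bit registry view on 64-bit Windows.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $prop = Get-ItemProperty -Path $key -Name 'SysMonXP' -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $findings += [pscustomobject]@{
                Indicator = "$key\SysMonXP"
                Detail    = "Run value = $($prop.SysMonXP)"
            }
        }
    }
    return $findings
}

$result = @(Test-NetskyQSymptoms)
if ($result.Count -gt 0) {
    $result | Format-Table -AutoSize
} else {
    'None of the listed Netsky.Q symptoms were found on this host.'
}
```

A match on the file names alone is weak evidence; the MZ header on the .txt file together with the Run entry is the stronger combination.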