Worm: Win32.HLLM.Netsky
- Virus type: Family of mass-mailing worms
- Affects: Windows 95 and up
- Other names for Win32.HLLM.Netsky: W32/Netsky, I-Worm.Netsky, Moodown
Description
Win32.HLLM.Netsky is a family of mass-mailing worms that spread by email using addresses harvested from the infected computer. They have their own SMTP delivery engine that sends infected messages directly to the recipient's mail server. They also spread via local networks by trying to copy worm files to shared folders on drives C: to Z:. The worms randomly select one of the harvested addresses as the "From:" address, so the apparent sender of an infected email is not the real sender, and that person's computer is probably not infected.
The subject header of the message is randomly chosen from a large number of strings. The message text is also randomly chosen. In most cases, the message is meant to look like a system generated message, such as an error report from a mail server.
The worm is contained in an executable file attachment whose name is also chosen from a large number of possible names. The attachment may have a double extension (such as mp3.pif) and may be packed in a Zip or RAR archive, which in some variants is password protected.
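The attachment characteristics described above (an executable extension, a decoy extension in front of it, or an archive that may be password protected) are what a mail-gateway triage rule keys on. The following is an added example, not code from the original write-up: it rates attachment filenames by those traits. The extension lists and the sample filenames are constructed for illustration and are not taken from any real Netsky message.

```python
from dataclasses import dataclass

# Extensions Windows executes directly when the attachment is opened.
# Assumption: a general baseline list, not taken from the Netsky write-up.
EXECUTABLE_EXTENSIONS = {"exe", "pif", "scr", "com", "bat", "cmd"}
# Archive formats the write-up names as worm carriers.
ARCHIVE_EXTENSIONS = {"zip", "rar"}
# Harmless-looking extensions used as the decoy half of a double extension.
DECOY_EXTENSIONS = {"mp3", "txt", "doc", "jpg", "gif", "htm", "html", "pdf"}


@dataclass(frozen=True)
class AttachmentVerdict:
    filename: str
    risk: str    # "high", "medium" or "low"
    reason: str


def classify_attachment(filename: str) -> AttachmentVerdict:
    """Rate a single attachment filename by its extension(s)."""
    # Drop any path prefix and split on dots; strip padding inside each part so
    # a name such as "report.txt   .scr" still yields the real extension "scr".
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].strip()
    parts = [p.strip() for p in name.lower().split(".") if p.strip()]
    if len(parts) < 2:
        return AttachmentVerdict(name, "low", "no extension")
    ext = parts[-1]
    # The part before the final extension counts as a decoy only when a base
    # name still precedes it (so "document.mp3.pif" is a double extension).
    decoy = parts[-2] if len(parts) >= 3 else None
    if ext in EXECUTABLE_EXTENSIONS:
        if decoy in DECOY_EXTENSIONS:
            return AttachmentVerdict(
                name, "high",
                f"double extension: looks like .{decoy} but executes as .{ext}")
        return AttachmentVerdict(name, "high", f"executable attachment (.{ext})")
    if ext in ARCHIVE_EXTENSIONS:
        return AttachmentVerdict(
            name, "medium",
            f".{ext} archive: inspect contents; a password-protected archive "
            "cannot be scanned at the gateway")
    return AttachmentVerdict(name, "low", f"non-executable extension (.{ext})")


def triage(filenames):
    """Return verdicts ordered high-risk first, then medium, then low."""
    order = {"high": 0, "medium": 1, "low": 2}
    verdicts = [classify_attachment(f) for f in filenames]
    return sorted(verdicts, key=lambda v: order[v.risk])


if __name__ == "__main__":
    # Constructed sample names, not taken from any real Netsky message.
    for v in triage(["document.mp3.pif", "mp3.pif", "details.zip",
                     "readme.txt", "report.txt   .scr"]):
        print(f"{v.risk:<6} {v.filename!r}: {v.reason}")
```

Archives are deliberately rated medium rather than high: the rule cannot see inside a password-protected archive, so the decision has to be handed to a scanner or a human rather than made from the filename alone.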
When activated, the worm may display a message. The worm then copies itself to the hard disk and installs a Registry entry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (or possibly HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) so that it is run automatically at startup. The worm then executes this file in order to propagate using the methods described above.
Win32.HLLM.Netsky variants remove certain registry values, if present, in order to deactivate some earlier viruses. Some variants launch a denial-of-service attack on certain websites during certain periods; others can be used as a backdoor into the system if not blocked by a firewall.
Some variants install an FTP server and a web server on the infected computer. Once alerted by an email that the worm sends, an attacker can use these to obtain information about the system or to install other malicious software.
Prevention
To prevent another infection by Win32.HLLM.Netsky worms or similar viruses:
- Be suspicious of emails from unknown sources containing executable attachments. See How to detect Internet worms.
- Use a good anti-virus such as Kaspersky AntiVirus or Dr.Web anti-virus.
Removal
Manual removal
To remove a Win32.HLLM.Netsky infection manually:
- Use a virus scanner to determine the identity of the executable file containing the worm (which has a randomly generated filename).
- Restart Windows in safe mode.
- Using the Registry Editor, expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and/or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and delete the entry whose value contains the path to the worm file as determined above. In many variants of the Win32.HLLM.Netsky worm, the name of this registry entry is chosen to look as if it is an antivirus service.
- Restart Windows.
- Disable System Restore, in order that copies of the worm are not saved to the restore folder. (Note: this may cause Windows to restart and you will lose your earlier restore points.)
- Update and run your virus scanner to remove the worm files from the system.
- Re-enable System Restore and create a new restore point.
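The Run-key step above (and the description of the same persistence entry earlier on this page) turns on finding the value whose data points at the worm file, because the value's name is chosen to look legitimate and cannot be trusted. The following is an added example, not part of the original write-up: it parses a text export of the two Run keys (as produced by `reg export`, which a technician can take from the affected machine, including in safe mode) and reports every value whose data mentions the worm file path identified by the scanner. The sample export, the value names and the path `C:\WINDOWS\wormfile.exe` are constructed placeholders, not real Netsky artefacts; only REG_SZ values are decoded.

```python
import re

# Constructed sample of what `reg export` of the two Run keys produces.
# In .reg files, backslashes and quotes inside string data are escaped with a
# backslash. Names and paths here are placeholders, not real Netsky artefacts.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AntivirusService"="C:\\WINDOWS\\wormfile.exe -serv"
"VendorUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SyncClient"="C:\\Users\\alice\\AppData\\Local\\SyncClient\\sync.exe"
'''

HIVE_ABBREVIATIONS = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_USERS": "HKU",
    "HKEY_CLASSES_ROOT": "HKCR",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
# Either the default value (@) or a quoted name, followed by '=' and the data.
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    r"""Undo .reg escaping: \\ becomes \ and \" becomes " (any escaped char is kept)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str):
    """Return (key, value_name, data) triples for the values in a .reg dump.

    REG_SZ data is unquoted and unescaped. Other data types (dword:, hex:,
    hex(2):) are returned as their raw text, which is enough to search but
    not to decode.
    """
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            entries.append((key, name, data))
    return entries


def find_run_entries_referencing(text: str, worm_path: str):
    """Run-key values whose data mentions the worm file path, compared
    case-insensitively (as Windows paths are), whatever the value is named."""
    target = worm_path.lower()
    return [(key, name, data) for key, name, data in parse_reg_export(text)
            if key.lower().endswith(r"\currentversion\run") and target in data.lower()]


def removal_commands(hits):
    """Build the `reg delete` lines an administrator would review and run.
    The commands are returned as strings, not executed."""
    cmds = []
    for key, name, _data in hits:
        hive, _, rest = key.partition("\\")
        short = HIVE_ABBREVIATIONS.get(hive, hive)
        cmds.append(f'reg delete "{short}\\{rest}" /v "{name}" /f')
    return cmds


if __name__ == "__main__":
    hits = find_run_entries_referencing(SAMPLE_REG_EXPORT, r"C:\WINDOWS\wormfile.exe")
    for key, name, data in hits:
        print(f"{key}\n  {name} = {data}")
    for cmd in removal_commands(hits):
        print(cmd)
```

To use it on a real export, open the file with `encoding="utf-16"` (that is how `reg export` writes it) and pass the text together with the path the scanner reported; review the returned `reg delete` lines before running any of them, since the worm file itself still has to be removed by the scanner in the later steps.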
Automated removal
To remove the virus Win32.HLLM.Netsky, please see our tutorial Help! I've got a virus!
Professional hands-on removal
If you are not confident about being able to remove the worm yourself, you can purchase the Virus Removal and Computer Tune-Up package, and a professional technician will connect to your computer via your Internet connection and remove it for you.