Name : Services.exe
Path : %WINDOWS%\services.exe
[ please note that actual Windows services.exe
will load from %Windows%\System32 folder ]
Name : W32.Netsky.B@mm
Alias : I-Worm.Moodown.B,
W32/Netsky.b@MM , Netsky.B, W32/Netsky-B,
Mass mailing Internet worm
level : Medium
Services.exe is dropped
in Windows folder by Netsky.B. It is
a modified variant of Netsky.A worm. This mass
mailing worm spreads using e-mail addresses
collected from MSG, OFT, SHT, DBX, TBB, ADB, DOC,
WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT
and EML files to distribute infected messages. Netsky.b worm arrives as
an e-mail attachment. The infected attachment
name, message body and subject is randomly chosen
by the worm.
infected mail subject will be one of the
something for you
read it immediately
infected mail message body will be one of the
that your account?
something is fool
something is going wrong
you are bad
you try to steal
you feel the same
you earn money
take it easy
here, the cheats
here, the introduction
here, the serials
from the chatter
information about you
something is going wrong!
stuff about you?
here it is
that is bad
i found this document about you
your name is wrong
i hope it is not true!
kill the writer of this document!
something about you!
I have your password!
you are a bad writer
is that from you?
i wait for a reply!
is that your name?
is that true?
read it immediately!
here is the document.
read the details.
what does it mean?
infected mail sample is given below
When the worm file is
executed, it copies itself to Windows folder as
searches C to Z drives and copies itself to
folders containing the string "share"
or "sharing". This string search allows
the worm to spread using file sharing networks
like KaZaA . Then it modifies registry run
section to load automatically on the next startup.
The registry modification is given below.
"service"= %WINDOWS%\services.exe -serv
By default, %WINDOWS% will be C:\Windows in case
of Windows 95/98/ME/XP, C:\Winnt in case of
Windows NT/2000 ]
Netsky.B worm uses its
own SMTP engine to send infected messages. The
infected attachment may contain a binary file or
ZIP file. The worm also removes registry entries
created by Mydoom.A and Mydoom.B worm. Netsky.B
worm is detected on 18th February 2004.
How can I protect my
Solo has incorporated W32.Netsky.B@mm
infected services.exe in its signature file to
protect users from this worm attack. Solo
antivirus registered users are already protected
from this Worm. Make sure that you have installed
registered version of Solo Antivirus to protect
your system from all virus threats.
to remove this Worm?
you are already infected with W32.Netsky.B@mm infected
can remove it from your computer using Solo
Antivirus software. Use the
following link to Download 30 day trial
version of Solo antivirus to remove
viruses from your computer.
Solo anti-virus not only
scans for all viruses, it contains a unique System
Integrity Checker to protect you from
New Internet Worms, Backdoors and
malicious VB, Java Scripts. It also
effectively removes all existing Internet Worms,
File viruses, malicious VB, Java scripts, Trojans,
Backdoors, boot sector, partition table and macro
purchase Solo antivirus using the link