Search Solo Products, Services and others Overview of the Site Design and Build a Career Contact us for customer service and other feedback info SRN Micro Privacy Statement



Process Name  : EasyAV.exe

Process Path : %WINDOWS%\EasyAV.exe [ C:\Windows\EasyAV.exe ]

Process type    : Internet Worm

Malware Name : W32.Netsky.T@mm

Alias             : W32/Netsky-P, W32/Netsky.P@MM , Netsky.P,   WORM_NETSKY.P, I-Worm.Netsky.P,  WORM_NETSKY.P, W32/Netsky-P, Win32.Netsky.P, Win32/Netsky.Q

Threat level : Medium

Process Details

                     EasyAV.exe is dropped by Netsky.T Worm. It is a modified variant of Netsky.S worm. Netsky.T worm arrives as an e-mail attachment. The infected attachment name, message body and subject is randomly chosen by the worm. 

The infected mail subject will be one of the following: 

e: Approved
Re: Hello
Re: Hi
Re: Important
Re: My details
Re: Request
Re: Thanks you!
Re: Your details
Re: Your document
Re: Your information
Thank you!
Your details
Your document
Your information
My details

The infected mail message body will be one of the following


I have spent much time for the <random word>.
I have sent the <random word>.
I have found the <random word>.
Your file is attached to this mail.
My <random word>.
My <random word> is attached.
I have spent much time for your document.
Your <random word>. ˇYour <random word> is attached.
The requested <random word> is attached!
The <random word>.
The <random word> is attached.
See the document for details.
Please notice the attached document.
Please notice the attached <random word>.
Please have a look at the attached document.
Please have a look at the <random word>.
Note that I have attached your document.
Here is the document. ˇHere is the <random word>.
For more information see the attached document.
For more details see the attached document.
Approved, here is the document.
Please, <random word>.
Please see the <random word>.
Please read the attached document.
Please read the <random word>.
Please read quickly.

Yours sincerely
Thank you

The infected mail sample is given below

                     When the worm file is executed, it copies itself to Windows folder as "EasyAV.exe". Netsky.T modifies registry run section to load automatically on the next startup. The registry modification is given below.

"EasyAV"= %WINDOWS%\EasyAV.exe

[ By default, %WINDOWS% will be C:\Windows in case of Windows 95/98/ME/XP, C:\Winnt in case of Windows NT/2000 ]

                    Netsky.T worm uses its own SMTP engine to send infected messages. The worm also removes registry entries created by Mydoom.A and Mydoom.B worm. It opens port 6789 to allow access to the infected system.

                    This Worm is also known as I-Worm.NetSky.t, W32/Netsky.t@MM, Win32.HLLM.Netsky.based, W32/Netsky-T, Win32/Netsky.T@mm, WORM_NETSKY.T, Win32:Netsky-T, I-Worm/Netsky.T, Worm.SomeFool.Gen-2, W32/Netsky.T.worm, Win32/Netsky.T and Email-Worm.Win32.NetSky.t.

How can I protect my system?

                   Solo has incorporated detection for easyav.exe in its signature file to protect users from this worm attack. Solo antivirus registered users are already protected from this Worm. Make sure that you have installed registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this Worm?

                   If you are already infected with easyav process, you can remove it from your computer using Solo Antivirus software. Use the following link to Download 30 day trial version of Solo antivirus to remove viruses from your computer.

                   Solo anti-virus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from New Internet Worms, Backdoors and malicious VB, Java Scripts. It also effectively removes all existing Internet Worms, File viruses, malicious VB, Java scripts, Trojans, Backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link