Search Solo Products, Services and others Overview of the Site Design and Build a Career Contact us for customer service and other feedback info SRN Micro Privacy Statement

 


SERVICES.EXE PROCESS INFORMATION

Process Name  : Services.exe

Process Path : %WINDOWS%\services.exe [ please note that actual Windows services.exe will load from %Windows%\System32 folder ]

Malware Name  : W32.Netsky.B@mm

Alias             : I-Worm.Moodown.B, W32/Netsky.b@MM , Netsky.B, W32/Netsky-B,  WORM_NETSKY.B 

Process Type    : Mass mailing Internet worm

Threat level : Medium

Process details :

                     Services.exe is dropped in Windows folder by Netsky.B. It is a modified variant of Netsky.A worm. This mass mailing worm spreads using  e-mail addresses collected from MSG, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT and EML files to distribute infected messages. Netsky.b worm arrives as an e-mail attachment. The infected attachment name, message body and subject is randomly chosen by the worm. 

The infected mail subject will be one of the following: 

stolen
unknown
fake
information
warning
something for you
read it immediately
hello 

The infected mail message body will be one of the following

is that your account?
anything ok? 
something is fool
something is going wrong
you are bad
you try to steal
you feel the same
you earn money
thats wrong
why?
take it easy
reply
do you?
that's funny
here, the cheats
here, the introduction
here, the serials
from the chatter
about me
information about you
something is going wrong!
stuff about you?
greetings
see you
here it is
that is bad
yes, really?
i found this document about you
your name is wrong
i hope it is not true!
kill the writer of this document!
something about you!
I have your password!
you are a bad writer
is that from you?
i wait for a reply!
is that your name?
is that true?
here
my hero
read it immediately!
here is the document.
read the details.
i'm waiting
what does it mean?

The infected mail sample is given below

                     When the worm file is executed, it copies itself to Windows folder as "services.exe". Netsky.b searches C to Z drives and copies itself to folders containing the string "share" or "sharing". This string search allows the worm to spread using file sharing networks like KaZaA . Then it modifies registry run section to load automatically on the next startup. The registry modification is given below.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"service"= %WINDOWS%\services.exe -serv

[ By default, %WINDOWS% will be C:\Windows in case of Windows 95/98/ME/XP, C:\Winnt in case of Windows NT/2000 ]

                    Netsky.B worm uses its own SMTP engine to send infected messages. The infected attachment may contain a binary file or ZIP file. The worm also removes registry entries created by Mydoom.A and Mydoom.B worm. Netsky.B worm is detected on 18th February 2004. 

How can I protect my system?

                   Solo has incorporated W32.Netsky.B@mm infected services.exe in its signature file to protect users from this worm attack. Solo antivirus registered users are already protected from this Worm. Make sure that you have installed registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this Worm?

                   If you are already infected with W32.Netsky.B@mm infected services.exe, you can remove it from your computer using Solo Antivirus software. Use the following link to Download 30 day trial version of Solo antivirus to remove viruses from your computer.

                   Solo anti-virus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from New Internet Worms, Backdoors and malicious VB, Java Scripts. It also effectively removes all existing Internet Worms, File viruses, malicious VB, Java scripts, Trojans, Backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link