Win32:Netsky-B

Win32:Netsky-B is a worm that spreads as an email attachment or through P2P file-sharing networks.

When executed, the worm displays a fake error message, "The file could not be opened!". It then makes a copy of itself named "services.exe" in the folder [%Windir%] and creates a registry item "service" with the value "%Windir%\services.exe -serv" in the key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

The worm deletes a few records from the registry database (if the records exist). From the key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
it deletes the items "Explorer", "KasperskyAV", "Taskmon", "System". From the key:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
it deletes the items "Explorer", "Taskmon". It also deletes the whole key:
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

All these registry records are created by other worms; they aren't important for the computer's operation.

Win32:Netsky-B spreads by making copies of itself in folders whose names contain the words "Share" or "Sharing". Such folders are probably shared by some P2P network (such as Morpheus or Kazaa). The worm creates a number of copies with different names in them. In addition, the worm sends itself by email. It finds the addresses to send to in files with the extensions "adb", "asp", "dbx", "doc", "eml", "htm", "html", "msg", "oft", "php", "pl", "rtf", "sht", "tbb", "txt", "uin", "vbs", "wab" on all local or mapped network disks. The "Subject", the message body, and the name, extension and size of the attachment are variable. The From address is faked. The "Subject" of an infected message is one of the following texts:
fake
hello
hi
information
read it immediately
something for you
stolen
unknown
warning

The message body contains one of the following texts:
about me
anything ok?
do you?
from the chatter
greetings
here
here is the document
here it is
here, the serials
here, the introduction
here, the cheats
i'm waiting
i found this document about you
I have your password!
i hope it is not true!
information about you
is that from you?
is that true?
is that your account?
is that your name?
i wait for a reply!
kill the writer of this document!
misc
my hero
ok
read it immediately!
read the details
reply
see you
something about you!
something is fool
something is going wrong!
stuff about you?
take it easy
that is bad
that's funny
thats wrong
what does it mean?
why?
yes, really?
you are bad
you are a bad writer
you earn money
you feel the same
you try to steal
your name is wrong

The attachment can have either a single or a double extension. The first extension is one of "doc", "htm", "rtf", "txt". The second (or the only) extension is one of "com", "exe", "pif", "scr". Some of the sent attachments have the extension "zip". The zip file is created with "zero compression". The unpacked file has its name and extension generated the same way as for non-zipped attachments. The size of the attachment varies.

The attachment can have one of the names:
aboutyou
attachment
bill
concert
creditcard
details
dinner
disco
doc
document
final
found
friend
information
jokes
location
mail2
mails
me
message
misc
msg
nomoney
note
object
part2
party
posting
product
ps
ranking
release
shower
story
stuff
swimmingpool
talk
textfile
topseller
website
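
The naming scheme described above can be turned into a mail-gateway check. The following Python sketch is an added example, not Avast's detection logic; the function names are hypothetical, the name and extension lists are copied from this description, and the sample archives are harmless data constructed in memory.

```python
import io
import zipfile

# Lists copied from the description above.
DECOY_EXTS = {"doc", "htm", "rtf", "txt"}
EXEC_EXTS = {"com", "exe", "pif", "scr"}
NAMES = set("""aboutyou attachment bill concert creditcard details dinner disco
doc document final found friend information jokes location mail2 mails me
message misc msg nomoney note object part2 party posting product ps ranking
release shower story stuff swimmingpool talk textfile topseller website""".split())

def matches_naming(filename):
    """True for <name>.<exec> or <name>.<decoy>.<exec> built from the lists."""
    parts = filename.lower().split(".")
    if len(parts) not in (2, 3) or parts[0] not in NAMES:
        return False
    if len(parts) == 3 and parts[1] not in DECOY_EXTS:
        return False
    return parts[-1] in EXEC_EXTS

def classify_attachment(filename, data=b""):
    """Return the reason an attachment fits the description, or None."""
    if matches_naming(filename):
        return "listed name with executable extension"
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    # "zero compression" means the member is stored, not deflated
                    stored = info.compress_type == zipfile.ZIP_STORED
                    if stored and matches_naming(info.filename):
                        return "stored zip member: " + info.filename
        except zipfile.BadZipFile:
            return None  # not a parseable archive; leave to other filters
    return None

def constructed_zip(member, compression=zipfile.ZIP_STORED):
    """Build a harmless in-memory zip (constructed sample, dummy bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        zf.writestr(member, b"constructed placeholder bytes" * 4)
    return buf.getvalue()

if __name__ == "__main__":
    samples = [("story.txt.pif", b""), ("report.pdf", b""),
               ("details.zip", constructed_zip("details.doc.scr")),
               ("photos.zip", constructed_zip("holiday.jpg"))]
    for name, data in samples:
        print(name, "->", classify_attachment(name, data))
```

Because the listed names are ordinary words, a match is a reason to quarantine and scan the attachment, not proof of infection.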

Removal:
To remove this virus, please use the free avast! Virus Cleaner.

avast! with a VPS file dated on or after 18th February 2004 is able to detect this worm.

Refer: Avast


