All NetSky's variants

• Email-Worm.Win32.NetSky.q[Kaspersky Lab]
• Email-Worm.Win32.NetSky.z [Kaspersky Lab]
  
• Email-Worm.Win32.NetSky.q [Kaspersky Lab]
• Email-Worm.Win32.NetSky.r [Kaspersky Lab]
• ...
  
• Backdoor.Win32.IRCBot.alo [Kaspersky Lab]
  
• Worm.Feebs!sd5 [PCTools]
  
• Email-Worm.NetSky [PCTools]
  
• Email-Worm.NetSky!sd5 [PCTools]
  
• I-Worm.Netsky.Q2 [PCTools]
  
• W32.Netsky.gen@mm [Symantec]
  
• W32.Netsky.dam [Symantec]
  
• W32.Netsky.P@mm [Symantec]
  
• W32.Netsky.Y@mm [Symantec]
• ...
  
• W32/Feebs.gen [McAfee]
  
• W32/Opanki.worm.gen [McAfee]
  
• W32/Netsky.gen@MM [McAfee]
  
• W32/Netsky.y@MM [McAfee]
  
• W32/Netsky.p@MM[McAfee]
• ...
  
• WORM_FEEBS.KV [Trend Micro]
  
• WORM_NETsky.dam [Trend Micro]
  
• WORM_NETSKY.P[Trend Micro]
  
• WORM_NETSKY.BN [Trend Micro]
• ...

All lists are non-exhaustive.

The virus uses the network and the Internet to spread, it can also enter through the ports used by the system of peer-to-peer sharing.
Can send emails using SMTP.
Able to communicate with a remote machine using the SMTP protocol.

The fix removes NetSky and all its variants.

The virus puts files in the system directory

• nmvcs.exe
  
• LegitCheckControl.dll
  
• WgaLogon.dll
  
• WgaTray.exe
  
• ddcbxxv.dll
  
• WGA.exe
  
• winini.exe
  
• opnnljj.dll
  
• msij32.dll
  
• msoo.exe
  
• remote.exe
  
• vcmgcd32.dll
  
• defender.exe
  
• vcmgcd32.dl_
  
• msed32.dll
  
• mslz.exe
  
• msoi.exe
  
• mspi32.dll
  
• keymaker.exe
  
• winini.exe

Other files in Windows directory

• FVProtect.exe
• base64.tmp
  
• userconfig9x.dll
  
• zip1.tmp
  
• zip2.tmp
  
• winsystem.exe
  
• FirewallSvr.exe
  
• zip3.tmp
  
• fuck_you_bagle.txt
  
• uinmzertinmds.opm
  
• winini.exe
  
• winlogon.scr
  
• zipped.tmp
  
• EasyAV.exe
  
• netstats.exe
  
• system.dll.exe
  
• Jammer2nd.exe
  
• attachment.zip
  
• services.exe
  
• winlogs.exe

In the temporary directory

• UYF4E7\installer.bat
  
• UYF4E7\LegitCheckControl.dll
  
• UYF4E7\WgaLogon.dll
  
• UYF4E7\WgaTray.exe
  
• IXP000.TMP\keymaker.exe
  
• Data.txt .exe
  
• 7C56B4F2.EXE
• *.zip
• *.tmp
  

Possible process of the virus are

• FVProtect.exe
  
• netstats.exe
  
• system.dll.exe
  
• defender.exe
  
• winini.exe
  
• FirewallSvr.exe
  
• msoi.exe
  
• keymaker.exe
  
• is151287.exe
  
• 7C56B4F2.EXE
  
• qpfu.exe
  
• winlogon.scr
  
• trvp.exe
  
• WGA.exe
  
• msoo.exe
  
• remote.exe
  
• nmvcs.exe
  
• winsystem.exe
  
• 1001 Sex and more.rtf.exe
  
• 3D Studio Max 6 3dsmax.exe
  
• ACDSee 10.exe
  
• Adobe Photoshop 10 crack.exe
  
• Adobe Photoshop 10 full.exe
  
• Adobe Premiere 10.exe
  
• Ahead Nero 8.exe
  
• Altkins Diet.doc.exe
• American Idol.doc.exe
  
• Arnold Schwarzenegger.jpg.exe
  
• Best Matrix Screensaver new.scr
  
• Britney sex xxx.jpg.exe
  
• Britney Spears and Eminem porn.jpg.exe
  
• Britney Spears blowjob.jpg.exe
  
• Britney Spears cumshot.jpg.exe
  
• Britney Spears fuck.jpg.exe
  
• Britney Spears full album.mp3.exe
  
• Britney Spears porn.jpg.exe
  
• Britney Spears Sexy archive.doc.exe
  
• Britney Spears Song text archive.doc.exe
  
• Britney Spears.jpg.exe
  
• Britney Spears.mp3.exe
  
• Clone DVD 6.exe
  
• Cloning.doc.exe
  
• Cracks & Warez Archiv.exe
  
• Dark Angels new.pif
  
• Dictionary English 2004 - France.doc.exe
  
• DivX 8.0 final.exe
  
• Doom 3 release 2.exe
  
• E-Book Archive2.rtf.exe
  
• Eminem blowjob.jpg.exe
  
• Eminem full album.mp3.exe
  
• Eminem Poster.jpg.exe
  
• Eminem sex xxx.jpg.exe
  
• Eminem Sexy archive.doc.exe
  
• Eminem Song text archive.doc.exe
  
• Eminem Spears porn.jpg.exe
  
• Eminem.mp3.exe
  
• Full album all.mp3.pif
  
• Gimp 1.8 Full with Key.exe
  
• Harry Potter 1-6 book.txt.exe
  
• Harry Potter 5.mpg.exe
  
• Harry Potter all e.book.doc.exe
  
• Harry Potter e book.doc.exe
  
• Harry Potter game.exe
  
• Harry Potter.doc.exe
  
• How to hack new.doc.exe
  
• Internet Explorer 9 setup.exe
  
• Kazaa Lite 4.0 new.exe
  
• Kazaa new.exe
  
• Keygen 4 all new.exe
  
• Learn Programming 2004.doc.exe
  
• Lightwave 9 Update.exe
  
• Magix Video Deluxe 5 beta.exe
  
• Matrix.mpg.exe
  
• Microsoft Office 2003 Crack best.exe
  
• Microsoft WinXP Crack full.exe
  
• MS Service Pack 6.exe
  
• netsky source code.scr
  
• Norton Antivirus 2005 beta.exe
  
• Opera 11.exe
  
• Partitionsmagic 10 beta.exe
  
• Porno Screensaver britney.scr
  
• RFC compilation.doc.exe
  
• Ringtones.doc.exe
  
• Ringtones.mp3.exe
  
• Saddam Hussein.jpg.exe
  
• Screensaver2.scr
  
• Serials edition.txt.exe
  
• Smashing the stack full.rtf.exe
  
• Star Office 9.exe
  
• Teen Porn 15.jpg.pif
  
• The Sims 4 beta.exe
  
• Ulead Keygen 2004.exe
  
• Visual Studio Net Crack all.exe
  
• Win Longhorn re.exe
  
• WinAmp 13 full.exe
  
• Windows 2000 Sourcecode.doc.exe
  
• Windows 2003 crack.exe
  
• Windows XP crack.exe
  
• WinXP eBook newest.doc.exe
  
• XXX hardcore pics.jpg.exe

The file autorun.inf is always present in the root of all partitions including removable drives as external drives or flash disks, another file accompanies it.

Key deleted

• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
  (Default) = <system>\webcheck.dll
  ThreadingModel = Apartment

Key created

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  Norton Antivirus AV = <Windows>FVProtect.exe
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  MSN = system.dll.exe
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  Windows Zero Spooler = "nmvcs.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{446624E1-B767-4443-AA6E-0F355CAFD21B}
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{446624E1-B767-4443-AA6E-0F355CAFD21B}\InprocServer32
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcbxxv
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\00cd0861

Value created

• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{446624E1-B767-4443-AA6E-0F355CAFD21B}\InprocServer32]
  (Default) = "%System%\ddcbxxv.dll"
  ThreadingModel = "Both"

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings]
  Time = F0 F8 36 23 83 51 C8 01 00 00 00 00

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
  {446624E1-B767-4443-AA6E-0F355CAFD21B} = ""

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcbxxv]
  Asynchronous = 0x00000001
  DllName ="ddcbxxv.dll
  Impersonate = 0x00000000
  Logon = o
  Logoff = f

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\00cd0861]
  (Default) = "A91FE206B0B441D793ADE1C11C88B399&"

• [HKEY_CURRENT_USER\Software\Microsoft\Installer]
  (Default) = 94 6E 12 24 83 51 C8 01

This virus runs automatically each time you open or explore a partition, it is preferable to download the patch and unpack it on the desktop, reboot your machine in Safe Mode and run the patch, always in safe mode.
The virus also sends emails to your contacts and vice versa, your contacts you send infected emails and asking you to download a file if you have problem in reading the email.

Safe mode tutorial