
WINLOGON.EXE
PROCESS INFORMATION
Process Name : Winlogon.exe
Process Path : %WINDOWS%\winlogon.exe
[ Please note that the genuine Windows winlogon.exe loads from the %WINDOWS%\System32 folder; a winlogon.exe sitting directly in %WINDOWS% is the worm's copy ]
Malware Name : W32.Netsky.C@mm
Aliases : W32/Netsky-C, I-Worm.Moodown.C, W32/Netsky.C@MM, Netsky.C, WORM_NETSKY.C
Process Type : Mass-mailing Internet worm
Threat Level : Medium
Process details :
Winlogon.exe is dropped into the Windows folder by Netsky.C, a modified variant of the Netsky.B worm. This mass-mailing worm harvests e-mail addresses from files on the infected system with the extensions MSG, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT, SHTM, DHTM, CGI and EML, and sends infected messages to those addresses. Netsky.C arrives as an e-mail attachment; the attachment name, message body and subject are chosen at random by the worm from built-in lists.
The infected mail subject will be one of the following:
Delivery Failed
Status
report
question
trust me
hey
Re: excuse me
read it immediatelly
hi
Re: does it?
Yep
important
hello
dear
Re: unknown
fake?
warning
moin
what's up?
info
Re: information
Here is it
stolen
private?
good morning
illegal...
error
take it
re:
Re: Re: Re: Re:
you?
something for you
exception
Re: hey
excuse me
Re: hi
Re: does it?
Re: important
Re: hello
believe me
Question
denied!
notification
Re: <5664ddff?$??º2>
lol
last chance!
I'm back!
its me
notice!
The infected mail message body will be one of the following:
<Deliver
Error>
<Message Error>
<Server Error>
what means that?
help attached
<...>
ok...
<Attachment from Poland>
that is interesting...
i wait for your comment about it.
such as yours?
read the details.
gonna?
here is the document.
*lol*
read it immediately!
i found that about you!
your hero in the picture?
yours?
here is it.
illegal st. of you?
is that true?
account?
is that your name?
picture?
message?
is that your account?
pwd?
I wait for an answer!
abuse?
is that yours?
you are a bad writer
I don't know your document!
<Mail failed>
I have your password!
you won the rk!
something about you!
classroom test of you?
kill the writer of this document!
old photos about you?
i hope thats not true!
your name is wrong!
does it match?
i found this document about you.
time to fear?
really?
do you know this????
i know your document!
did you sent it to me?
this file is bad!
why should I?
pages?
her.
another pic, have fun! ... :->
test it
child porn?
greetings
xxx ?
stuff about you?
your document is not good
something is going wrong!
your photo is poor
information about you?
the information is wrong!
doc about me?
kill him on the picture!
from the chatter (my photo!)
from your lover ;-)
love letter?
here, the serials
are you a teacherin the picture?
here, the introduction
is that criminal?
here, the cheats
i like your doc!
what do you think about it?
that's a funny text.
that's not the truth?
do you have?
instruct me about this!
i lost that
i am speachless about your document!
is that the reality?
reply
msg
your design is not good!
important?
your TAN number?
take it easy!
why?
you are naked in this document!
thats wrong!
your icq number?
i am desperate
modifications?
your personal record?
yes.
misc. and so on. see you!
your attachment? verify it.
you earn money, see the attachment!
is that your attachment?
is that your website?
you feel the same.
meaning of that?
possible?
you have tried to steal!
did you ask me for that?
you are bad
your job? (I found that!)
is that possible?
something is going ...
something is not ok
did you know from this document?
wrong calculation! (see the attachment!...
never!
poor quality!
good work!
excellent!
great!
i don't think so.
pretty pic about you?
docs?
schoolfriend?
<Warning from the Government>
<09580985869gj>
<?}
i want more...
here is the next one!
attachi#
did you see her already?
is that your wife?
is that your creditcard?
is that your photo?
do you think so?
do you have the bug also?
already?
forgotten?
drugs? ...
does it matter?
i have received this.
best?
the truth?
your body?
your eyes?
your face?
File is self-decryting.
File is damaged.
File is bad.
i saw you last week!
xxx service
your account is expired!
you cannot hide yourself! (see photo)
copyright?
what still?
who?
how?
<bad gateway>
only encrypted!
personal message!
my advice....
i've found it about you
<<<Failure>>>
<Attached Msg>
<scanned by norton antivirus>
great xxx!
man or women?
child or adult?
here is yours!
a crazy doc about you
xxx about you?
i don't want your xxx pics!
<Failed message available>
<Automailer>
doc?
trial?
what?
;-)
i need you!
correct it!
see this!
it's a secret!
this is nothing for kids!
it's so similar as yours!
is that your car?
do not give up!
great job!
here is the $%%454$
you are sexy in this doc!
incest?
let it!
you look like an ape!
you look like an rat?
be mad?
are you cranky?
bob the builder
did you know that?
money?
is that your car?
is this information about you?
is that your privacy?
is that your TAN?
is that your message?
is that your cd?
is that your finger?
your are naked?
is that your porn pic?
is that your work?
is that your family?
is that your beast?
is that your account?
is that your slip?
is that your domain?
are you the naked one?
are you the naked person!
are you the one?
does it belong to you?
do you have sex in the picture?
you have a sexy body in the pic!
your lie is going around the world!
<Transfer complete>
<Antispam complete>
lets talk about it!
do you know the thief?
are you a photographer?
you have done a mistake in the document...
its private from me
do not show this anyone!
new patch is available!
this is an attachment message!
in your mind?
Microsoft
fast food...
Your bill.
try this patch!
do you have an orgasm in the picture?
<Click the attachment to decrypt>
<Attachment Signature 34933920>
Transaction failed. Show the doc!
I 've found your bill!
see your name!
You are infected. Read the details!
here is my advice.
here is my photo!
here is the <censored>
feel free to use it.
does it belong to you?
Login required! Read the attachment!
your document is silly!
is the pic a fake?
Antispam is turned off. See file!
Authentification required. Read the att...
solve the problem!
<null>
do not use my document!
do not open the attachment!
do not visit the pages on the list I se...
explain!
tell me more about your document!
Your provider will be disabled!
Instant patches.
The infected mail sample is given below:
[ sample mail image not reproduced in this copy ]
When the worm file is executed, it copies itself to the Windows folder as "winlogon.exe". Netsky.C then searches drives C: to Z: and copies itself into every folder whose name contains the string "share" or "sharing" (the second is already matched by the first). This folder-name search lets the worm spread over file-sharing networks such as KaZaA, whose default shared folder is named "My Shared Folder". It then adds a value to the registry Run key so that it is loaded automatically at the next startup of the infected user's session. The registry modification is given below:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"ICQ Net" = %WINDOWS%\winlogon.exe -stealth
[ By default, %WINDOWS% is C:\Windows on Windows 95/98/ME/XP and C:\Winnt on Windows NT/2000 ]
Netsky.C uses its own SMTP engine to send the infected messages, so it does not depend on the victim's mail client. The infected attachment may be a plain executable or a ZIP archive. The worm also removes the registry entries created by the Mydoom.A and Mydoom.B worms. Netsky.C was first detected on 25 February 2004.
How can I protect my system?
Solo has added the W32.Netsky.C@mm-infected winlogon.exe to its signature file to protect users from this worm. Registered Solo Antivirus users are already protected from this worm. Make sure that you have installed the registered version of Solo Antivirus to protect your system from all virus threats.
How to remove this worm?
If your system is already infected with the Netsky.C winlogon.exe, you can remove it using Solo Antivirus. Use the following link to download the 30-day trial version of Solo Antivirus and remove viruses from your computer.

Solo Antivirus not only scans for all viruses; it also contains a unique System Integrity Checker to protect you from new Internet worms, backdoors and malicious VB and Java scripts. It also effectively removes all existing Internet worms, file viruses, malicious VB and Java scripts, Trojans, backdoors, boot sector, partition table and macro viruses.
You can purchase Solo Antivirus using the link