is a worm, spreading as an email attachment or by P2P networks file sharing.
When executed, the worm displays faked error message "The file could not be opened!". Then it makes a copy of itself named "services.exe" in the folder [%Windir%]. It makes a registry item "service" with the value "%Windir%\services.exe -serv" in the key
The worm deletes a few records from the registry database (if the records exist). From the key:
All these registry records are created by another worms, they aren't important for the computer operation.
Win32:Netsky-B spreads by making copies of itself in the folders those names contains the words "Share" or "Sharing" in their names. Such folders are probably shared by some P2P network (such as Morpheus or Kazaa). The worm creates a number of copies with a different names in them. Except it, the worm sends oneself by email. The addresses for sending it finds in the files with the extensions "adb", "asp", "dbx", "doc", "eml", "htm", "html", "msg", "oft", "php", "pl", "rtf", "sht", "tbb", "txt", "uin", "vbs", "wab" on all local or mapped network disks. The "Subject", body of message and name, extension and size of attachment are variable. The From address is faked. The "Subject" of infected message is one of the following texts:
In the body message is one of the texts:
The attachment can have either simple or doubled extension. The first extension is one of "doc", "htm", "rtf", "txt". The second (or the single one) extension is one of "com", "exe", "pif", "scr". A part of sent attachment has the extension "zip". The zip file is created with "zero compression". The unpacked file has both the extension and the name generated the same way as nonpacked files. The size of the attachment varry.
The attachment can have one of the names:
avast! with VPS file dated on or after 18th February 2004 is able to detect this worm.Refer: Avast