Win32/Neshta [Threat Name]

Win32/Neshta.B [Threat Variant Name]

Category virus
Size 41472 B
Detection created Jan 25, 2006
Detection database version 1380
Aliases Virus.Win32.Neshta.b (Kaspersky)
  W32/HLLP.41472.virus (McAfee)
  Virus:Win32/Neshta.B (Microsoft)
  W32.Neshuta (Symantec)
Short description

Win32/Neshta.B is a file infector.

Installation

When executed, the virus creates the following files:

  • %temp%\tmp5023.tmp
  • %windir%\directx.sys
  • %windir%\svchost.com (41472 B, Win32/Neshta.B)

The following Registry entry is set:

  • [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    • "(Default)" = "%windir%\svchost.com "%1" %*"

This causes the virus to be executed along with any program.

Executable file infection

The virus searches local drives for files with the following file extensions:

  • .exe

The virus infects the files by inserting its code at the beginning of the original program.


The size of the inserted code is 41472 B.


It also infects files stored on removable and network drives.


It avoids files which contain any of the following strings in their path:

  • %temp%
  • %windir%
  • \PROGRA~1\

Several other criteria are applied when choosing a file to infect.


When an infected file is executed, the original program is dropped into a temporary file and run.


The original file is stored in the following location:

  • %temp%\3582-490\%filename%
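
The following Python check is an added example, not part of the original description: it flags the indicators listed above (the hijacked exefile handler, the files dropped in %windir%, and originals restored under %temp%\3582-490) in triage data. The function names and the sample paths and sizes are constructed for illustration; `"%1" %*` is the stock Windows value for this registry entry.

```python
import ntpath

# Indicators taken from the description above.
DROPPED_IN_WINDIR = ("directx.sys", "svchost.com")
RESTORE_DIR = "3582-490"      # %temp%\3582-490\%filename%
VIRUS_SIZE = 41472            # bytes
STOCK_HANDLER = '"%1" %*'     # Windows default for exefile\shell\open\command

def handler_findings(command):
    """Classify the (Default) value of HKCR\\exefile\\shell\\open\\command."""
    value = command.strip()
    if value == STOCK_HANDLER:
        return []
    # Whatever precedes "%1" is the program now launched for every .exe.
    launcher = value.split('"%1"')[0].strip().strip('"')
    if ntpath.basename(launcher).lower() == "svchost.com":
        return ["exefile handler runs " + launcher + " (matches Win32/Neshta.B)"]
    return ["exefile handler is not the stock value: " + value]

def file_findings(listing, windir, temp):
    """listing maps Windows path -> size in bytes, e.g. from a triage file listing."""
    norm = {ntpath.normcase(p): size for p, size in listing.items()}
    out = []
    for name in DROPPED_IN_WINDIR:
        path = ntpath.normcase(ntpath.join(windir, name))
        if path in norm:
            sized = name == "svchost.com" and norm[path] == VIRUS_SIZE
            out.append("dropped file present: " + path + (" (41472 B)" if sized else ""))
    prefix = ntpath.normcase(ntpath.join(temp, RESTORE_DIR)) + "\\"
    restored = [p for p in norm if p.startswith(prefix)]
    if restored:
        out.append("%d restored original(s) under %s" % (len(restored), prefix))
    return out

def read_live_handler():
    """Windows only: read the current handler value from the registry."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        return winreg.QueryValueEx(key, "")[0]

# Constructed sample data, not taken from a real host.
SAMPLE_HANDLER = r'C:\WINDOWS\svchost.com "%1" %*'
SAMPLE_LISTING = {
    r"C:\WINDOWS\svchost.com": 41472,
    r"C:\WINDOWS\directx.sys": 60,
    r"C:\WINDOWS\System32\svchost.exe": 14336,
    r"C:\Users\a\AppData\Local\Temp\3582-490\setup.exe": 120000,
}
```

On a live Windows host, pass the result of `read_live_handler()` to `handler_findings()`; the legitimate `System32\svchost.exe` in the sample is not flagged because only `svchost.com` directly under %windir% matches.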
