Win32/Neshta [Threat Name] go to Threat
Win32/Neshta.A [Threat Variant Name]
Category | virus |
Size | 41472 B |
Aliases | Virus.Win32.Neshta.a (Kaspersky) |
W32/HLLP.41472.e.virus (McAfee) | |
Virus:Win32/Neshta.A (Microsoft) | |
W32.Neshuta (Symantec) |
Short description
Win32/Neshta.A is a file infector.
Installation
When executed, the virus creates the following files:
- %temp%\tmp5023.tmp
- %windir%\directx.sys
- %windir%\svchost.com (41472 B, Win32/Neshta.A)
The following Registry entry is set:
- [HKEY_CLASSES_ROOT\exefile\shell\open\command]
- "(Default)" = "%windir%\svchost.com "%1" %*"
This causes the virus to be executed along with any program.
Executable file infection
Win32/Neshta.A is a file infector.
The virus searches local drives for files with the following file extensions:
- .exe
The virus infects the files by inserting its code at the beginning of the original program.
The size of the inserted code is 41472 B .
It also infects files stored on removable and network drives.
It avoids files which contain any of the following strings in their path:
- %temp%
- %windir%
- \PROGRA~1\
Several other criteria are applied when choosing a file to infect.
When an infected file is executed, the original program is being dropped into a temporary file and run.
The original file is stored in the following location:
- %temp%\3582-490\%filename%
Other information
It contains the following text:
- Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. Прывiтанне усiм ~цiкавым~ беларус_кiм дзяучатам. Аляксандр Рыгоравiч, вам таксама :) Восень- кепская пара... Алiварыя - лепшае пiва! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]