If the string is longer than 41472 bytes, further decryption and file launch functions are called. Otherwise, the infected file is launched.
When decrypting and launching the file, the virus decrypts part of the body of the program which was encrypted after the body of the virus was injected into the program. If, for some reason, the virus was unable to modify the executable file, a folder called 3582_490 will be created in the Windows temporary directory (%TEMP%). The clean executable file will be decrypted to this folder.
Once launched, Neshta.a attempts to infect the files listed in %WINDIR%\direct.sys.
- Modify the following system registry key: [HKCR\exefile\shell\open\command], changing its value from %WINDIR%\svchost.com "%1" %* back to "%1" %*
- Delete %WINDIR%\svchost.com
- Update your antivirus databases and perform a full scan of your computer (download a trial version of Kaspersky Anti-Virus).
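The two indicators the removal steps above rely on (the hijacked exefile open command pointing at %WINDIR%\svchost.com, and the virus body of 41472 bytes carrying the "Neshta 1.0 Made in Belarus" string) can be checked mechanically. The following is an added triage script, not code from the original description; the regular expression, the function names and the use of the marker string as a heuristic are this example's own assumptions.

```python
import os
import re
import sys

# Size of the Neshta.a virus body, as stated in the description.
VIRUS_BODY_SIZE = 41472
# String the description says is present in the virus body (assumed usable as a marker).
MARKER = b"Neshta 1.0 Made in Belarus"
# Default value of HKCR\exefile\shell\open\command on a clean system.
CLEAN_COMMAND = '"%1" %*'
# Matches the hijacked form: <some path>\svchost.com "%1" %* (assumed pattern).
HIJACK_RE = re.compile(r'^\s*"?(?P<loader>[^"]*\\svchost\.com)"?\s+"%1"\s+%\*\s*$', re.IGNORECASE)


def check_exefile_command(value: str) -> dict:
    """Classify an exefile open-command value and say what to restore it to."""
    m = HIJACK_RE.match(value)
    if m:
        return {"hijacked": True, "loader": m.group("loader"), "restore_to": CLEAN_COMMAND}
    return {"hijacked": False, "loader": None, "restore_to": value}


def looks_infected(data: bytes) -> bool:
    """Triage heuristic: an infected host file is larger than the virus body
    (the original program is appended, encrypted, after it) and the marker
    string sits inside the first 41472 bytes, where the virus body lives."""
    return len(data) > VIRUS_BODY_SIZE and MARKER in data[:VIRUS_BODY_SIZE]


def scan_directory(root: str) -> list:
    """Return paths of .exe files under root that match the heuristic."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".exe"):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as f:
                        if looks_infected(f.read(VIRUS_BODY_SIZE + 1)):
                            hits.append(path)
                except OSError:
                    pass  # unreadable file: skip rather than abort the scan
    return hits


if __name__ == "__main__":
    if sys.platform == "win32":
        import winreg  # only available on Windows
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
            current, _ = winreg.QueryValueEx(key, "")
        print("exefile command:", check_exefile_command(current))
    for p in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("possible Neshta.a host file:", p)
```

The file check reads only the first 41473 bytes of each executable, which is enough to apply the heuristic without loading large binaries.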
This malicious program identifies and infects executable files. The program is a Windows PE EXE file, written in Delphi. The file is 41472 bytes in size.
Installation
The virus searches the Windows system directory (%WINDIR%) for svchost.com, which it deletes. It then creates a new svchost.com file, which contains the body of the virus. The following key is created in the system registry:
[HKCR\exefile\shell\open\command]
@="%WINDIR%\svchost.com \"%1\" %*"
This ensures that at each system restart, the virus will be automatically launched.
Other
The body of the virus contains the following strings:
Delphi-the best. **** off all the rest. Neshta 1.0 Made in Belarus.
Payload