Virus:Win32/Neshta.A
First posted on 15 February 2019.
Source: Microsoft

Aliases:
Virus:Win32/Neshta.A is also known as W32/Bloat-A, Virus.Win32.Neshta.a, W32/HLLP.41472.e, W32/Neshta.A, W32.Neshuta, PE_NESHTA.A.

Explanation:
Installation
This virus copies itself to %SystemRoot% as svchost.com. It modifies the system registry so that it is run every time an .exe file is opened:
In subkey: HKCR\exefile\shell\open\command
Sets value: "@" (the key's default value)
With data: "%SystemRoot%\svchost.com "%1" %*"
Because every .exe launch is now routed through this handler, the virus runs before the program the user actually opened. It updates %SystemRoot%\directx.sys with the path of the last infected file to be run.

Spreads via...
File infection
This virus infects files by prepending its virus code to executable files, so the infected file's first PE image is the virus and the original program follows it.

Payload
Connects to remote server
We have seen this threat connect to the following remote server:
Server: link-on.tu1.ru
Script: /gate/gate.php
It uses POST to upload information gathered from the infected system, such as currently installed applications, running programs, and SMTP email accounts. The script file is currently detected as PWS:Win32/Ldpinch.gen!LogA.

Analysis by Jireh Sanico
Last update 15 February 2019
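The registry change and the prepending behaviour described above are both checkable from the host, and the order of cleanup matters: if svchost.com is deleted while HKCR\exefile\shell\open\command still points at it, Windows can no longer launch any .exe, so the default value must be restored to "%1" %* first. The script below is an added triage example written for this page; it is not Microsoft's tooling and not the malware's code. It assumes the exact value, file and key names quoted in the entry, and its "second PE header" check is only a heuristic approximation of "prepends its virus code to executable files" (legitimate files that embed executables, such as installers, will also trigger it). The live registry read is guarded so the script runs offline on non-Windows hosts against constructed samples.

```python
"""Host-side triage for the Virus:Win32/Neshta.A indicators on this page.

Added example; not Microsoft's tooling or the malware's code. Assumes the
registry value, file names and prepending behaviour exactly as the entry
describes them. The PE-header heuristic is an approximation and also fires
on legitimate executables that embed other executables.
"""
import ntpath
import os
import platform
import re
import struct

EXEFILE_KEY = r"exefile\shell\open\command"
CLEAN_EXEFILE_COMMAND = '"%1" %*'      # Windows default: run the .exe itself
NESHTA_HANDLER_NAME = "svchost.com"    # real svchost is svchost.exe in System32
LOG_FILE = r"%SystemRoot%\directx.sys" # Neshta writes the last infected path here


def classify_exefile_command(value: str) -> str:
    """Classify the (Default) value of HKCR\\exefile\\shell\\open\\command.

    Returns 'clean' when "%1" is the program being launched, 'neshta' when
    the page's svchost.com wrapper sits in front of it, or 'hijacked' when
    some other program has been inserted in front of "%1".
    """
    v = value.strip()
    if v == CLEAN_EXEFILE_COMMAND:
        return "clean"
    # Program token is either a quoted path or the first whitespace-delimited word.
    m = re.match(r'"([^"]*)"|(\S+)', v)
    program = (m.group(1) or m.group(2)) if m else ""
    if program == "%1":
        return "clean"
    if ntpath.basename(program).lower() == NESHTA_HANDLER_NAME:
        return "neshta"
    return "hijacked"


def read_live_exefile_command():
    """Read the real handler value on a Windows host; returns None elsewhere."""
    if platform.system() != "Windows":
        return None
    import winreg  # Windows-only module
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, EXEFILE_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


def find_pe_headers(data: bytes) -> list:
    """Offsets of every plausible PE image start: 'MZ' whose e_lfanew -> 'PE\\0\\0'.

    A clean executable has exactly one, at offset 0. A file hit by a prepender
    such as Neshta carries the virus image at 0 and the original host image
    right after it, so a second valid header is the signal.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            if e_lfanew >= 0x40 and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def looks_prepender_infected(data: bytes) -> bool:
    hdrs = find_pe_headers(data)
    return len(hdrs) >= 2 and hdrs[0] == 0


def _stub_pe(body_len: int) -> bytes:
    """Constructed minimal MZ/PE stub used as sample input (not a real binary)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)    # e_lfanew points right after it
    return bytes(hdr) + b"PE\x00\x00" + b"\x90" * body_len


CLEAN_SAMPLE = _stub_pe(200)                    # constructed: one image
INFECTED_SAMPLE = _stub_pe(300) + _stub_pe(200)  # constructed: "virus" + host


def main() -> None:
    value = read_live_exefile_command()
    if value is None:
        print("not Windows; classifying a constructed Neshta-style value")
        value = r'%SystemRoot%\svchost.com "%1" %*'
    print("exefile handler:", value, "->", classify_exefile_command(value))
    log = os.path.expandvars(LOG_FILE)
    if os.path.exists(log):
        print("Neshta log file present:", log)
    print("constructed infected sample flagged:", looks_prepender_infected(INFECTED_SAMPLE))


if __name__ == "__main__":
    main()
```

On a live host, run it before removing anything: a 'neshta' result means the default value must be reset to "%1" %* (and infected files disinfected or restored) before svchost.com is deleted. The directx.sys file, when present, points at the most recently infected executable and is a useful starting point for finding other infected files.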