Virus.Win32.Neshta.a

by Atlantis on April 12th, 2012 in Malware Descriptions.

Detect: Virus.Win32.Neshta.a
Platform: Win32
Type: Virus
Size: 41472 bytes
Language: Delphi
md5: BC93F4F527B58419EF42F19DB49F64A8
sha1: 2650A73B61577CFC0C0D80A7F38103D65388D808


Summary

This is a malicious program which infects executable files.

Technical Details 

Installation

When run, the virus searches for the file "svchost.com" in the Windows directory and deletes it:

%WinDir%\svchost.com

The virus then creates a new "%WinDir%\svchost.com" file and copies its body into it.

The virus modifies the value of the following system registry key parameter:

[HKCR\exefile\shell\open\command]

"(default)" = %WinDir%\svchost.com "%1" %*

Thus, whenever an EXE file is launched on the system, the virus runs first; the virus body receives the name of the program the user started as its command-line parameter.

The virus creates a "directx.sys" file in the Windows directory:

%WinDir%\directx.sys

Into this file the virus writes the paths of the files its body will infect on its next run.

Payload

To ensure that only one instance of it runs on the system, the virus creates a mutex with the following name:

  • MutexPolesskayaGlush

The virus searches all logical disks it finds and infects PE-EXE files. A file is infected only if it meets all of the following criteria:

  • The file size must be at least 41472 bytes and must not exceed 10000000 bytes;
  • The file must not be located on the logical disks A: or B:, nor on a CD-ROM;
  • The file must be located neither in the Windows directory (%WinDir%) nor in the Windows program directory (%ProgramFiles%).

The virus writes its body to the beginning of the file being infected and redirects the program entry point to the virus body. In the process, part of the original program file is encrypted.

If the virus body is run with the name of a user-launched program as its parameter, the full path of that program is written to the "%WinDir%\directx.sys" file so that it can be infected later, provided it meets the infection criteria listed above.

When an infected file is run (its size exceeds 41472 bytes), the virus body executes first, then decrypts the encrypted part of the original program, restores the program body it had prior to infection and executes it.

If the virus cannot restore the original program body in place, the restored program file is written, under its original name, to the subdirectory "3582-490" of the current Windows user's temporary directory:

%Temp%\3582-490\

Afterwards, the original file is executed.

The virus body contains the following strings:

Removal Recommendations

To remove the malicious program, follow the steps listed below:

  1. Restore the value of the system registry key (How to Work with System Registry):

     [HKCR\exefile\shell\open\command]

     "(default)" = "%1" %*

  2. Run a full scan of your computer using the Antivirus program with the updated definition database (Download Ad-Aware Free).
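As an added triage helper (not part of the original description), the following Python applies the two checks a responder would take from the text above: whether the exefile open handler still holds the clean `"%1" %*` value restored in step 1 or has been pointed at an svchost.com dropper, and whether a given file falls inside the infection criteria listed under Payload. The Windows and Program Files locations and the CD-ROM drive letters are parameters supplied by the caller, and the registry value is passed in as a string rather than read with winreg so that the logic runs on any platform.

```python
import re
from pathlib import PureWindowsPath

# Clean (default) value of HKCR\exefile\shell\open\command, as given in the
# removal recommendations above.
CLEAN_EXEFILE_COMMAND = '"%1" %*'
# File-size bounds the virus applies before infecting a PE-EXE file (bytes).
MIN_INFECT_SIZE = 41472
MAX_INFECT_SIZE = 10_000_000


def exefile_command_status(value: str) -> str:
    """Classify the EXE open handler as 'clean', 'neshta' or 'unknown'.

    'neshta' means the handler's program is named svchost.com, i.e. the
    %WinDir%\\svchost.com dropper described above (%WinDir% may appear
    literally or already expanded).  Any other interposed program is
    reported as 'unknown' and still deserves review.
    """
    v = value.strip()
    if v == CLEAN_EXEFILE_COMMAND:
        return "clean"
    # First token (optionally quoted), then the pass-through "%1" %* tail.
    m = re.match(r'^"?([^"]+?)"?\s+"%1"\s+%\*$', v)
    if m and m.group(1).lower().endswith("\\svchost.com"):
        return "neshta"
    return "unknown"


def in_infection_scope(path: str, size: int, windir: str = r"C:\Windows",
                       programfiles: str = r"C:\Program Files",
                       cdrom_drives: tuple = ()) -> bool:
    """Return True if the virus would consider this file for infection.

    Applies the three criteria from the description.  Assumptions: the
    Windows and Program Files exclusions cover the whole subtree, and the
    caller names the CD-ROM drive letters, which the text does not list.
    """
    if not (MIN_INFECT_SIZE <= size <= MAX_INFECT_SIZE):
        return False
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".exe":          # only PE-EXE files are targets
        return False
    drive = p.drive.rstrip(":").upper()
    if drive in ("A", "B") or drive in {d.upper() for d in cdrom_drives}:
        return False
    for excluded in (PureWindowsPath(windir), PureWindowsPath(programfiles)):
        if p == excluded or excluded in p.parents:   # case-insensitive
            return False
    return True
```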