Friday, 30 December 2005
W32.Neshuta is a virus that infects .exe and .com files.
Type: Virus
Infection Length: 41,472 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Damage
Payload Trigger: n/a
Payload: Infects .exe and .com files.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: Yes, infects .exe and .com files on all drives
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: .exe and .com files on all drives
When W32.Neshuta is executed, it performs the following actions:
Copies itself as the following file:
%Windir%\svchost.com
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
Creates the following mutex so that only one copy of the virus runs on the compromised computer at any one time:
fO-
Modifies the value:
"(Default)" = "%Windir%\svchost.com "%1" %*"
in the registry subkey:
HKEY_CLASSES_ROOT\exefile\shell\open\command
so that the virus copy is started, with the intended program and its arguments passed to it, every time an .exe file is launched.
Searches for and infects any .exe and .com files found on all drives installed on the compromised computer.
Writes a copy of each original file it infects to %Temp% and executes that copy, so the host program still appears to run normally.
Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
To restore the value in the registry
Navigate to the subkey:
HKEY_CLASSES_ROOT\exefile\shell\open\command
In the right pane, restore the value to:
"(Default)" = ""%1" %*"
(that is, the value data is "%1" %*, including the quotation marks around %1).
Exit the Registry Editor.
Restore this value before removing %Windir%\svchost.com: while the value still points at that file, deleting it stops every .exe on the system, including regedit.exe, from starting.
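As an added check that is not part of the original writeup, the PowerShell script below reads the value the procedure above restores, flags the pattern described in this writeup, reports whether the %Windir%\svchost.com copy is present, and puts the default back when run with a -Restore switch. The script and its switch are my own; the key, the clean value "%1" %* and the svchost.com path are the ones named above. Run it from an elevated prompt, since HKEY_CLASSES_ROOT\exefile is backed by HKLM\Software\Classes.

```powershell
# Added example, not code from the original writeup: check and optionally
# restore the exefile open command hijacked by W32.Neshuta.
param(
    [switch]$Restore   # without this switch the script only reports
)

$key      = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$expected = '"%1" %*'                              # clean value for .exe launches
$dropper  = Join-Path $env:windir 'svchost.com'    # virus copy named in the writeup

# GetValue('') returns the unnamed (Default) value of the key, or $null if unset.
$current = (Get-Item -Path $key).GetValue('')
Write-Output "exefile open command: $current"

$hijacked = $false
if ($current -ne $expected) {
    $hijacked = $true
    Write-Warning "Default value differs from the expected '$expected'."
    if ($current -match 'svchost\.com') {
        Write-Warning 'svchost.com is interposed on every .exe launch (W32.Neshuta pattern).'
    }
}

# svchost.com in %Windir% is the virus's own copy; the legitimate service host
# is svchost.exe in System32, so any file with this name here is suspect.
if (Test-Path -LiteralPath $dropper) {
    $size = (Get-Item -LiteralPath $dropper).Length
    Write-Warning "Found $dropper ($size bytes); remove it only after the registry value is restored."
}

if ($hijacked -and $Restore) {
    # Put the default back first; the companion file can then be deleted safely.
    Set-ItemProperty -Path $key -Name '(default)' -Value $expected
    Write-Output "Restored $key to $expected"
}
```

Because powershell.exe is itself launched through the hijacked key on an infected machine, run the check after the virus has been removed or from a clean environment, and keep the order the script enforces: registry value first, companion file second.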