Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:22/01/2010
Type:File infector
In the wild:No
Reported Infections:Medium
Distribution Potential:Low
Damage Potential:Medium
Static file:No
VDF version:
IVDF version:

 General Method of propagation:
   • Infects files

   •  Mcafee: W32/HLLP.41472.e virus
   •  Kaspersky: Virus.Win32.Neshta.a
   •  Sophos: W32/Bloat-A
   •  Bitdefender: Win32.Neshta.A
   •  Panda: W32/Neshta.A
   •  Eset: Win32/Neshta.A virus
   •  DrWeb: Win32.HLLP.Neshta
   •  Rising: Win32.Netsha.a

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Infects files
   • Registry modification

 Files It copies itself to the following location:
   • %WINDIR%\

The following file is created:

– Non malicious file:
   • %TEMPDIR%\tmp5023.tmp

 Registry The following registry key is added:

– HKCR\exefile\shell\open\command
   • "(Default)"="%WINDIR%\\ \"%1\" %*"

 File infection Code integration - The virus merges its own code with the host program's code. This is a complicated process that requires completely disassembling and reassembling of the host file.


This direct-action infector actively searches for files.

Infection length:

- 41.472 Bytes

Ignores files that:

Contain any of the following strings in their path:
   • %WINDIR%\

The following file is infected:

By file type:
   • Windows Executable File(exe)

 File details Programming language:
The malware program was written in Delphi.

Description inserted by Szewee Tan on Wednesday, June 22, 2011
Description updated by Szewee Tan on Wednesday, June 22, 2011

Back . . . .