{
	"id": "9b74b573-a8a3-447a-a229-d2f15d26f54a",
	"created_at": "2026-04-10T03:20:29.450739Z",
	"updated_at": "2026-04-10T13:11:48.222841Z",
	"deleted_at": null,
	"sha1_hash": "1801ff8a105329eceae02b24aa6471b061cd394d",
	"title": "Win32/Neshta.A | ESET Virusradar",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44502,
	"plain_text": "Win32/Neshta.A | ESET Virusradar\r\nArchived: 2026-04-10 02:51:02 UTC\r\nThe Wayback Machine -\r\nhttps://web.archive.org/web/20220119114002/https://www.virusradar.com/en/Win32_Neshta.A/description\r\nHome\r\n\u003eThreat Encyclopaedia\r\n\u003eDescriptions\r\n\u003e Win32/Neshta.A\r\nWin32/Neshta [Threat Name] go to Threat\r\nWin32/Neshta.A [Threat Variant Name]\r\nCategory virus\r\nSize 41472 B\r\nAliases Virus.Win32.Neshta.a (Kaspersky)\r\n  W32/HLLP.41472.e.virus (McAfee)\r\n  Virus:Win32/Neshta.A (Microsoft)\r\n  W32.Neshuta (Symantec)\r\nShort description\r\nWin32/Neshta.A is a file infector.\r\nInstallation\r\nWhen executed, the virus creates the following files:\r\n%temp%\\tmp5023.tmp\r\n%windir%\\directx.sys\r\n%windir%\\svchost.com (41472 B, Win32/Neshta.A)\r\nThe following Registry entry is set:\r\n[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\r\n\"(Default)\" = \"%windir%\\svchost.com \"%1\" %*\"\r\nThis causes the virus to be executed along with any program.\r\nExecutable file infection\r\nWin32/Neshta.A is a file infector.\r\nThe virus searches local drives for files with the following file extensions:\r\n.exe\r\nThe virus infects the files by inserting its code at the beginning of the original program.\r\nThe size of the inserted code is 41472 B .\r\nIt also infects files stored on removable and network drives.\r\nIt avoids files which contain any of the following strings in their path:\r\n%temp%\r\n%windir%\r\n\\PROGRA~1\\\r\nhttps://web.archive.org/web/20220119114002/https:/www.virusradar.com/en/Win32_Neshta.A/description\r\nPage 1 of 2\n\nSeveral other criteria are applied when choosing a file to infect.\r\nWhen an infected file is executed, the original program is being dropped into a temporary file and run.\r\nThe original file is stored in the following location:\r\n%temp%\\3582-490\\%filename%\r\nOther information\r\nIt contains the following text:\r\nDelphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. Прывiтанне усiм ~цiкавым~ беларус_кiм дзяучатам. Аляксандр Рыгоравiч, вам\r\n кепская пара... Алiварыя - лепшае пiва! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]\r\nSource: https://web.archive.org/web/20220119114002/https:/www.virusradar.com/en/Win32_Neshta.A/description\r\nhttps://web.archive.org/web/20220119114002/https:/www.virusradar.com/en/Win32_Neshta.A/description\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20220119114002/https:/www.virusradar.com/en/Win32_Neshta.A/description"
	],
	"report_names": [
		"description"
	],
	"threat_actors": [],
	"ts_created_at": 1775791229,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1801ff8a105329eceae02b24aa6471b061cd394d.pdf",
		"text": "https://archive.orkl.eu/1801ff8a105329eceae02b24aa6471b061cd394d.txt",
		"img": "https://archive.orkl.eu/1801ff8a105329eceae02b24aa6471b061cd394d.jpg"
	}
}