W32/Neshta-A is an appending virus for the Windows platform.
W32/Neshta-A will search for files to infect on logical drives including network shares.
When W32/Neshta-A is installed, the following files are created:
\svchost.com
The following registry entry is set or modified so that svchost.com runs whenever a file with the EXE extension is opened or launched:
HKCR\exefile\shell\open\command
(default)
\svchost.com "%1" %*
Win32/Neshta.A creates the mutex fO- while searching for files to infect.
The file directx.sys in the Windows folder is updated with the path of the last infected file to be run.
W32/Neshta-A connects to a remote server in Russia and uses POST to upload information gathered from the infected system, such as currently installed applications, running programs, and SMTP email accounts.
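
A triage check for the exefile handler change described above, as an added example that is not part of the original advisory or any vendor tool. It assumes English-locale `reg query` output; the function names are hypothetical and `C:\EXAMPLE` in the constructed sample is a placeholder directory, since the advisory does not give the full path.

```python
import re

# Stock Windows data for the (default) value: the launched EXE runs directly.
STOCK = '"%1" %*'

# Data column of an English-locale `reg query <key> /ve` line (assumption).
_DEFAULT_LINE = re.compile(r'^\s*\(Default\)\s+REG_(?:EXPAND_)?SZ\s+(.*)$', re.I | re.M)

# Constructed triage sample; C:\EXAMPLE is a placeholder, not from the advisory.
SAMPLE_INFECTED = r'''
HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    C:\EXAMPLE\svchost.com "%1" %*
'''


def extract_default(reg_query_text):
    """Pull the (default) value data out of saved `reg query` output, or None."""
    m = _DEFAULT_LINE.search(reg_query_text)
    return m.group(1).strip() if m else None


def classify(value):
    """Return (verdict, interposed_program) for an exefile open command."""
    if not value:
        return ("missing", None)
    norm = " ".join(value.split())
    if norm == STOCK:
        return ("stock", None)
    idx = norm.find("%1")
    # Text before "%1" is a program that runs in place of the launched EXE.
    program = (norm[:idx] if idx != -1 else norm).strip(' "')
    if not program:
        return ("modified", None)  # e.g. extra arguments after "%1" %*
    name = program.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return ("neshta-like" if name == "svchost.com" else "hijacked", program)


def read_live_value():
    """Read the live (default) value; Windows only."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        return winreg.QueryValueEx(key, "")[0]


if __name__ == "__main__":
    print(classify(extract_default(SAMPLE_INFECTED)))
```

On a live Windows host, `classify(read_live_value())` applies the same check to the current registry state; any verdict other than `stock` means something is interposed on every EXE launch and the handler should be restored after cleanup.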