A user facing "something"
Monday, August 17, 2020
Here is a conversation between a seriously aggravated user and our support engineer:
Don't you [censored] tell me that there are viruses in my legal software and the programs I’ve downloaded from official websites!!!!!
And in case you’ve [censored] completely lost it, here is a quick reminder: there is no way a system file can be a virus!!!!! And now because of you, you [censored], all my work is ruined!!!
I already regret switching from Avast to your anti-virus. It had its quirks for sure, but nothing that would ever compare to what Dr.Web has done. And believe me, I won't recommend your anti-virus to anyone. Actually, it will be the other way around.
A request submitted to Doctor Web's Technical Support Service
The threat was detected as Win32.HLLP.Neshta. That's a file infector that does compromise files. You can read a brief description here: https://ru.wikipedia.org/wiki/Neshta. Information about this threat is also available on our website: https://vms.drweb.ru/virus/?i=468&lng=en.
Make sure that all operating system updates are installed and scan the system with the anti-virus. LiveCD may work best here.
The reply from our Technical Support Service
Hey users, chill out! "There is no way a system file can be a virus!" and "don't tell me that there are viruses in my legal software". Apparently, people have already forgotten the era of file-infecting viruses.
We often mention that trojans are today's most common malicious programs. They don't infect other files by injecting their code into them; instead, someone has to deploy trojans on the targeted computers. True viruses, by contrast, are rare. Why? First, many files are digitally signed, and infecting a signed file invalidates its signature, so an anti-virus treats a file whose signature is missing or broken with suspicion. Second, designing a virus that can use sophisticated infection techniques is difficult and requires great skill.
However, "few" does not mean that there are no viruses whatsoever.
By the way, the angry user's system was infected by a specimen of unusual origin and with a peculiar name to boot.
Neshta is a Belarusian virus dating back to 2005. Its name stems from the Belarusian word "neshta", meaning "something".
Its code contains the following string:
Neshta 1.0 Made in Belarus.
Note this: the virus was discovered in 2005. That was fifteen years ago! A blast from the past. We can only wonder how and where the user ran into it. Naturally, Dr.Web knew about this virus and detected it as soon as we started scanning the infected computer.
But there are even more bizarre stories than this one.
The data was encrypted on a rented virtual server. As far as I understand, an attacker employed a trojan to steal the administrator password and then connected to the server at the moment when no other user was logged in. Then the intruder created the user Cuctema (System), added the new account to a local administrators group and encrypted all the available files they believed were of some importance. It appears that the programs they used were also infected with Neshta.
A technical support request
So the attacker's own tools were infected with a virus. Some top-notch cyber-attack!
What does this "something" actually do?
It infects EXE PE files whose size is 41472 bytes or larger.
When a file gets infected, the virus writes its code at the beginning of the file, whilst the original code is relocated to its end. A portion of relocated code (the first 1000 bytes) gets encrypted.
The virus copies itself to the Windows folder as svchost.com.
All attempts to start any of our applications failed. Running any executable file on the system first starts the malicious svchost.com, which in turn runs the virus. The virus then looks for files with the extension exe and infects them by injecting its code into them.
If the virus is launched with a parameter matching the name of an application the user is starting, it launches that program and saves the full path of its executable to %WinDir%\directx.sys so that the file can subsequently be infected.
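As an added example (not Dr.Web's code), here is a small Python triage script built from the indicators the article names: the "Neshta 1.0 Made in Belarus." string carried in the virus code that is prepended to every infected host, the 41472-byte minimum size of files the virus targets, and the svchost.com and directx.sys files it plants in the Windows folder. It assumes the marker string appears verbatim in an infected file and builds a constructed sample tree instead of touching real malware.

```python
import tempfile
from pathlib import Path

# Indicators taken from the article. The marker string is assumed to appear
# verbatim in the virus code that Neshta writes at the start of each host file.
NESHTA_MARKER = b"Neshta 1.0 Made in Belarus."
MIN_INFECTABLE_SIZE = 41472          # Neshta only targets EXE files this large or larger
DROPPED_FILES = ("svchost.com", "directx.sys")   # planted in the Windows folder


def looks_infected(data):
    """True if data is a PE image (MZ header) carrying the Neshta marker."""
    return data.startswith(b"MZ") and NESHTA_MARKER in data


def scan_tree(root):
    """Walk root and split .exe files into (infected, at_risk).

    at_risk lists clean executables that meet the size threshold, i.e. files the
    virus would have targeted had it run; they should be rescanned after cleanup."""
    infected, at_risk = [], []
    for path in Path(root).rglob("*.exe"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if not data.startswith(b"MZ"):
            continue                       # not a PE image, Neshta ignores it
        if NESHTA_MARKER in data:
            infected.append(path)
        elif len(data) >= MIN_INFECTABLE_SIZE:
            at_risk.append(path)
    return sorted(infected), sorted(at_risk)


def dropped_artifacts(windir):
    """Return whichever of the virus's dropped files exist in the Windows folder."""
    return [Path(windir) / name for name in DROPPED_FILES if (Path(windir) / name).exists()]


def demo():
    """Build a constructed sample tree (no real malware) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows").mkdir()
        (root / "app.exe").write_bytes(b"MZ" + NESHTA_MARKER + b"\0" * MIN_INFECTABLE_SIZE)
        (root / "tool.exe").write_bytes(b"MZ" + b"\0" * MIN_INFECTABLE_SIZE)   # clean, big enough
        (root / "tiny.exe").write_bytes(b"MZ" + b"\0" * 100)                   # clean, too small
        (root / "Windows" / "svchost.com").write_bytes(b"MZ" + NESHTA_MARKER)  # constructed copy
        infected, at_risk = scan_tree(root)
        return {"infected": [p.name for p in infected],
                "at_risk": [p.name for p in at_risk],
                "dropped": [p.name for p in dropped_artifacts(root / "Windows")]}
```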
The Anti-virus Times recommends
These incidents amply illustrate why information about old viruses must remain in anti-virus databases. Somehow users manage to infest their systems with exotic malware, and then our in-house zoologists (support engineers) have to work hard to eradicate it.
Scan all the files you download from the Internet with an anti-virus. Alas, even if a file is distributed under the "legal software" label, that won't magically prevent the file from getting infected.