SonicALERT
Search

Sonicwall Signatures

 

Go to All Categories list.


  Neshta.A_68
Neshta.A_68 is a Virus. Virus is a type of malware that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are then said to be "infected". Virus writers use social engineering and exploit detailed knowledge of security vulnerabilities to gain access to their hosts' computing resources.

      Process Related Changes
      It creates the following mutex(es):
      • ZonesLockedCacheCounterMutex"
      • DDrawWindowListMutex"
      • CTF.Compart.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • DDrawDriverObjectListMutex"
      • {1B655094-FE2A-433c-A877-FF9793445069}"
      • CTF.Layouts.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • http://tool.chacuo.net/"
      • CTF.Asm.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • CTF.LBES.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • c:!documents and settings!admin!cookies!"
      • ZonesCacheCounterMutex"
      • c:!documents and settings!admin!local settings!history!history.ie5!"
      • MSIMGSIZECacheMutex"
      • __DDrawCheckExclMode__"
      • WininetConnectionMutex"
      • c:!documents and settings!admin!local settings!temporary internet files!content.ie5!"
      • CTF.TMD.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • c:!documents and settings!admin!local settings!application data!microsoft!internet explorer!domstore!"
      • ZonesCounterMutex"
      • c:!documents and settings!admin!ietldcache!"
      • DirectSound DllMain mutex 0x000005F4"
      • CTF.TimListCache.FMPDefaultS-1-5-21-1078081533-842925246-854245398-1003MUTEX.DefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • ZoneAttributeCacheCounterMutex"
      • InternetExplorerDOMStoreQuota"
      • !PrivacIE!SharedMemory!Mutex"
      • __DDrawExclMode__"

      It creates the following process(es):
      • C:\WINDOWS\Temp\c2f0084954909dbf13ba4fd2b91da396.exe [ \c:\windows\temp\c2f0084954909dbf13ba4fd2b91da396.exe ]

      Network Activity
      We observed a large number of DNS queries, some of them are:
      • hm.baidu.com
      • www.chacuo.net
      • pagead2.googlesyndication.com
      • tool.chacuo.net
      • g.symcb.com
      • nsclick.baidu.com
      • googleads.g.doubleclick.net
      • crl.geotrust.com
      • pki.google.com
      • bdimg.share.baidu.com

      It attempts to connect to the following remote servers:
      • 127.xxxxxx:1029


      Relevant Information