W32/Nishe-A

Category	Viruses and Spyware
Type	Virus
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for disinfecting PE executables.

For recovery instructions please contact technical support.

More Information

Summary
Action
More Information

W32/Nishe-A infects all EXE files in the current folder and C:\Windows\Notepad.exe.

When an EXE file is infected the original clean file is encrypted and renamed to <name>.wal and the virus is copied to <name>.exe. When an infected file is executed the host file, <name>.wal is decrypted and executed.

W32/Nishe-A begins by creating a copy of itself as C:\Windows\Shine.exe and then setting the registry value

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Shine

to run C:\Windows\Shine.exe when Windows starts up.

When the virus is run via the above registry entry it will display a message box containing the text "We All Shine On, Like The Moon And The Stars And The Sun". The virus may also display a fake error message that reads "Unexpected error at address 00<Random Number>:<Random Number>".

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Nishe-A

Summary

Action

More Information