
Trojan:Win32/Necurs.gen!A


First posted on 19 September 2012.
Source: Microsoft

Aliases:

Trojan:Win32/Necurs.gen!A is also known as Trojan-Dropper.Win32.Necurs.bj (Kaspersky), Win32/SpamTool.Tedroo.AV trojan (ESET), Trojan-Dropper.Win32.Necurs (Ikarus), Mal/NecursDrp-A (Sophos), TROJ_SPNR.15HH12 (Trend Micro).

Explanation:

Trojan:Win32/Necurs.gen!A is a trojan that connects to certain servers to send and receive messages. At the time of publishing, the servers it connects to are unavailable.



Installation

Trojan:Win32/Necurs.gen!A drops the following file:

%windir%\installer\{GUID}\syshost.exe - also detected as Trojan:Win32/Necurs.gen!A

where {GUID} is a random 16-digit hexadecimal number.

It installs its dropped file as a service with the display name "Syshost.exe" and the group name "Boot Bus Extender". Installing itself as a service allows it to run every time Windows starts.

It also creates the following named pipe and events to make sure that only one instance of itself is running at any particular time:

  • named pipe \\.\NtSecureSys
  • event Global\NitrGB
  • event Local\NitrGB


Trojan:Win32/Necurs.gen!A injects code into all running processes. It does this to hide its behavior from antivirus software.

It connects to the following domains to check if the computer is connected to the Internet, and to get the current date and time; these websites are not affiliated with the malware in any way:

  • facebook.com
  • microsoft.com


Payload

Connects to certain servers

Trojan:Win32/Necurs.gen!A connects to the following servers every 20 seconds to send and receive messages:

  • 0.pool.ntp.org
  • 1.pool.ntp.org


At the time of publishing, these servers are unavailable.
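A defender-side check that the host artifacts listed under Installation (dropped file, service display name and group, named pipe, synchronization events) can be matched in endpoint logs. This is an added example, not part of Microsoft's write-up: the key=value log format and the sample lines are constructed, and expanding %windir% to <drive>:\Windows and allowing optional braces around the 16-hex-digit directory name are assumptions.

```python
import re

# Host indicators taken from the advisory text. %windir% is assumed to expand
# to <drive>:\Windows; the braces around the 16-hex-digit name are optional here
# because the advisory writes the placeholder as {GUID} (assumption).
DROPPED_FILE = re.compile(
    r"^[a-z]:\\windows\\installer\\\{?[0-9a-f]{16}\}?\\syshost\.exe$", re.I)
SERVICE_DISPLAY_NAME = "Syshost.exe"
SERVICE_GROUP = "Boot Bus Extender"
NAMED_PIPE = r"\\.\NtSecureSys"
EVENT_NAMES = {r"Global\NitrGB", r"Local\NitrGB"}

# Constructed key=value log lines (not real telemetry). Line 5 is a benign
# installer path and line 6 a pool.ntp.org connection, neither of which is an
# indicator: the advisory says those network hosts are unaffiliated.
SAMPLE_LINES = [
    r"type=FileCreate target=C:\Windows\Installer\{0123456789abcdef}\syshost.exe",
    r'type=ServiceInstall display_name=Syshost.exe group="Boot Bus Extender"',
    r"type=PipeCreated pipe=\\.\NtSecureSys",
    r"type=SyncObject name=Global\NitrGB",
    r"type=FileCreate target=C:\Windows\Installer\1a2b3c4d\setup.exe",
    r"type=NetworkConnect dest=0.pool.ntp.org",
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def match_indicators(fields):
    """Return the names of the advisory's host indicators present in one line."""
    hits = []
    if DROPPED_FILE.match(fields.get("target", "")):
        hits.append("dropped_file")
    if fields.get("display_name") == SERVICE_DISPLAY_NAME:
        hits.append("service_display_name")
    if fields.get("group") == SERVICE_GROUP:
        hits.append("service_group")
    if fields.get("pipe") == NAMED_PIPE:
        hits.append("named_pipe")
    if fields.get("name") in EVENT_NAMES:
        hits.append("sync_event")
    return hits


def scan(lines):
    """Return [(line_no, [indicator, ...]), ...] for lines with at least one hit."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = match_indicators(parse_line(line))
        if hits:
            results.append((n, hits))
    return results
```

Any single hit on the named pipe or event names is a strong signal on its own; the service and path checks are best combined, since a file named syshost.exe under %windir%\installer is unusual but a display name alone is easy to confuse with legitimate services.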



Analysis by Ferdinand Plazo

Last update 19 September 2012
