
Trojan:WinNT/Necurs.A


First posted on 05 December 2012.
Source: Microsoft

Aliases:

Trojan:WinNT/Necurs.A is also known as Mal/Necurs-A (Sophos), RTKT_NECURS.SMA (Trend Micro), Trojan.Hosts.5268 (Dr.Web), Trojan.Win32.Genome.aglua (Kaspersky), Trojan.WinNT.Necurs (Ikarus), Win32/SpamTool.Tedroo.AS (ESET).

Explanation:

Trojan:WinNT/Necurs.A is a trojan that prevents a large number of security applications from functioning correctly.

It is a member of the Trojan:Win32/Necurs family, and may be dropped by other variants of the family or rogue security software, such as Rogue:Win32/Winwebsec.



Installation

Trojan:WinNT/Necurs.A is dropped, installed and run by other malware, in particular by other variants of the Trojan:Win32/Necurs family.

The trojan is a kernel-mode driver that is dropped to the folder "<system folder>\drivers". It uses a filename consisting of random digits followed by a ".sys" extension, for example "48142.sys".

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, 7, and 8 it is "C:\Windows\System32".



Payload

Monitors system security access

Trojan:WinNT/Necurs.A monitors access to your computer's registry to prevent modification or removal of its registry entries.

The trojan installs a driver to monitor file access in an effort to block attempts to access and delete the trojan. Trojan:WinNT/Necurs.A also installs another driver to monitor your network.

We detect both of these drivers as Trojan:WinNT/Necurs.A.

If a backdoor component is installed (such as those downloaded by other variants of the Trojan:Win32/Necurs family), all network traffic is monitored by the trojan.

The trojan can then manipulate that traffic. For example, it can redirect HTTP (web) connections to the remote attacker, which allows specific traffic to be filtered or websites to be redirected.

Disables security software

Trojan:WinNT/Necurs.A prevents a large number of security applications from functioning correctly, including applications from the following companies:

  • Agnitum
  • ALWIL
  • Avira
  • Beijing Jiangmin
  • Beijing Rising
  • BitDefender
  • BullGuard
  • Check Point Software Technologies
  • CJSC Returnil
  • Comodo Security Solutions
  • Doctor Web
  • ESET
  • FRISK
  • G DATA
  • GRISOFT
  • Immunet
  • K7 Computing
  • Kaspersky Lab
  • NovaShield
  • Panda
  • PC Tools
  • Quick Heal Technologies
  • Sunbelt
  • Symantec
  • VirusBuster

Additional information

Trojan:WinNT/Necurs.A hooks the following native API functions to hinder detection and removal of the trojan:

  • NtOpenProcess
  • NtOpenThread


The trojan prevents the following security-related kernel drivers from loading so that its payload can run unhindered:

  • a2acc.sys
  • a2acc64.sys
  • a2gffi64.sys
  • a2gffx64.sys
  • a2gffx86.sys
  • ahnflt2k.sys
  • AhnRec2k.sys
  • AhnRghLh.sys
  • amfsm.sys
  • amm6460.sys
  • amm8660.sys
  • AntiLeakFilter.sys
  • antispyfilter.sys
  • AntiyFW.sys
  • ArfMonNt.sys
  • AshAvScan.sys
  • aswmonflt.sys
  • AszFltNt.sys
  • ATamptNt.sys
  • AVC3.SYS
  • AVCKF.SYS
  • avgmfi64.sys
  • avgmfrs.sys
  • avgmfx64.sys
  • avgmfx86.sys
  • avgntflt.sys
  • avmf.sys
  • BdFileSpy.sys
  • bdfm.sys
  • bdfsfltr.sys
  • caavFltr.sys
  • catflt.sys
  • cmdguard.sys
  • csaav.sys
  • cwdriver.sys
  • dkprocesshacker.sys
  • drivesentryfilterdriver2lite.sys
  • dwprot.sys
  • eamonm.sys
  • eeCtrl.sys
  • eeyehv.sys
  • eeyehv64.sys
  • eraser.sys
  • EstRkmon.sys
  • EstRkr.sys
  • fildds.sys
  • fortimon2.sys
  • fortirmon.sys
  • fortishield.sys
  • fpav_rtp.sys
  • fsfilter.sys
  • fsgk.sys
  • ggc.sys
  • HookCentre.sys
  • HookSys.sys
  • ikfilesec.sys
  • ino_fltr.sys
  • issfltr.sys
  • issregistry.sys
  • K7Sentry.sys
  • klbg.sys
  • kldback.sys
  • kldlinf.sys
  • kldtool.sys
  • klif.sys
  • kmkuflt.sys
  • KmxAgent.sys
  • KmxAMRT.sys
  • KmxAMVet.sys
  • KmxStart.sys
  • lbd.sys
  • MaxProtector.sys
  • mbam.sys
  • mfehidk.sys
  • mfencoas.sys
  • MiniIcpt.sys
  • mpFilter.sys
  • NanoAVMF.sys
  • NovaShield.sys
  • nprosec.sys
  • nregsec.sys
  • nvcmflt.sys
  • NxFsMon.sys
  • OADevice.sys
  • OMFltLh.sys
  • PCTCore.sys
  • PCTCore64.sys
  • pervac.sys
  • PktIcpt.sys
  • PLGFltr.sys
  • PSINFILE.SYS
  • PSINPROC.SYS
  • pwipf6.sys
  • PZDrvXP.sys
  • Rtw.sys
  • rvsmon.sys
  • sascan.sys
  • savant.sys
  • savonaccess.sys
  • SCFltr.sys
  • SDActMon.sys
  • SegF.sys
  • shldflt.sys
  • SMDrvNt.sys
  • snscore.sys
  • Spiderg3.sys
  • SRTSP.sys
  • SRTSP64.SYS
  • SRTSPIT.sys
  • ssfmonm.sys
  • ssvhook.sys
  • STKrnl64.sys
  • strapvista.sys
  • strapvista64.sys
  • THFilter.sys
  • tkfsavxp.sys
  • tkfsavxp64.sys
  • tkfsft.sys
  • tkfsft64.sys
  • tmevtmgr.sys
  • tmpreflt.sys
  • UFDFilter.sys
  • v3engine.sys
  • V3Flt2k.sys
  • V3Flu2k.sys
  • V3Ift2k.sys
  • V3IftmNt.sys
  • V3MifiNt.sys
  • Vba32dNT.sys
  • vcdriv.sys
  • vchle.sys
  • vcMFilter.sys
  • vcreg.sys
  • vradfil2.sys
  • ZxFsFilt.sys
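
The following Python script is an added example, not part of the Microsoft write-up, that turns two of the indicators above into a hunting check: the driver filename pattern from the Installation section (an all-digit name plus ".sys" under "<system folder>\drivers") and the list of security drivers the trojan blocks from loading. It works on constructed snapshots (a directory listing, service registry entries and a loaded-driver list) so that it runs offline; the service name "48142" and all sample entries are constructed for the example, and the blocklist in the script is a subset of the driver names listed above.

```python
"""
Hunting helpers for two on-disk indicators described in the write-up:
  1. a driver whose filename is random digits plus ".sys" in <system folder>\\drivers
  2. security drivers that are present on disk but not loaded (the trojan
     blocks a fixed list of them from loading)
Added example, not Microsoft's or malwarePDF's code. All inputs below are
constructed snapshots so the script runs offline.
"""
from __future__ import annotations

import re
from typing import Iterable, Mapping

# Naming pattern from the Installation section, e.g. "48142.sys".
# Anchored so that legitimate drivers such as "1394ohci.sys" do not match.
NUMERIC_SYS = re.compile(r"^\d+\.sys$", re.IGNORECASE)

# Subset of the drivers the page lists as blocked from loading;
# extend with the full list as needed.
BLOCKED_SECURITY_DRIVERS = frozenset({
    "aswmonflt.sys", "avgntflt.sys", "eamonm.sys", "klif.sys",
    "mbam.sys", "mfehidk.sys", "mpfilter.sys", "srtsp.sys",
})


def numeric_driver_names(listing: Iterable[str]) -> list[str]:
    """Filenames from a drivers\\ listing that match the all-digit pattern."""
    return sorted(name for name in listing if NUMERIC_SYS.match(name))


def services_pointing_at(services: Mapping[str, Mapping[str, object]],
                         names: Iterable[str]) -> list[str]:
    """Service names whose ImagePath basename is one of the given filenames.

    Only the basename is compared, case-insensitively, because the registry
    stores ImagePath in several forms ("system32\\drivers\\x.sys",
    "\\SystemRoot\\system32\\drivers\\x.sys").
    """
    wanted = {n.lower() for n in names}
    hits = []
    for svc, props in services.items():
        image = str(props.get("ImagePath", "")).replace("/", "\\").lower()
        if image.rsplit("\\", 1)[-1] in wanted:
            hits.append(svc)
    return sorted(hits)


def security_drivers_not_loaded(on_disk: Iterable[str],
                                loaded: Iterable[str]) -> list[str]:
    """Blocklisted security drivers present in drivers\\ but not loaded."""
    disk = {n.lower() for n in on_disk}
    running = {n.lower() for n in loaded}
    return sorted((BLOCKED_SECURITY_DRIVERS & disk) - running)


def triage(listing, services, loaded) -> dict[str, list[str]]:
    """Run all three checks and return the findings."""
    suspicious = numeric_driver_names(listing)
    return {
        "numeric_drivers": suspicious,
        "services_for_numeric_drivers": services_pointing_at(services, suspicious),
        "security_drivers_not_loaded": security_drivers_not_loaded(listing, loaded),
    }


# --- constructed sample snapshots (not taken from a real infection) ----------
SAMPLE_LISTING = [
    "1394ohci.sys", "48142.sys", "ACPI.sys", "afd.sys", "aswmonflt.sys",
    "disk.sys", "klif.sys", "ndis.sys", "tcpip.sys",
]
SAMPLE_SERVICES = {
    "ACPI":      {"ImagePath": "system32\\drivers\\ACPI.sys", "Start": 0},
    "aswMonFlt": {"ImagePath": "\\SystemRoot\\system32\\drivers\\aswmonflt.sys", "Start": 1},
    "klif":      {"ImagePath": "system32\\DRIVERS\\klif.sys", "Start": 1},
    # The service name for the dropped driver is constructed; the page gives none.
    "48142":     {"ImagePath": "\\SystemRoot\\system32\\drivers\\48142.sys", "Start": 1},
}
SAMPLE_LOADED = ["1394ohci.sys", "48142.sys", "ACPI.sys", "afd.sys",
                 "disk.sys", "ndis.sys", "tcpip.sys"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING, SAMPLE_SERVICES, SAMPLE_LOADED).items():
        print(f"{key}: {value}")
```

On a live host the three inputs would come from a listing of %SystemRoot%\System32\drivers, the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services, and the loaded-driver list (for example from driverquery). A security driver that is present on disk but not loaded is consistent with the blocking described above, but a disabled or partly uninstalled product produces the same picture, so confirm against the vendor's expected state before drawing conclusions.
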

Related encyclopedia entries

Trojan:Win32/Necurs

Rogue:Win32/Winwebsec



Analysis by Tim Liu

Last update 05 December 2012
