
Trojan:WinNT/Necurs.A


First posted on 17 March 2014.
Source: Microsoft

Aliases:

There are no other names known for Trojan:WinNT/Necurs.A.

Explanation:

Threat behavior

Installation

Trojan:WinNT/Necurs.A is dropped, installed and run by other malware, usually variants of the Trojan:Win32/Necurs family.

The trojan is dropped to the folder \drivers. It uses a file name made up of random numbers and a .sys extension, for example 48142.sys.
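The dropped file is the most concrete artifact this entry gives (and the same one the Symptoms section at the end points to): a .sys file in the drivers folder whose name is nothing but digits. The PowerShell triage script below is an added example, not code from the Microsoft write-up or from the malwarePDF site. It assumes the standard Windows locations for the drivers folder and the Services registry key; the digit-only name pattern, the output fields and the cross-check against driver service entries are this script's own choices. Run it from an elevated prompt.

```powershell
# Added example (not part of the encyclopedia entry): hunt for a kernel driver
# whose file name is made only of digits plus a .sys extension, e.g. 48142.sys,
# and for any driver service that loads such a file at boot.
# Assumptions: the standard drivers folder and Services key locations below.

$driverDir   = Join-Path $env:SystemRoot 'System32\drivers'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# 1. Files on disk whose base name is digits only (^\d+$) with a .sys extension.
$numericDrivers = Get-ChildItem -Path $driverDir -Filter '*.sys' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match '^\d+$' }

foreach ($f in $numericDrivers) {
    # Legitimate Windows drivers are signed; a digit-named, unsigned driver is worth pulling for analysis.
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        SizeBytes = $f.Length
        Created   = $f.CreationTime
        Signature = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject   # $null when the file is unsigned
    }
}

# 2. Driver services (Type 1 = SERVICE_KERNEL_DRIVER) whose ImagePath ends in
#    \<digits>.sys: this is how a dropped driver gets loaded at every boot.
Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($props.Type -eq 1 -and $props.ImagePath -match '\\(\d+)\.sys$') {
        [pscustomobject]@{
            Service   = $_.PSChildName
            ImagePath = $props.ImagePath
            Start     = $props.Start   # 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled
        }
    }
}
```

Because the entry states that the trojan installs drivers to monitor file and registry access and block attempts to reach its own files and keys, an empty result on a live, infected machine is not conclusive: the rootkit can hide its artifacts from user-mode enumeration. Repeat the same checks against the disk mounted offline, or from a boot environment, before treating the host as clean.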

Payload

Monitors system security access

Trojan:WinNT/Necurs.A monitors access to your PC registry to prevent modification or removal of its registry entries.

It installs a driver to monitor file access so it can block attempts to access and delete the trojan. Trojan:WinNT/Necurs.A also installs another driver to monitor your network.

We detect both of these drivers as Trojan:WinNT/Necurs.A.

If a backdoor component is installed (such as those downloaded by other variants of the Trojan:Win32/Necurs family), all network traffic is monitored by the trojan.

The trojan can then manipulate the network traffic. For example, it can redirect web (HTTP) connections to the remote attacker for certain purposes, such as filtering specific traffic or redirecting websites.

Disables security software

Trojan:WinNT/Necurs.A prevents a large list of security applications from functioning correctly, including applications from the following companies:

  • Agnitum
  • ALWIL
  • Avira
  • Beijing Jiangmin
  • Beijing Rising
  • BitDefender
  • BullGuard
  • Check Point Software Technologies
  • CJSC Returnil
  • Comodo Security Solutions
  • Doctor Web
  • ESET
  • FRISK
  • G DATA
  • GRISOFT
  • Immunet
  • K7 Computing
  • Kaspersky Lab
  • NovaShield
  • Panda
  • PC Tools
  • Quick Heal Technologies
  • Sunbelt
  • Symantec
  • VirusBuster


Additional information

Trojan:WinNT/Necurs.A hooks the following APIs to hinder detection and removal of the trojan:

  • NtOpenProcess
  • NtOpenThread


To let its payload run unhindered, the trojan prevents the following security-related driver files from loading:

  • a2acc.sys
  • a2acc64.sys
  • a2gffi64.sys
  • a2gffx64.sys
  • a2gffx86.sys
  • ahnflt2k.sys
  • AhnRec2k.sys
  • AhnRghLh.sys
  • amfsm.sys
  • amm6460.sys
  • amm8660.sys
  • AntiLeakFilter.sys
  • antispyfilter.sys
  • AntiyFW.sys
  • ArfMonNt.sys
  • AshAvScan.sys
  • aswmonflt.sys
  • AszFltNt.sys
  • ATamptNt.sys
  • AVC3.SYS
  • AVCKF.SYS
  • avgmfi64.sys
  • avgmfrs.sys
  • avgmfx64.sys
  • avgmfx86.sys
  • avgntflt.sys
  • avmf.sys
  • BdFileSpy.sys
  • bdfm.sys
  • bdfsfltr.sys
  • caavFltr.sys
  • catflt.sys
  • cmdguard.sys
  • csaav.sys
  • cwdriver.sys
  • dkprocesshacker.sys
  • drivesentryfilterdriver2lite.sys
  • dwprot.sys
  • eamonm.sys
  • eeCtrl.sys
  • eeyehv.sys
  • eeyehv64.sys
  • eraser.sys
  • EstRkmon.sys
  • EstRkr.sys
  • fildds.sys
  • fortimon2.sys
  • fortirmon.sys
  • fortishield.sys
  • fpav_rtp.sys
  • fsfilter.sys
  • fsgk.sys
  • ggc.sys
  • HookCentre.sys
  • HookSys.sys
  • ikfilesec.sys
  • ino_fltr.sys
  • issfltr.sys
  • issregistry.sys
  • K7Sentry.sys
  • klbg.sys
  • kldback.sys
  • kldlinf.sys
  • kldtool.sys
  • klif.sys
  • kmkuflt.sys
  • KmxAgent.sys
  • KmxAMRT.sys
  • KmxAMVet.sys
  • KmxStart.sys
  • lbd.sys
  • MaxProtector.sys
  • mbam.sys
  • mfehidk.sys
  • mfencoas.sys
  • MiniIcpt.sys
  • mpFilter.sys
  • NanoAVMF.sys
  • NovaShield.sys
  • nprosec.sys
  • nregsec.sys
  • nvcmflt.sys
  • NxFsMon.sys
  • OADevice.sys
  • OMFltLh.sys
  • PCTCore.sys
  • PCTCore64.sys
  • pervac.sys
  • PktIcpt.sys
  • PLGFltr.sys
  • PSINFILE.SYS
  • PSINPROC.SYS
  • pwipf6.sys
  • PZDrvXP.sys
  • Rtw.sys
  • rvsmon.sys
  • sascan.sys
  • savant.sys
  • savonaccess.sys
  • SCFltr.sys
  • SDActMon.sys
  • SegF.sys
  • shldflt.sys
  • SMDrvNt.sys
  • snscore.sys
  • Spiderg3.sys
  • SRTSP.sys
  • SRTSP64.SYS
  • SRTSPIT.sys
  • ssfmonm.sys
  • ssvhook.sys
  • STKrnl64.sys
  • strapvista.sys
  • strapvista64.sys
  • THFilter.sys
  • tkfsavxp.sys
  • tkfsavxp64.sys
  • tkfsft.sys
  • tkfsft64.sys
  • tmevtmgr.sys
  • tmpreflt.sys
  • UFDFilter.sys
  • v3engine.sys
  • V3Flt2k.sys
  • V3Flu2k.sys
  • V3Ift2k.sys
  • V3IftmNt.sys
  • V3MifiNt.sys
  • Vba32dNT.sys
  • vcdriv.sys
  • vchle.sys
  • vcMFilter.sys
  • vcreg.sys
  • vradfil2.sys
  • ZxFsFilt.sys
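
A practical way to check a host for this behaviour is to ask which of the driver files above are present on disk but are not running according to the Service Control Manager. The script below is an added example, not code from the Microsoft write-up or from the malwarePDF site. It embeds only a subset of the file names listed above (extend `$blockedDrivers` with the rest as needed) and assumes the standard drivers folder location; the `Suspect` logic is this script's own heuristic.

```powershell
# Added example (not part of the encyclopedia entry): report security driver
# files that exist in the drivers folder but are not in the Running state.
# Assumption: $blockedDrivers is a subset of the list above; extend it yourself.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

# Subset of the driver file names given in the entry (constructed selection).
$blockedDrivers = @(
    'aswmonflt.sys', 'avgntflt.sys', 'bdfsfltr.sys', 'cmdguard.sys', 'eamonm.sys',
    'klif.sys', 'mbam.sys', 'mfehidk.sys', 'mpFilter.sys', 'SRTSP.sys', 'tmpreflt.sys'
)

# Kernel drivers as the SCM reports them, keyed by lower-cased image file name.
# PathName may be a plain path, \SystemRoot\..., or a \??\C:\... NT path;
# GetFileName handles all of these once the \??\ prefix is stripped.
$running = @{}
Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    if ($_.PathName) {
        $name = [System.IO.Path]::GetFileName(($_.PathName -replace '^\\\?\?\\', ''))
        $running[$name.ToLower()] = $_.State   # Running or Stopped
    }
}

foreach ($driver in $blockedDrivers) {
    $path = Join-Path $driverDir $driver
    if (Test-Path -LiteralPath $path) {
        $state = $running[$driver.ToLower()]
        [pscustomobject]@{
            Driver  = $driver
            OnDisk  = $true
            State   = if ($state) { $state } else { 'Not reported by SCM' }
            # A filter driver that is installed but not running matches the
            # "prevents ... from loading" behaviour described in the entry.
            Suspect = ($state -ne 'Running')
        }
    }
}
```

Treat a `Suspect` row as a lead, not a verdict: a driver file left behind by an uninstalled product is also on disk and stopped. Cross-check loaded minifilters with `fltmc.exe filters` from an elevated prompt, and remember that the same caveat as for the file hunt applies, since the rootkit's own file and registry monitoring can hide results from user-mode queries on a live system.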


Related encyclopedia entries

Trojan:Win32/Necurs

Rogue:Win32/Winwebsec



Analysis by Tim Liu

Symptoms

The following could indicate that you have this threat on your PC:

  • Your installed security application does not run correctly or does not run at all
  • You have this file:

    \drivers\.sys

Last update 17 March 2014
