Home / malware

PDF

Trojan:Win64/Necurs.A

First posted on 09 April 2014.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win64/Necurs.A.

Explanation :

Threat behavior

Installation

Trojan:Win64/Necurs.A is dropped, installed and run by other malware, usually variants of the Trojan:Win32/Necurs family.

The trojan is dropped to the folder \drivers. It uses a file name made up of random numbers and a .sys extension, for example 48142.sys.

Payload

Monitors system security access

Trojan:Win64/Necurs.A monitors access to your PC registry to prevent modification or removal of its registry entries.

It installs a driver to monitor file access so it can block tries to access and delete the trojan. We detect this driver as Trojan:Win64/Necurs.A.

The trojan can then manipulate the network traffic. For example, it can redirect web (HTTP) connections to the remote attacker for certain purposes, like filtering specific traffic or redirecting websites.

Disables security software

Trojan:Win64/Necurs.A prevents a large list of security applications from functioning correctly, including applications from the following companies:

• Agnitum
• ALWIL
• Avira
• Beijing Jiangmin
• Beijing Rising
• BitDefender
• BullGuard
• Check Point Software Technologies
• CJSC Returnil
• Comodo Security Solutions
• Doctor Web
• ESET
• FRISK
• G DATA
• GRISOFT
• Immunet
• K7 Computing
• Kaspersky Lab
• NovaShield
• Panda
• PC Tools
• Quick Heal Technologies
• Sunbelt
• Symantec
• VirusBuster

Additional information

Trojan:Win64/Necurs.A hooks the following APIs to hinder detection and removal of the trojan:

• NtOpenProcess
• NtOpenThread

The trojan prevents the following security-related files from loading to enable its payload:

• a2acc.sys
• a2acc64.sys
• a2gffi64.sys
• a2gffx64.sys
• a2gffx86.sys
• ahnflt2k.sys
• AhnRec2k.sys
• AhnRghLh.sys
• amfsm.sys
• amm6460.sys
• amm8660.sys
• AntiLeakFilter.sys
• antispyfilter.sys
• AntiyFW.sys
• ArfMonNt.sys
• AshAvScan.sys
• aswmonflt.sys
• AszFltNt.sys
• ATamptNt.sys
• AVC3.SYS
• AVCKF.SYS
• avgmfi64.sys
• avgmfrs.sys
• avgmfx64.sys
• avgmfx86.sys
• avgntflt.sys
• avmf.sys
• BdFileSpy.sys
• bdfm.sys
• bdfsfltr.sys
• caavFltr.sys
• catflt.sys
• cmdguard.sys
• csaav.sys
• cwdriver.sys
• dkprocesshacker.sys
• drivesentryfilterdriver2lite.sys
• dwprot.sys
• eamonm.sys
• eeCtrl.sys
• eeyehv.sys
• eeyehv64.sys
• eraser.sys
• EstRkmon.sys
• EstRkr.sys
• fildds.sys
• fortimon2.sys
• fortirmon.sys
• fortishield.sys
• fpav_rtp.sys
• fsfilter.sys
• fsgk.sys
• ggc.sys
• HookCentre.sys
• HookSys.sys
• ikfilesec.sys
• ino_fltr.sys
• issfltr.sys
• issregistry.sys
• K7Sentry.sys
• klbg.sys
• kldback.sys
• kldlinf.sys
• kldtool.sys
• klif.sys
• kmkuflt.sys
• KmxAgent.sys
• KmxAMRT.sys
• KmxAMVet.sys
• KmxStart.sys
• lbd.sys
• MaxProtector.sys
• mbam.sys
• mfehidk.sys
• mfencoas.sys
• MiniIcpt.sys
• mpFilter.sys
• NanoAVMF.sys
• NovaShield.sys
• nprosec.sys
• nregsec.sys
• nvcmflt.sys
• NxFsMon.sys
• OADevice.sys
• OMFltLh.sys
• PCTCore.sys
• PCTCore64.sys
• pervac.sys
• PktIcpt.sys
• PLGFltr.sys
• PSINFILE.SYS
• PSINPROC.SYS
• pwipf6.sys
• PZDrvXP.sys
• Rtw.sys
• rvsmon.sys
• sascan.sys
• savant.sys
• savonaccess.sys
• SCFltr.sys
• SDActMon.sys
• SegF.sys
• shldflt.sys
• SMDrvNt.sys
• snscore.sys
• Spiderg3.sys
• SRTSP.sys
• SRTSP64.SYS
• SRTSPIT.sys
• ssfmonm.sys
• ssvhook.sys
• STKrnl64.sys
• strapvista.sys
• strapvista64.sys
• THFilter.sys
• tkfsavxp.sys
• tkfsavxp64.sys
• tkfsft.sys
• tkfsft64.sys
• tmevtmgr.sys
• tmpreflt.sys
• UFDFilter.sys
• v3engine.sys
• V3Flt2k.sys
• V3Flu2k.sys
• V3Ift2k.sys
• V3IftmNt.sys
• V3MifiNt.sys
• Vba32dNT.sys
• vcdriv.sys
• vchle.sys
• vcMFilter.sys
• vcreg.sys
• vradfil2.sys
• ZxFsFilt.sys

Related encyclopedia entries

Trojan:Win32/Necurs

Rogue:Win32/Winwebsec



Analysis by Tim Liu

Symptoms

The following could indicate that you have this threat on your PC:

• Your installed security application does not run correctly or does not run at all
• You have this file:
  
  \drivers\.sys
  

Last update 09 April 2014

 

TOP