Home / malware Trojan:Win32/Necurs
First posted on 05 December 2012.
Source: MicrosoftAliases :
Trojan:Win32/Necurs is also known as Win32/TojanDownloader.Necurs.B (ESET), Trojan-Dropper.Win32.Necurs.va (Kaspersky).
Explanation :
Trojan:Win32/Necurs is a family of malware that work together to download additional malware and enable backdoor access and control of your computer.
The malware can be installed on its own or alongside rogue security software, such as Rogue:Win32/Winwebsec.
Installation
Trojan:Win32/Necurs is downloaded onto your computer via a drive-by download when you access compromised or infected websites.
The malware downloads itself into the folder "%windir%\Installer\<random GUID>", where <random GUID> is a unique number that identifies your computer, for example "%windir%\Installer\{df3d9e18-342c-8c07-8dab-13e76d8b4322}".
Note: %windir% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Windows folder for Windows 2000 and NT is "C:\WinNT"; and for XP, Vista, 7, and 8 it is "C:\Windows".
In the wild, we have observed Trojan:Win32/Necurs use the name "syshost.exe" and one of the following icons:
Trojan:Win32/Necurs attempts to install itself as an auto-starting Windows service in order to run itself automatically after your computer restarts.
If this service installation fails, Trojan:Win32/Necurs modifies the following registry entry to ensure that its copy runs at each Windows start:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "syshost32"
With data: "%windir%\Installer\<random GUID>\syshost.exe"
Payload
Disables security software
Variants of Trojan:Win32/Necurs drop and run an additional component, detected as Trojan:WinNT/Necurs.A. This component prevents a large number of security applications from functioning correctly, including applications from the following companies:
- Agnitum
- ALWIL
- Avira
- Beijing Jiangmin
- Beijing Rising
- BitDefender
- BullGuard
- Check Point Software Technologies
- CJSC Returnil
- Comodo Security Solutions
- Doctor Web
- ESET
- FRISK
- G DATA
- GRISOFT
- Immunet
- K7 Computing
- Kaspersky Lab
- Microsoft
- NovaShield
- Panda
- PC Tools
- Quick Heal Technologies
- Sunbelt
- Symantec
- VirusBuster
The component can run on both 32-bit and 64-bit systems.
Disables firewall
Variants of Trojan:Win32/Necurs can disable the firewall by running the following command:
<system folder>\netsh.exe" firewall set opmode mode=DISABLE profile=ALL
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, 7, and 8 it is "C:\Windows\System32".
Injects code
Some variants of Trojan:Win32/Necurs can inject code into all running processes. The injected code is known as a "dead byte"; certain system processes will cause your computer to restart if they are injected with this code.
Contacts remote hosts
Trojan:Win32/Necurs contacts a remote host for command and control instructions via HTTP port 80.
The malware's authors frequently update the list of hosts, however we have observed it attempting to connect to the following URLs:
- hxxp://pbmwtovcjeyvnauw.in/cgi-bin/auth.cgi
- hxxp://dnsplast.com/cgi-bin/auth.cgi
Commonly, malware may contact a remote host for the following purposes:
- To confirm Internet connectivity
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer, including:
- The version of Windows you are using
- Information about the region and language settings of your computer
- Information about Trojan:Win32/Necurs's installation or configuration
In older variants Trojan:Win32/Necurs can be used to download rogue security software, such as Rogue:Win32/Winwebsec.
Newer variants have been observed receiving and loading a malicious DLL component from the remote host for the purpose of sending spam emails via Gmail.
Trojan:Win32/Necurs saves a copy of the component as "<random GUID>.tmps" to the %TEMP% folder, for example "%TEMP%\7ea7a638-d659-97f6-31a1-3ce2eaf08942.tmps".
Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location for the All Users Profile folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista, 7 and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".
The component obtains your computer's external IP address, which it sends back to the remote host.
The component then receives information from the remote host which it uses to send spam emails via Gmail.
Additional information
When dropping the Trojan:WinNT/Necurs.A component on a 64-bit computer, Trojan:Win32/Necurs runs the command "bcdedit.exe -set TESTSIGNING ON" to bypass kernel patch protection (commonly known as "PatchGuard").
All data sent and received by Trojan:Win32/Necurs is encrypted and signed with an MD5 or SHA1 encryption key.
Related encyclopedia entries
Rogue:Win32/Winwebsec
Trojan:WinNT/Necurs.A
Analysis by Tim Liu
Last update 05 December 2012