Win32/TrojanDownloader.Necurs [Threat Name] go to Threat

Win32/TrojanDownloader.Necurs.A [Threat Variant Name]

Available cleaner [Download Necurs Cleaner ]

Category trojan
Detection created May 24, 2011
Signature database version 10176
Aliases Trojan-Downloader.Win32.Necurs.a (Kaspersky)
  Trojan:Win32/Necurs.A (Microsoft)
  Downloader (Symantec)
Short description

Win32/TrojanDownloader.Necurs.A is a trojan which tries to download other malware from the Internet. It uses techniques common for rootkits.

Installation

The trojan does not create any copies of itself.


The trojan drops one of the following files in the %system%\drivers\ folder:

  • %variable1%.sys (34816 B)
  • %variable2%.sys (43520 B)

A string with variable content is used instead of %variable1-2% .


The trojan installs one of the following system drivers (path, name):

  • %system%\­drivers\­%variable1%.sys
  • %system%\­drivers\­%variable2%.sys

In order to be executed on system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­RunOnce]
    • "%variable%" = "%malwarefilepath% afterreboot"

A string with variable content is used instead of %variable% .


The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­%variable1-2%]
    • "ImagePath" = "%system%\­drivers\­%variable1-2%.sys"
    • "Group" = "Boot Bus Extender"
    • "ErrorControl" = 0
    • "Type" = 1
    • "Start" = 0
    • "Tag" = 1
    • "DisplayName" = ""

After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan contains a list of (6) URLs.


It tries to download a file from the addresses. The HTTP protocol is used.


The file is stored in the following location:

  • %temp%\­%variable%.exe

A string with variable content is used instead of %variable% .


The file is then executed.


The trojan disables various security related applications.


The trojan may execute the following commands:

  • bcdedit.exe -set TESTSIGNING ON

The trojan may perform operating system restart.

Please enable Javascript to ensure correct displaying of this content and refresh this page.