Win32/TrojanDownloader.Necurs [Threat Name]
Win32/TrojanDownloader.Necurs.A [Threat Variant Name]
Available cleaner [Download Necurs Cleaner]
Category | trojan |
Aliases | Trojan-Downloader.Win32.Necurs.a (Kaspersky) |
 | Trojan:Win32/Necurs.A (Microsoft) |
 | Downloader (Symantec) |
Short description
Win32/TrojanDownloader.Necurs.A is a trojan which tries to download other malware from the Internet. It uses techniques common for rootkits.
Installation
The trojan does not create any copies of itself.
The trojan drops one of the following files in the %system%\drivers\ folder:
- %variable1%.sys (34816 B)
- %variable2%.sys (43520 B)
A string with variable content is used instead of %variable1-2%.
The trojan installs one of the following system drivers (path, name):
- %system%\drivers\%variable1%.sys
- %system%\drivers\%variable2%.sys
In order to be executed on system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
  - "%variable%" = "%malwarefilepath% afterreboot"
A string with variable content is used instead of %variable%.
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%variable1-2%]
  - "ImagePath" = "%system%\drivers\%variable1-2%.sys"
  - "Group" = "Boot Bus Extender"
  - "ErrorControl" = 0
  - "Type" = 1
  - "Start" = 0
  - "Tag" = 1
  - "DisplayName" = ""
After the installation is complete, the trojan deletes the original executable file.
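The registry footprint described above can be checked offline against the text output of `reg export`. The following is an added example, not part of the original description: the sample export, the key name `a1b2c3d4` and the value name `xkqz` are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in `reg export` text form; key and value names are made up.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\a1b2c3d4]
"ImagePath"="C:\\Windows\\system32\\drivers\\a1b2c3d4.sys"
"Group"="Boot Bus Extender"
"ErrorControl"=dword:00000000
"Type"=dword:00000001
"Start"=dword:00000000
"Tag"=dword:00000001
"DisplayName"=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\disk]
"ImagePath"="system32\\drivers\\disk.sys"
"Group"="SCSI Class"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"xkqz"="C:\\Users\\u\\AppData\\Local\\Temp\\xkqz.exe afterreboot"
'''

# Service values listed in the description (ImagePath is checked separately).
PROFILE = {"Group": "Boot Bus Extender", "ErrorControl": 0, "Type": 1,
           "Start": 0, "Tag": 1, "DisplayName": ""}

def parse_reg(text):
    """Parse `reg export` text into {key: {value: str|int}} (string and dword only)."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and (m := re.match(r'"(.*?)"=(.*)$', line)):
            name, raw = m.groups()
            if raw.startswith("dword:"):
                cur[name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                cur[name] = raw[1:-1].replace("\\\\", "\\")
    return keys

def find_matches(keys):
    """Flag service keys matching PROFILE and RunOnce data ending in ' afterreboot'."""
    hits = []
    for path, vals in keys.items():
        low, name = path.lower(), path.rsplit("\\", 1)[-1].lower()
        image = str(vals.get("ImagePath", "")).lower()
        if ("\\services\\" in low and image.endswith(f"\\drivers\\{name}.sys")
                and all(vals.get(k) == v for k, v in PROFILE.items())):
            hits.append(("driver-service", path))
        elif low.endswith("\\currentversion\\runonce"):
            hits += [("runonce", n) for n, d in vals.items()
                     if str(d).endswith(" afterreboot")]
    return hits
```

`reg export` writes UTF-16 files, so read them with `encoding="utf-16"` before calling `parse_reg`. Values exported as `hex(2):` (common for `ImagePath`) are not decoded by this parser and would need decoding first.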
Other information
The trojan contains a list of 6 URLs.
It tries to download a file from these addresses using the HTTP protocol.
The file is stored in the following location:
- %temp%\%variable%.exe
A string with variable content is used instead of %variable%.
The file is then executed.
The trojan disables various security-related applications.
The trojan may execute the following commands:
- bcdedit.exe -set TESTSIGNING ON
The trojan may restart the operating system.