Win32/TrojanDownloader.Necurs [Threat Name] go to Threat

Win32/TrojanDownloader.Necurs.B [Threat Variant Name]

Available cleaner [Download Necurs Cleaner ]

Category trojan
Size 75776 B
Aliases Trojan-Dropper.Win32.Necurs.wgk (Kaspersky)
  Trojan:Win32/Necurs (Microsoft)
Short description

Win32/TrojanDownloader.Necurs.B is a trojan which tries to download other malware from the Internet.


When executed, the trojan copies itself into the following location:

  • %windir%\­Installer\­{%variableguid%}\­syshost.exe

The trojan creates the following files:

  • %temp%\­variable.tmp

A string with variable content is used instead of %variableguid%, %variable% .

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­syshost32]
    • "ImagePath = ""%windir%\­Installer\­{variableGUID}\­syshost.exe" /service"
    • "ObjectName = "LocalSystem"
    • "Type" = 16
    • "Start" = 2
    • "%variable%" = "%variable%"
Other information

The trojan acquires data and commands from a remote computer or the Internet.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • open ports
  • create Registry entries

The trojan quits immediately if it is run within a debugger.

The trojan terminates its execution if it detects that it's running in a specific virtual environment.

The trojan disables various security related applications.

Please enable Javascript to ensure correct displaying of this content and refresh this page.