Trojan:WinNT/Necurs.A


Microsoft security software detects and removes this threat.

This trojan can stop a number of security programs from working on your PC. It can also monitor what you do online.

It can be installed by other members of the Trojan:Win32/Necurs family or by rogue security software, like Rogue:Win32/Winwebsec.

Find out ways that malware can get on your PC.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Trojan:WinNT/Necurs.A is dropped, installed and run by other malware, usually variants of the Trojan:Win32/Necurs family.

The trojan is dropped to the folder <system folder>\drivers. It uses a file name made up of random numbers and a .sys extension, for example 48142.sys.

Payload

Monitors system security access

Trojan:WinNT/Necurs.A monitors access to your PC registry to prevent modification or removal of its registry entries.

It can also manipulate network traffic. For example, it can redirect web (HTTP) connections through a host controlled by the remote attacker, which lets the attacker filter specific traffic or redirect visits to websites.

Disables security software

Trojan:WinNT/Necurs.A prevents a large list of security applications from functioning correctly, including applications from the following companies:

  • Agnitum
  • ALWIL
  • Avira
  • Beijing Jiangmin
  • Beijing Rising
  • BitDefender
  • BullGuard
  • Check Point Software Technologies
  • CJSC Returnil
  • Comodo Security Solutions
  • Doctor Web
  • ESET
  • FRISK
  • G DATA
  • GRISOFT
  • Immunet
  • K7 Computing
  • Kaspersky Lab
  • NovaShield
  • Panda
  • PC Tools
  • Quick Heal Technologies
  • Sunbelt
  • Symantec
  • VirusBuster

Additional information

Trojan:WinNT/Necurs.A hooks the following APIs to hinder detection and removal of the trojan:

  • NtOpenProcess
  • NtOpenThread

The trojan prevents the following security-related files from loading to enable its payload:

  • a2acc.sys
  • a2acc64.sys
  • a2gffi64.sys
  • a2gffx64.sys
  • a2gffx86.sys
  • ahnflt2k.sys
  • AhnRec2k.sys
  • AhnRghLh.sys
  • amfsm.sys
  • amm6460.sys
  • amm8660.sys
  • AntiLeakFilter.sys
  • antispyfilter.sys
  • AntiyFW.sys
  • ArfMonNt.sys
  • AshAvScan.sys
  • aswmonflt.sys
  • AszFltNt.sys
  • ATamptNt.sys
  • AVC3.SYS
  • AVCKF.SYS
  • avgmfi64.sys
  • avgmfrs.sys
  • avgmfx64.sys
  • avgmfx86.sys
  • avgntflt.sys
  • avmf.sys
  • BdFileSpy.sys
  • bdfm.sys
  • bdfsfltr.sys
  • caavFltr.sys
  • catflt.sys
  • cmdguard.sys
  • csaav.sys
  • cwdriver.sys
  • dkprocesshacker.sys
  • drivesentryfilterdriver2lite.sys
  • dwprot.sys
  • eamonm.sys
  • eeCtrl.sys
  • eeyehv.sys
  • eeyehv64.sys
  • eraser.sys
  • EstRkmon.sys
  • EstRkr.sys
  • fildds.sys
  • fortimon2.sys
  • fortirmon.sys
  • fortishield.sys
  • fpav_rtp.sys
  • fsfilter.sys
  • fsgk.sys
  • ggc.sys
  • HookCentre.sys
  • HookSys.sys
  • ikfilesec.sys
  • ino_fltr.sys
  • issfltr.sys
  • issregistry.sys
  • K7Sentry.sys
  • klbg.sys
  • kldback.sys
  • kldlinf.sys
  • kldtool.sys
  • klif.sys
  • kmkuflt.sys
  • KmxAgent.sys
  • KmxAMRT.sys
  • KmxAMVet.sys
  • KmxStart.sys
  • lbd.sys
  • MaxProtector.sys
  • mbam.sys
  • mfehidk.sys
  • mfencoas.sys
  • MiniIcpt.sys
  • mpFilter.sys
  • NanoAVMF.sys
  • NovaShield.sys
  • nprosec.sys
  • nregsec.sys
  • nvcmflt.sys
  • NxFsMon.sys
  • OADevice.sys
  • OMFltLh.sys
  • PCTCore.sys
  • PCTCore64.sys
  • pervac.sys
  • PktIcpt.sys
  • PLGFltr.sys
  • PSINFILE.SYS
  • PSINPROC.SYS
  • pwipf6.sys
  • PZDrvXP.sys
  • Rtw.sys
  • rvsmon.sys
  • sascan.sys
  • savant.sys
  • savonaccess.sys
  • SCFltr.sys
  • SDActMon.sys
  • SegF.sys
  • shldflt.sys
  • SMDrvNt.sys
  • snscore.sys
  • Spiderg3.sys
  • SRTSP.sys
  • SRTSP64.SYS
  • SRTSPIT.sys
  • ssfmonm.sys
  • ssvhook.sys
  • STKrnl64.sys
  • strapvista.sys
  • strapvista64.sys
  • THFilter.sys
  • tkfsavxp.sys
  • tkfsavxp64.sys
  • tkfsft.sys
  • tkfsft64.sys
  • tmevtmgr.sys
  • tmpreflt.sys
  • UFDFilter.sys
  • v3engine.sys
  • V3Flt2k.sys
  • V3Flu2k.sys
  • V3Ift2k.sys
  • V3IftmNt.sys
  • V3MifiNt.sys
  • Vba32dNT.sys
  • vcdriv.sys
  • vchle.sys
  • vcMFilter.sys
  • vcreg.sys
  • vradfil2.sys
  • ZxFsFilt.sys

Related encyclopedia entries

Trojan:Win32/Necurs

Rogue:Win32/Winwebsec

Analysis by Tim Liu


Symptoms

The following could indicate that you have this threat on your PC:

  • Your installed security application does not run correctly or does not run at all
  • You have this file: <system folder>\drivers\<random number>.sys
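
A triage check for the second symptom above, written here as an added example rather than anything from the encyclopedia entry: it looks through the drivers folder for a .sys file whose base name is only digits, the naming pattern this entry describes (for example 48142.sys). The SystemRoot fallback and the sample listing are assumptions constructed for the example; a match is a lead to investigate, not a verdict.

```python
import os
import re
from typing import Iterable, List, Optional

# The dropped driver described on this page has a file name made up only of
# digits with a .sys extension, for example 48142.sys.
NECURS_DRIVER_NAME = re.compile(r"^\d+\.sys$", re.IGNORECASE)


def find_suspect_drivers(file_names: Iterable[str]) -> List[str]:
    """Return the names in file_names that follow the all-digit .sys pattern.

    Legitimate Windows drivers carry descriptive names (ntfs.sys, tcpip.sys),
    so an all-digit name in the drivers folder deserves a closer look.
    Result is sorted so callers get a stable order.
    """
    return sorted(n for n in file_names if NECURS_DRIVER_NAME.match(n))


def scan_drivers_folder(system_root: Optional[str] = None) -> List[str]:
    """Scan <system folder>\\drivers on a live Windows host.

    Assumption: the standard %SystemRoot%\\System32\\drivers layout. On a
    non-Windows host (or if the folder is missing) an empty list is returned.
    """
    root = system_root or os.environ.get("SystemRoot", r"C:\Windows")
    drivers = os.path.join(root, "System32", "drivers")
    if not os.path.isdir(drivers):
        return []
    return find_suspect_drivers(os.listdir(drivers))


# Constructed sample listing (not taken from a real host): legitimate driver
# names plus two names that match the pattern and one that almost does.
SAMPLE_LISTING = [
    "ntfs.sys", "tcpip.sys", "48142.sys", "klif.sys",
    "9031.sys", "mpFilter.sys", "abc123.sys",
]

if __name__ == "__main__":
    print("sample hits:", find_suspect_drivers(SAMPLE_LISTING))
    print("live hits:  ", scan_drivers_folder())
```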

Prevention


Alert level: Severe
First detected by definition: 1.105.32.0
Latest detected by definition: 1.175.509.0 and higher
First detected on: May 19, 2011
This entry was first published on: May 19, 2011
This entry was updated on: Nov 16, 2014

This threat is also detected as:
  • Mal/Necurs-A (Sophos)
  • RTKT_NECURS.SMA (Trend Micro)
  • Trojan.Hosts.5268 (Dr.Web)
  • Trojan.Win32.Genome.aglua (Kaspersky)
  • Trojan.WinNT.Necurs (Ikarus)
  • Win32/SpamTool.Tedroo.AS (ESET)