Also detected as: RTKT_NECURS.SMA (Trend Micro)
The following could indicate that you have this threat on your PC:
This trojan can stop a number of security programs from working on your PC. It can also monitor what you do online.
It can be installed by other members of the Trojan:Win32/Necurs family or by rogue security software, like Rogue:Win32/Winwebsec.
The following free Microsoft software detects and removes this threat:
Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.
You can also visit the Microsoft virus and malware community for more help.
If you’re using Windows XP, see our Windows XP end of support page.
Trojan:WinNT/Necurs.A is dropped, installed and run by other malware, usually variants of the Trojan:Win32/Necurs family.
The trojan is dropped to the folder <system folder>\drivers. It uses a file name made up of random numbers and a .sys extension, for example 48142.sys.
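The naming pattern described above can be turned into a triage check. The following is an added example, not Microsoft's detection logic: it lists files in a drivers folder whose names are digits only plus a .sys extension and records their size, modification time and SHA-256 for follow-up. The function names are hypothetical, the folder path is supplied by the analyst, and the sample files are constructed.

```python
import hashlib
import re
from pathlib import Path

# Heuristic taken from the description: digits-only file name with a .sys extension.
NUMERIC_SYS = re.compile(r"^[0-9]+\.sys$", re.IGNORECASE)

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large drivers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_numeric_drivers(drivers_dir):
    """Return triage records for numeric-named .sys files directly inside drivers_dir."""
    records = []
    for entry in sorted(Path(drivers_dir).iterdir()):
        if not entry.is_file() or not NUMERIC_SYS.match(entry.name):
            continue
        try:
            st = entry.stat()
            digest = sha256_of(entry)
        except OSError as exc:
            # File locked or access denied: keep the lead and note the error.
            records.append({"name": entry.name, "error": str(exc)})
            continue
        records.append({"name": entry.name, "size": st.st_size,
                        "mtime": st.st_mtime, "sha256": digest})
    return records

if __name__ == "__main__":
    import sys, tempfile
    if len(sys.argv) > 1:      # path to a drivers folder, e.g. on a mounted image
        target = sys.argv[1]
    else:                      # constructed sample directory, not real driver files
        target = tempfile.mkdtemp()
        for name in ("48142.sys", "ndis.sys", "usbhub.sys"):
            Path(target, name).write_bytes(b"constructed sample")
    for rec in find_numeric_drivers(target):
        print(rec)
```

A match is a lead for further analysis, not a verdict. Because the trojan hooks APIs to hinder detection, results from an offline or mounted copy of the volume are more trustworthy than results from the running system.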
Monitors system security access
Trojan:WinNT/Necurs.A monitors access to the registry on your PC to prevent modification or removal of its registry entries.
It can manipulate network traffic. For example, it can redirect web (HTTP) connections to the remote attacker for certain purposes, like filtering specific traffic or redirecting websites.
Disables security software
Trojan:WinNT/Necurs.A prevents a large list of security applications from functioning correctly, including applications from the following companies:
Trojan:WinNT/Necurs.A hooks the following APIs to hinder detection and removal of the trojan:
The trojan prevents the following security-related files from loading to enable its payload:
Analysis by Tim Liu