Also detected as:
RTKT_NECURS.SMA (Trend Micro),
The following could indicate that you have this threat on your PC:
detects and removes this threat.
This trojan can stop a number of security programs from working on your PC. It can also monitor what you do online.
It can be installed by other members of the Trojan:Win32/Necurs family or by rogue security software, like Rogue:Win32/Winwebsec.
Find out ways that malware can get on your PC.
The following free Microsoft software detects and removes this threat:
Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.
You can also visit the Microsoft virus and malware community for more help.
If you’re using Windows XP, see our Windows XP end of support page.
Trojan:WinNT/Necurs.A is dropped, installed and run by other malware, usually variants of the Trojan:Win32/Necurs family.
The trojan is dropped to the folder <system folder>\drivers. It uses a file name made up of random numbers and a .sys extension, for example 48142.sys.
Monitors system security access
Trojan:WinNT/Necurs.A monitors access to your PC registry to prevent modification or removal of its registry entries.
It can manipulate network traffic. For example, it can redirect web (HTTP) connections to the remote attacker for certain purposes, like filtering specific traffic or redirecting websites.
Disables security software
Trojan:WinNT/Necurs.A prevents a large list of security applications from functioning correctly, including applications from the following companies:
Trojan:WinNT/Necurs.A hooks the following APIs to hinder detection and removal of the trojan:
The trojan prevents the following security-related files from loading to enable its payload:
Analysis by Tim Liu
Take these steps to help prevent infection on your PC.
I want to...
Note: Your feedback is very important to us, however, we do not respond to individual submissions through this channel.
If you require support, please visit the
Safety & Security Center.