Installation
It is downloaded onto your PC via a drive-by download when you access compromised or infected websites.
It can be installed on its own or alongside rogue security software, such as Rogue:Win32/Winwebsec. We have also observed it being installed by variants of the Blacole family, the Win32/Beebone family, the Win32/Zbot family, and the Win32/Dorkbot family.
The malware downloads itself into the folder %windir%\Installer\<random GUID>, where <random GUID> is a unique number that identifies your PC, for example %windir%\Installer\{df3d9e18-342c-8c07-8dab-13e76d8b4322}.
In the wild, we have seen it use the name syshost.exe and one of the following icons:
The threat tries to install itself as an auto-starting Windows service to run automatically after your PC restarts.
If this service installation fails, Trojan:Win32/Necurs changes the following registry entry to ensure that its copy runs at each Windows start:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "syshost32"
With data: "%windir%\Installer\<random GUID>\syshost.exe"
We have also seen some variants of
Trojan:Win32/Necurs disabling your firewall.
Payload
Disables security software
Variants of the threat drop and run an additional component, detected as Trojan:WinNT/Necurs.A. This component prevents a large number of security applications from functioning correctly, including applications from the following companies:
- Agnitum
- ALWIL
- Avira
- Beijing Jiangmin
- Beijing Rising
- BitDefender
- BullGuard
- Check Point Software Technologies
- CJSC Returnil
- Comodo Security Solutions
- Doctor Web
- ESET
- FRISK
- G DATA
- GRISOFT
- Immunet
- K7 Computing
- Kaspersky Lab
- Microsoft
- NovaShield
- Panda
- PC Tools
- Quick Heal Technologies
- Sunbelt
- Symantec
- VirusBuster
The component can run on both 32-bit and 64-bit systems.
Contacts remote hosts
Trojan:Win32/Necurs contacts a remote host for command and control instructions via HTTP port 80.
The malware's authors frequently update the list of hosts, however we have seen it trying to connect to the following URLs:
- hxxp://pbmwtovcjeyvnauw.in/cgi-bin/auth.cgi
- hxxp://dnsplast.com/cgi-bin/auth.cgi
Commonly, malware might contact a remote host for the following purposes:
- To confirm Internet connectivity
- To report a new infection to its author
- To receive configuration or other data
- To download and run arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected PC, including:
- The version of Windows you are using
- Information about the region and language settings of your PC
- Information about Trojan:Win32/Necurs's installation or configuration
In older variants Trojan:Win32/Necurs can be used to download rogue security software, such as Rogue:Win32/Winwebsec.
Newer variants have been observed receiving and loading a malicious DLL component from the remote host for the purpose of sending spam emails via Gmail.
Trojan:Win32/Necurs saves a copy of the component as <random GUID>.tmps to the %TEMP% folder, for example %TEMP%\7ea7a638-d659-97f6-31a1-3ce2eaf08942.tmps.
The component gets your PC's external IP address which it sends back to the remote host.
The component then receives information from the remote host which it uses to send spam emails via Gmail.
Additional information
Some variants of Trojan:Win32/Necurs can inject code into all running processes. The injected code is known as a "dead byte"; certain system processes will cause your PC to restart if they are injected with this code.
When dropping the Trojan:WinNT/Necurs.A component on a 64-bit PC, Trojan:Win32/Necurs bypasses kernel patch protection (commonly known as "PatchGuard").
All data sent and received by Trojan:Win32/Necurs is encrypted and signed with an MD5 or SHA1 encryption key.
Related encyclopedia entries
Rogue:Win32/Winwebsec
Trojan:WinNT/Necurs.A
Win32/Sirefef
Win32/Medfos
Blacole
Win32/Beebone
Win32/Dorkbot
Win32/Zbot
Analysis by Tim Liu
