
Trojan.Necurs.A

Posted: September 30, 2011

Threat Metric

Ranking: 14,614
Threat Level: 8/10
Infected PCs: 2,298
First Seen: September 30, 2011
Last Seen: July 31, 2023
OS(es) Affected: Windows

Trojan.Necurs.A is a member of a family of rootkits with backdoor and downloader functions, which let them compromise your PC's security for remote control and install specialized threats for other attacks. Only limited information about Trojan.Necurs.A is currently available, but malware researchers have noticed its presence in recent payloads of Trojan Zeus, a widely distributed and regularly updated spyware Trojan that focuses on compromising bank accounts. Targeted e-mail attacks and drive-by-downloads from harmful websites are the two distribution methods that seem to be responsible for the new rise in Trojan.Necurs.A infections, and malware experts consider the removal of Trojan.Necurs.A with reliable anti-malware products to be an urgent priority for your PC's safety.

The Trojan that's Happy to Weave a Curse on Your PC's Security

Trojan.Necurs.A is one of the newest versions of Necurs to be distributed with some help from other high-level PC threats. Past Necurs attacks have involved such hazards as the Blackhole Exploit Kit (a drive-by-download attacker) and WinWebSec (a family of fake security programs), whereas Trojan.Necurs.A is primarily associated with a rise in United States-targeted e-mail attacks. These attacks use fake delivery notifications and similar formats to trick victims into opening a harmful file attachment containing the Trojan Upatre. Upatre installs a variant of Zeus, which you'll know about if you've read many of our previous articles, and Zeus in turn installs Trojan.Necurs.A (besides being a potent banking Trojan, Zeus also includes functions for downloading other threats).

Trojan.Necurs.A's full capabilities are still under analysis, although malware experts estimate that Trojan.Necurs.A is most likely intended to be an anti-security measure for protecting other PC threats installed by the same e-mail. Trojan.Necurs.A may block security programs, open a backdoor on your PC to let criminals access it, install new types of risky software or upload data stolen by other means to a criminal-controlled server.

Even though Necurs rootkits are sometimes involved with payloads that show major symptoms, like WinWebSec, these latest attacks with Trojan.Necurs.A all use PC threats that try to hide themselves. As a result, symptoms of the infection may be minimal – especially without anti-malware utilities to detect Trojan.Necurs.A.

Dispelling Trojan.Necurs.A Before It Can Expel Your Money

Trojan.Necurs.A and the other threats related to it are especially well known for the advanced programming involved in their attacks and anti-security features, and also for targeting personal information such as the passwords for your bank account. Even though you may not see any obvious signs of something wrong with your computer, malware experts always consider a Trojan.Necurs.A infection to be a high-level security and privacy hazard. Deleting Trojan.Necurs.A immediately, and with proper anti-malware tools, is paramount for the future security of any infected computer.

By the raw number of infections, these recent attacks using Trojan.Necurs.A installations are distinctly an issue for the United States. Other countries have also been targeted, although in much smaller numbers than the US. No matter where you live, opening an e-mail attachment without first confirming its safety is never wise, and malware experts consider it best to scan any suspicious attachment to block Trojan.Necurs.A, Zeus or other threats from sneaking onto your hard drive.

Aliases

Trj/Dtcontx.D [Panda]
Generic32.BSSV [AVG]
W32/Kryptik.AYQT [Fortinet]
Mal/Generic-S [Sophos]
TR/Symmi.18765 [AntiVir]
Trojan-Dropper.Win32.Necurs.pfa [Kaspersky]
PWS-Zbot-FASG!23C68A52087F [McAfee]
Dropper.Generic8.WEG [AVG]
TR/Crypt.ZPACK.Gen [AntiVir]
Trojan-Dropper.Win32.Necurs.pfc [Kaspersky]
BackDoor.Generic15.CMMC [AVG]
Win-Trojan/Necurs.59776 [AhnLab-V3]
TrojWare.Win32.UMal.~A [Comodo]
Troj/Necurs-M [Sophos]
Rootkit.Win32.Necurs.he [Kaspersky]

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



