arrow_back
search
close

TROJ_NECURS.EE

September 30, 2013
 Analysis by: Andrei Castillo
 ALIASES:

Trojan:Win32/Necurs(Microsoft), a variant of Win32/Kryptik.BKUG trojan(NOD32)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes itself after execution.

  TECHNICAL DETAILS

File Size:

52,736 bytes

File Type:

EXE

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

  • %Windows%\Installer\{UID}\syshost.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

Autostart Technique

This Trojan registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32
39986757974eff1 = "{random hex values}"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32
75bffdfcb2ffecfb = "{random hex values}"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32
ab666b181a0e1a89 = "{random hex values}"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32
d343c628ffe8d1ad = "{random hex values}"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32
ErrorControl = "0"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32
ImagePath = ""%Windows%\Installer\{UID}\syshost.exe" /service"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32
Start = "2"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32
Type = "16"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32\Enum
0 = "Root\LEGACY_SYSHOST32\0000"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32\Enum
Count = "1"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32\Enum
NextInstance = "1"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32\Security
Security = "{random hex values}"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32
NextInstance = "1"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32\
0000
Class = "LegacyDriver"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32\
0000
ClassGUID = "{GUID}"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32\
0000
ConfigFlags = "0"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32\
0000
DeviceDesc = "syshost32"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32\
0000
Legacy = "1"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32\
0000
Service = "syshost32"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32\
0000\Control
ActiveService = "syshost32"

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32\Enum

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32\Security

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32\
0000

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32\
0000\Control

Other System Modifications

This Trojan creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DoNotAllowExceptions = "0"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
DoNotAllowExceptions = "0"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
EnableFirewall = "0"

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://customer.{BLOCKED}tream.nl

It deletes itself after execution.