TROJ_NECURS.EE
Trojan:Win32/Necurs(Microsoft), a variant of Win32/Kryptik.BKUG trojan(NOD32)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes itself after execution.
TECHNICAL DETAILS
52,736 bytes
EXE
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following copies of itself into the affected system:
- %Windows%\Installer\{UID}\syshost.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows.)
Autostart Technique
This Trojan registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32
39986757974eff1 = "{random hex values}"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32
75bffdfcb2ffecfb = "{random hex values}"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32
ab666b181a0e1a89 = "{random hex values}"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32
d343c628ffe8d1ad = "{random hex values}"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32
ErrorControl = "0"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32
ImagePath = ""%Windows%\Installer\{UID}\syshost.exe" /service"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32
ObjectName = "LocalSystem"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32
Start = "2"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32
Type = "16"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32\Enum
0 = "Root\LEGACY_SYSHOST32\0000"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32\Enum
Count = "1"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32\Enum
NextInstance = "1"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32\Security
Security = "{random hex values}"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32
NextInstance = "1"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32\
0000
Class = "LegacyDriver"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32\
0000
ClassGUID = "{GUID}"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32\
0000
ConfigFlags = "0"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32\
0000
DeviceDesc = "syshost32"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32\
0000
Legacy = "1"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32\
0000
Service = "syshost32"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32\
0000\Control
ActiveService = "syshost32"
It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32\Enum
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\syshost32\Security
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32\
0000
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Enum\Root\LEGACY_SYSHOST32\
0000\Control
Other System Modifications
This Trojan creates the following registry entry(ies) to bypass Windows Firewall:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DoNotAllowExceptions = "0"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
DoNotAllowExceptions = "0"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
EnableFirewall = "0"
Other Details
This Trojan connects to the following possibly malicious URL:
- http://customer.{BLOCKED}tream.nl
It deletes itself after execution.