Multipurpose Necurs Trojan infects over 83,000 computers

The polivalent Necurs malware family has been wreaking havoc in November by infecting over 83,000 unique computers – and that are only the ones detected by Microsoft’s solutions!

The Necurs Trojan is capable of:

• Modifying the computer’s registry in order to make itself start after every reboot.
• Dropping additional components that prevents a large number of security applications from functioning correctly, including the ones manufactured by Avira, Kaspersky Lab, Symantec and Microsoft. According to Microsoft’s researchers, Microsoft Security Essentials’ real time protection option is often turned off after an infected computer has been rebooted.
• Disabling the running firewall
• Contacting a remote host for command and control instructions via HTTP port 80, and sometimes downloading and installing additional malware (mostly rogue AVs) and loading a malicious DLL component that allows attackers to send out spam via Gmail.
• Creating a permanent backdoor into the system, which allows attackers to gain complete control of the affected computer.

Necurs uses MD5 and SHA1 to encrypt its network traffic data when sending or receiving, and contains a regularly updated driver that protects every Necurs component from being removed

According to Microsoft researchers, the current proliferation of this particular malware family is due to the fact that it is being distributed largely by drive-by download, from websites hosting a variety of exploit kits, including the ever-popular Blackhole.

Microsoft offers a handy document that explains the malware’s characteristics, the symptoms that a computer infected with Necurs would show, tips on preventing getting infected and on removing the threat if one finds it on their computer.