The Necurs Trojan is capable of:
- Modifying the computer's registry in order to make itself start after every reboot.
- Dropping additional components that prevents a large number of security applications from functioning correctly, including the ones manufactured by Avira, Kaspersky Lab, Symantec and Microsoft. According to Microsoft's researchers, Microsoft Security Essentials' real time protection option is often turned off after an infected computer has been rebooted.
- Disabling the running firewall
- Contacting a remote host for command and control instructions via HTTP port 80, and sometimes downloading and installing additional malware (mostly rogue AVs) and loading a malicious DLL component that allows attackers to send out spam via Gmail.
- Creating a permanent backdoor into the system, which allows attackers to gain complete control of the affected computer.
According to Microsoft researchers, the current proliferation of this particular malware family is due to the fact that it is being distributed largely by drive-by download, from websites hosting a variety of exploit kits, including the ever-popular Blackhole.
Microsoft offers a handy document that explains the malware's characteristics, the symptoms that a computer infected with Necurs would show, tips on preventing getting infected and on removing the threat if one finds it on their computer.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.