Trojan:WinNT/Necurs, rootkit and Advanced PC Shield 2012


One of the computers in my office got infected by Trojan:WinNT/Necurs. It installed a rootkit.
Hidden service: 501fe1599aea8c1.sys
File location C:\WINDOWS\System32\Drivers\501fe1599aea8c1.sys

As if that wasn’t bad enough, the virus also installed a fake antivirus product called Advanced PC Shield 2012. Here’s what it looks like:

Comodo Antivirus didn’t detect this malware. Malwarebytes and some other tools won’t even run. TDSSKiller found a suspicious service but was unable to cure it. I managed to find the dropper. The malicious system file was locked; however, I was able to make a copy of it using GMER. I don’t know how to send those files to you guys, so I attached them here. Archive password = infected

Please update your antivirus software. I do not want to run into this again. Thanks!!!
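Added note, not part of the original post or of any Comodo tool: the post above describes a hidden driver service with a random-looking name living in System32\Drivers. One check a responder can run before reaching for a dedicated rootkit scanner is to compare the kernel-driver entries under HKLM\SYSTEM\CurrentControlSet\Services with what the Service Control Manager is willing to enumerate, and to verify the Authenticode signature of each driver image. The script below does that; the "random hex name" heuristic and the flagging rules are this example's own assumptions, and the registry key names come from the live machine it is run on.

```powershell
# Added example (not from the original post or from Comodo/GMER/TDSSKiller).
# Cross-check kernel-driver services in the registry against the SCM's view
# and verify driver image signatures. Run from an elevated PowerShell prompt.

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Drivers the Service Control Manager is willing to enumerate
$scmDrivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Select-Object -ExpandProperty Name

# Expand a raw ImagePath registry value into an absolute on-disk path.
# Handles the common forms: "\SystemRoot\...", "\??\C:\...", "System32\drivers\x.sys"
function Resolve-DriverPath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^\\\?\?\\', ''
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$findings = foreach ($key in Get-ChildItem -Path $svcRoot) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    # Type 1 = kernel driver, Type 2 = file-system driver; skip user-mode services
    if ($props.Type -notin 1, 2) { continue }

    $name   = $key.PSChildName
    $path   = Resolve-DriverPath $props.ImagePath
    $onDisk = $path -and (Test-Path -LiteralPath $path)
    $sig    = if ($onDisk) { [string](Get-AuthenticodeSignature -FilePath $path).Status } else { 'NoFile' }

    [pscustomobject]@{
        Service      = $name
        ImagePath    = $path
        Start        = $props.Start            # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        VisibleToSCM = ($scmDrivers -contains $name)
        Signature    = $sig
        # Assumption (heuristic): a service name that is just a long hex string,
        # like the 501fe1599aea8c1 in the post above, is unusual for a vendor driver
        RandomName   = ($name -match '^[0-9a-f]{12,}$')
    }
}

# Flag anything the SCM does not list, anything without a valid signature,
# and anything with a random-looking name. Review the rest by hand.
$suspect = $findings | Where-Object {
    (-not $_.VisibleToSCM) -or ($_.Signature -ne 'Valid') -or $_.RandomName
}
$suspect | Sort-Object VisibleToSCM, Signature | Format-Table -AutoSize
```

Two caveats. A kernel-mode rootkit that is already running can hide its registry key from the very cmdlets this script uses, which is why the poster's GMER copy and an offline (boot-media) comparison of the Services hive are the real ground truth; a clean result here only means nothing was visible from inside the compromised OS. Second, on old systems (the post's Windows XP era) many legitimate drivers are catalog-signed in a way Get-AuthenticodeSignature does not resolve, so expect a long list of NotSigned entries there and treat signature status as a prioritisation aid, not a verdict.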

mod edit: removed malware file and submitted to comodo, thanks.

How do you have CIS configured? This should have easily been stopped by the sandbox/D+.

Next time you want to submit malware to Comodo please follow Submit Malware Here To Be Blacklisted - 2011 (NO LIVE MALWARE!) to submit.

Just use the AVP tool…

Fill in the short form and the download will start… Install, update and scan… and choose to delete if disinfection is not possible :wink: