RTKT_NECURS.BGSF

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be dropped by other malware.

It deletes the initially executed copy of itself.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be dropped by the following malware:

• TSPY_ZBOT.TYZAR
• TSPY_ZBOT.EFNA

Installation

This Trojan drops the following copies of itself into the affected system:

• %System%\drivers\{random}.sys

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Rootkit Capabilities

This Trojan is used by other malware for its rootkit functionalities.

Other Details

This Trojan deletes the initially executed copy of itself

NOTES:

This Trojan disables services used by the following companies by modifying its code to return to unsuccessful status:

• Agnitum Ltd
• ALWIL Software
• PC Tools
• GRISOFT, s.r.o.
• Avira GmbH
• BITDEFENDER LLC
• BitDefender SRL
• Comodo Inc
• Doctor Web Ltd
• ESET, spol. s r.o.
• FRISK Software International Ltd
• Kaspersky Lab
• Panda Software International
• Check Point Software Technologies Ltd
• BullGuard Ltd
• antimalware
• NovaShield Inc
• CJSC Returnil Software
• Anti-Virus
• Sophos Plc
• Comodo Security Solutions
• Quick Heal Technologies
• G DATA Software
• Beijing Rising
• Immunet Corporation
• K7 Computing
• Sunbelt Software
• SUNBELT SOFTWARE
• Beijing Jiangmin
• VirusBuster Ltd
• KProcessHacker

This Trojan disables drivers with the following names by modifying its code to return to unsuccessful status:

• eeCtrl.sys
• eraser.sys
• SRTSP.sys
• SRTSPIT.sys
• SRTSP64.SYS
• a2gffx86.sys
• a2gffx64.sys
• a2gffi64.sys
• a2acc.sys
• a2acc64.sys
• mbam.sys
• eamonm.sys
• MaxProtector.sys
• SDActMon.sys
• tmevtmgr.sys
• tmpreflt.sys
• vcMFilter.sys
• drivesentryfilterdriver2lite.sys
• mpFilter.sys
• PSINPROC.SYS
• PSINFILE.SYS
• amfsm.sys
• amm8660.sys
• amm6460.sys
• caavFltr.sys
• ino_fltr.sys
• avmf.sys
• PLGFltr.sys
• AshAvScan.sys
• csaav.sys
• SegF.sys
• eeyehv.sys
• eeyehv64.sys
• NovaShield.sys
• BdFileSpy.sys
• tkfsft.sys
• tkfsft64.sys
• tkfsavxp.sys
• tkfsavxp64.sys
• SMDrvNt.sys
• ATamptNt.sys
• V3Flt2k.sys
• V3MifiNt.sys
• V3Ift2k.sys
• V3IftmNt.sys
• ArfMonNt.sys
• AhnRghLh.sys
• AszFltNt.sys
• OMFltLh.sys
• V3Flu2k.sys
• vcdriv.sys
• vcreg.sys
• vchle.sys
• NxFsMon.sys
• AntiLeakFilter.sys
• NanoAVMF.sys
• shldflt.sys
• nprosec.sys
• nregsec.sys
• issregistry.sys
• THFilter.sys
• pervac.sys
• avgmfx86.sys
• avgmfx64.sys
• avgmfi64.sys
• avgmfrs.sys
• fortimon2.sys
• fortirmon.sys
• fortishield.sys
• savonaccess.sys
• OADevice.sys
• pwipf6.sys
• EstRkmon.sys
• EstRkr.sys
• dwprot.sys
• Spiderg3.sys
• STKrnl64.sys
• UFDFilter.sys
• SCFltr.sys
• fildds.sys
• fsfilter.sys
• fpav_rtp.sys
• cwdriver.sys
• Rtw.sys
• HookSys.sys
• snscore.sys
• ssvhook.sys
• strapvista.sys
• strapvista64.sys
• sascan.sys
• savant.sys
• vradfil2.sys
• fsgk.sys
• PCTCore64.sys
• PCTCore.sys
• ikfilesec.sys
• ZxFsFilt.sys
• antispyfilter.sys
• PZDrvXP.sys
• ggc.sys
• catflt.sys
• kmkuflt.sys
• mfencoas.sys
• mfehidk.sys
• cmdguard.sys
• K7Sentry.sys
• nvcmflt.sys
• issfltr.sys
• AVCKF.SYS
• bdfsfltr.sys
• bdfm.sys
• AVC3.SYS
• aswmonflt.sys
• HookCentre.sys
• PktIcpt.sys
• MiniIcpt.sys
• avgntflt.sys
• klbg.sys
• kldback.sys
• kldlinf.sys
• kldtool.sys
• klif.sys
• lbd.sys
• rvsmon.sys
• ssfmonm.sys
• KmxAgent.sys
• KmxAMRT.sys
• KmxAMVet.sys
• KmxStart.sys
• ahnflt2k.sys
• AhnRec2k.sys
• AntiyFW.sys
• v3engine.sys
• Vba32dNT.sys
• kprocesshacker.sys