System Infected: Trojan.Necurs Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Trojan.Necurs activity on the infected machine.

Additional Information

Trojan.Necurs drops the following file:

%windir%\installer\{GUID}\syshost.exe

where {GUID} is a random 16-digit hexadecimal number.

It installs its dropped file as a service with the display name "Syshost.exe" and the group name "Boot Bus Extender". Installing itself as a service allows it to run every time Windows starts.
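
One way to triage a service inventory against the three indicators above, as an added example that is not Symantec's signature logic. The records mirror the ImagePath, DisplayName and Group values stored under each service's registry key; the service names and sample values are constructed, and the accepted spellings of the Windows directory are an assumption.

```python
import re

# Path from the page: %windir%\installer\{GUID}\syshost.exe with a 16-hex-digit
# {GUID}. The accepted spellings of the Windows directory are an assumption.
PATH_RE = re.compile(
    r'^(?:\\\?\?\\)?(?:%windir%|%systemroot%|\\systemroot|[a-z]:\\windows)'
    r'\\installer\\\{[0-9a-f]{16}\}\\syshost\.exe$', re.IGNORECASE)

def normalize_image_path(image_path):
    """Strip surrounding quotes and trailing arguments from an ImagePath."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end != -1 else p[1:]
    m = re.match(r'^(.*?\.exe)(?:\s|$)', p, re.IGNORECASE)
    return m.group(1) if m else p

def necurs_indicators(service):
    """List which of the page's three indicators a service record matches."""
    hits = []
    if PATH_RE.match(normalize_image_path(service.get("ImagePath", ""))):
        hits.append("image_path")
    if service.get("DisplayName", "").strip().lower() == "syshost.exe":
        hits.append("display_name")
    if service.get("Group", "").strip().lower() == "boot bus extender":
        hits.append("group")
    return hits

def triage(services):
    """Return {service name: indicators} for records that need review."""
    findings = {}
    for name, svc in services.items():
        hits = necurs_indicators(svc)
        # Legitimate boot drivers also use the "Boot Bus Extender" group, so a
        # group match alone is not reported.
        if hits and hits != ["group"]:
            findings[name] = hits
    return findings

# Constructed sample records (hypothetical service names and values).
SAMPLE_SERVICES = {
    "pci": {"ImagePath": r"\SystemRoot\System32\drivers\pci.sys",
            "DisplayName": "PCI Bus Driver", "Group": "Boot Bus Extender"},
    "syshost32": {"ImagePath": r'"C:\Windows\Installer\{0A1B2C3D4E5F6071}\syshost.exe"',
                  "DisplayName": "Syshost.exe", "Group": "Boot Bus Extender"},
    "updsvc": {"ImagePath": r"\??\C:\WINDOWS\installer\{ffeeddccbbaa9988}\SYSHOST.EXE /svc",
               "DisplayName": "Update Helper", "Group": ""},
}
```

The path match is the strongest of the three indicators; the display name and group only raise confidence when they appear alongside it.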

Affected

  • Various Microsoft Windows platforms