A forum for reverse engineering, OS internals and malware analysis 

 #17064  by AaLl86
 Fri Dec 07, 2012 9:27 am
RageMachine wrote:I found this on a system, very interesting and runs as a service on the target system. Was unable to kill the PID using all methods of force I knew (TerminateProcess, terminating threads, closing handles, WM_DESTROY, attaching a debugger and then killing it). It prevents the target user from launching new devices on the system, and its root dir in C:\Windows\Installer is untouchable. Defeated by removing the registry key from Windows repair.
* Enables driver test signing mode
* Installs two drivers and makes keys under HKLM\System\CurrentControlSet****\Services\
* Has target of syshost.exe in C:\windows\installer\{ }\
* Removes Windows Update-related services including bits\wuauserv
* Prevents loading of new drivers and continually closes handles to its files and keys
Very interesting by the way... I'll certainly try it... Thanks for sharing!!!
Andrea
 #17437  by kmd
 Sat Dec 29, 2012 10:46 am
hate to say that, but there is nothing *fresh* in this investigation.

excuse me, but everything except the not really meaningful parts about the loader (which now comes with about every rootkit) was already posted by

I. Kaspersky lab http://www.securelist.com/en/blog?print ... blogid=473
II. this forum http://www.kernelmode.info/forum/viewto ... 7&start=10
http://www.kernelmode.info/forum/viewto ... =14&t=1177

does it really need to reinvent the wheel for your blog posts?
or are we going now like it was before in the TDL3 case - posting numerous articles about the same?
 #17439  by EP_X0FF
 Sat Dec 29, 2012 11:20 am
kmd wrote:hate to say that, but there is nothing *fresh* in this investigation.

excuse me, but everything except the not really meaningful parts about the loader (which now comes with about every rootkit) was already posted by

I. Kaspersky lab http://www.securelist.com/en/blog?print ... blogid=473
II. this forum http://www.kernelmode.info/forum/viewto ... 7&start=10
http://www.kernelmode.info/forum/viewto ... =14&t=1177

does it really need to reinvent the wheel for your blog posts?
or are we going now like it was before in the TDL3 case - posting numerous articles about the same?
If so then it is frustrating and disappointing.
 #17441  by rkhunter
 Sat Dec 29, 2012 11:55 am
kmd wrote:hate to say that, but there is nothing *fresh* in this investigation.

excuse me, but everything except the not really meaningful parts about the loader (which now comes with about every rootkit) was already posted by

I. Kaspersky lab http://www.securelist.com/en/blog?print ... blogid=473
II. this forum http://www.kernelmode.info/forum/viewto ... 7&start=10
http://www.kernelmode.info/forum/viewto ... =14&t=1177

does it really need to reinvent the wheel for your blog posts?
or are we going now like it was before in the TDL3 case - posting numerous articles about the same?
Your criticism is very important, thank you. Hope there are a lot of people who love my research and can gain useful info.