Researchers have discovered a Gameover variant of the Zeus trojan that has been modified to include the Necurs rootkit, which makes the malware tougher to detect and remove by protecting files on the disk and memory.

“Once active, the rootkit protects the Gameover malware so that you can't delete it,” James Wyke, senior threat researcher with SophosLabs UK, wrote in a Feb. 27 post. “It also stops you killing off the Gameover process.”

This version of Gameover is delivered through fake invoice spam that contains Upatre downloader malware, Wyke wrote, explaining that the downloader unscrambles and launches an obfuscated and compressed copy of the malware.

The malware installs to the Application Data directory and is tied to the victim's computer, so it cannot be run anywhere else for analysis, Wyke wrote.