Virus:TR/KillAV.FT
Date discovered:27/09/2005
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:98,304 Bytes
MD5 checksum:e7ea0b0fac0d30110346912c02f14f50
VDF version:6.32.0.45

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan.Win32.KillAV.ft
   •  VirusBuster: Trojan.KillAV.CE
   •  Bitdefender: Trojan.Win32.KillAV.FT


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows 2000
   • Windows XP


Side effects:
   • Disable security applications
   • Downloads files
   • Lowers security settings

Files
It copies itself to the following location:
   • %ALLUSERSPROFILE%\start menu\programs\startup\office.exe



It copies the following files:
    •  %malware execution directory%\data.dat into %TEMPDIR%\setup.msi
    •  %malware execution directory%\setup.dat into %TEMPDIR%\setup.exe
    •  %malware execution directory%\setup.ini into %TEMPDIR%\setup.ini



It deletes the following files:
   • %TEMPDIR%\setup.msi
   • %TEMPDIR%\setup.exe
   • %TEMPDIR%\setup.ini
   • C:\temp\ftp.txt
   • %WINDIR%\up.bat
   • C:\temp\un.reg



The following files are created:
   • %WINDIR%\up.bat
     It is executed as soon as it has been fully written. This batch file is used to delete the following file:
     – C:\temp\ftp.txt



It tries to download some files:

– The locations are the following:
   • 16286.**********com/update.exe
   • 19427.**********com/update.exe
   • 20984.**********com/update.exe
   • 2441.**********com/update.exe
   • 31615.**********com/update.exe
   • 33895.**********com/update.exe
   • 3556.**********com/update.exe
   • 40293.**********com/update.exe
   • 4368.**********com/update.exe
   • 44628.**********com/update.exe
   • 45612.**********com/update.exe
   • 54668.**********com/update.exe
   • 55846.**********com/update.exe
   • 58275.**********com/update.exe
   • 58949.**********com/update.exe
   • 6118.**********com/update.exe
   • 62708.**********com/update.exe
   • 67414.**********com/update.exe
   • 69655.**********com/update.exe
   • 70411.**********com/update.exe
   • 72170.**********com/update.exe
   • 75858.**********com/update.exe
   • 78401.**********com/update.exe
   • 82935.**********com/update.exe
   • 83859.**********com/update.exe
   • 84483.**********com/update.exe
   • 88198.**********com/update.exe
   • 90926.**********com/update.exe
   • 95304.**********com/update.exe
   • 99956.**********com/update.exe
   • bzeva.**********org/update.exe
   • jzcva.**********org/update.exe
   • updates.**********org/update.exe
   • zcava.**********org/update.exe
It is saved on the local hard drive as C:\temp\update.exe and is executed once the download has completed. At the time of writing this file was not online for further investigation.

– The locations are the following:
   • 16286.**********com/un.reg
   • 19427.**********com/un.reg
   • 20984.**********com/un.reg
   • 2441.**********com/un.reg
   • 31615.**********com/un.reg
   • 33895.**********com/un.reg
   • 3556.**********com/un.reg
   • 40293.**********com/un.reg
   • 4368.**********com/un.reg
   • 44628.**********com/un.reg
   • 45612.**********com/un.reg
   • 54668.**********com/un.reg
   • 55846.**********com/un.reg
   • 58275.**********com/un.reg
   • 58949.**********com/un.reg
   • 6118.**********com/un.reg
   • 62708.**********com/un.reg
   • 67414.**********com/un.reg
   • 69655.**********com/un.reg
   • 70411.**********com/un.reg
   • 72170.**********com/un.reg
   • 75858.**********com/un.reg
   • 78401.**********com/un.reg
   • 82935.**********com/un.reg
   • 83859.**********com/un.reg
   • 84483.**********com/un.reg
   • 88198.**********com/un.reg
   • 90926.**********com/un.reg
   • 95304.**********com/un.reg
   • 99956.**********com/un.reg
   • bzeva.**********org/un.reg
   • jzcva.**********org/un.reg
   • updates.**********org/un.reg
   • zcava.**********org/un.reg
It is saved on the local hard drive as C:\temp\un.reg. At the time of writing this file was not online for further investigation.
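The download lists above share one shape: a hostname whose first label is either a number or one of bzeva, jzcva, updates, zcava, followed by a request for /update.exe or /un.reg. The registered domains are masked on this page, so a proxy-log check can only key on that first label and the path. The script below is an added example written for this description, not code from the page or from Avira; the log format and the placeholder hostnames in the sample lines are constructed for the example and are not the real distribution domains.

```python
import re
from urllib.parse import urlsplit

# First hostname labels that appear in the download lists on this page. The
# registered domains are masked on the page (**********), so only the first
# label and the request path can be matched.
KNOWN_LABELS = {"bzeva", "jzcva", "updates", "zcava"}
PAYLOAD_PATHS = {"/update.exe", "/un.reg"}
NUMERIC_LABEL = re.compile(r"^\d+$")

# Assumed proxy log layout, constructed for this example:
# "<timestamp> <client ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log lines; the hostnames are placeholders, not the real
# (masked) distribution domains.
SAMPLE_LOG = """\
2005-09-27T10:01:02 10.0.0.5 GET http://16286.masked-example.com/update.exe 200
2005-09-27T10:01:03 10.0.0.5 GET http://16286.masked-example.com/un.reg 404
2005-09-27T10:02:11 10.0.0.7 GET http://updates.masked-example.org/update.exe 200
2005-09-27T10:03:00 10.0.0.9 GET http://www.vendor-example.com/update.exe 200
2005-09-27T10:04:00 10.0.0.9 GET http://12345.masked-example.com/index.html 200
"""


def suspicious_url(url):
    """True when the URL fits the KillAV.FT download pattern: a numeric first
    label or one of the listed ones, and a request for /update.exe or /un.reg."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    first_label = host.split(".")[0]
    if parts.path.lower() not in PAYLOAD_PATHS:
        return False
    return bool(NUMERIC_LABEL.match(first_label)) or first_label in KNOWN_LABELS


def scan_log(text):
    """Return (client, url, status) for every request matching the pattern.
    A 404 still counts: the attempt itself is the indicator, and the page notes
    the payloads were already offline."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and suspicious_url(m["url"]):
            hits.append((m["client"], m["url"], m["status"]))
    return hits


def clients_fetching_both(hits):
    """Clients that requested both payloads; a stronger sign of a full run than
    a single hit, since the trojan tries update.exe and then un.reg."""
    paths_by_client = {}
    for client, url, _status in hits:
        paths_by_client.setdefault(client, set()).add(urlsplit(url).path.lower())
    return sorted(c for c, paths in paths_by_client.items() if paths == PAYLOAD_PATHS)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print("suspicious request:", *hit)
    print("clients fetching both payloads:", clients_fetching_both(hits))
```

The first-label heuristic will also match legitimate hosts whose first label happens to be a number or "updates", so treat a single hit as a lead to confirm against the host artefacts listed below, not as a verdict on its own.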

Process termination
List of processes that are terminated:
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\zlclient.exe
   • McDetect.exe
   • McTskshd.exe
   • mcupdmgr.exe
   • SpySweeper.exe


List of services that are disabled:
   • Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
   • McAfee Personal Firewall Service
   • mcshield
   • Norton AntiVirus Auto Protect Service
   • norton antivirus firewall monitor service
   • Security Center
   • Sygate Personal Firewall
   • Webroot Spy Sweeper Engine
   • Windows Firewall/Internet Connection Sharing (ICS)
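The file locations, the sample hash, the terminated processes and the disabled services above together make a host-side checklist. The script below turns them into a sweep over a host snapshot; it is an added example written for this description, not code from the page or from Avira. The placeholder expansions for %ALLUSERSPROFILE% and %WINDIR% are assumed Windows XP defaults, the snapshot data is constructed, and the transient %TEMPDIR%\setup.* copies are left out because the page says they are deleted again.

```python
import ntpath

# Values from the description header of this page.
SAMPLE_MD5 = "e7ea0b0fac0d30110346912c02f14f50"
SAMPLE_SIZE = 98304

# Assumed expansions of the placeholders used on this page (Windows XP defaults;
# adjust for the host being examined).
ENV = {
    "%ALLUSERSPROFILE%": r"C:\Documents and Settings\All Users",
    "%WINDIR%": r"C:\WINDOWS",
}

# Paths the page says the trojan copies itself to, creates, or downloads to.
FILE_IOCS = [
    r"%ALLUSERSPROFILE%\start menu\programs\startup\office.exe",
    r"%WINDIR%\up.bat",
    r"C:\temp\update.exe",
    r"C:\temp\un.reg",
    r"C:\temp\ftp.txt",
]

# Processes the trojan terminates and services it disables (from the lists above).
KILLED_PROCESSES = {"zlclient.exe", "mcdetect.exe", "mctskshd.exe", "mcupdmgr.exe", "spysweeper.exe"}
DISABLED_SERVICES = {
    "internet connection firewall (icf) / internet connection sharing (ics)",
    "mcafee personal firewall service",
    "mcshield",
    "norton antivirus auto protect service",
    "norton antivirus firewall monitor service",
    "security center",
    "sygate personal firewall",
    "webroot spy sweeper engine",
    "windows firewall/internet connection sharing (ics)",
}


def expand(path):
    """Expand the page's placeholders and normalise case for comparison."""
    for var, value in ENV.items():
        path = path.replace(var, value)
    return path.lower()


def sweep(files, running, installed_security, services):
    """Match a host snapshot against the indicators on this page.

    files:              {path: (size_in_bytes, md5_hex)}
    running:            image names of running processes
    installed_security: security-product images that should be running on this host
    services:           {service display name: state}
    """
    wanted = {expand(p) for p in FILE_IOCS}
    findings = {"paths": [], "hash_matches": [], "killed_processes": [], "disabled_services": []}
    for path, (size, digest) in files.items():
        if path.lower() in wanted:
            findings["paths"].append(path)
        # The hash check is independent of location: the dropper may be renamed.
        if size == SAMPLE_SIZE and digest.lower() == SAMPLE_MD5:
            findings["hash_matches"].append(path)
    running_names = {ntpath.basename(p).lower() for p in running}
    expected = {ntpath.basename(p).lower() for p in installed_security}
    # Only products known to be installed count: an absent SpySweeper.exe on a
    # host without Spy Sweeper is not evidence of anything.
    findings["killed_processes"] = sorted((expected & KILLED_PROCESSES) - running_names)
    findings["disabled_services"] = sorted(
        name for name, state in services.items()
        if name.lower() in DISABLED_SERVICES and state.lower() == "disabled"
    )
    return findings


def infected(findings):
    """A direct artefact (known path or sample hash) is needed for a verdict;
    killed processes or disabled services alone only corroborate."""
    return bool(findings["paths"] or findings["hash_matches"])


# Constructed snapshot of an XP host (not data from the page).
SNAPSHOT_FILES = {
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\office.exe": (98304, SAMPLE_MD5),
    r"C:\temp\update.exe": (40960, "d41d8cd98f00b204e9800998ecf8427e"),
    r"C:\WINDOWS\notepad.exe": (69120, "ffffffffffffffffffffffffffffffff"),
}
SNAPSHOT_RUNNING = {"explorer.exe", "svchost.exe", "McTskshd.exe"}
SNAPSHOT_SECURITY = {"zlclient.exe", "McDetect.exe", "McTskshd.exe"}
SNAPSHOT_SERVICES = {
    "Security Center": "disabled",
    "Windows Firewall/Internet Connection Sharing (ICS)": "running",
    "mcshield": "disabled",
}

if __name__ == "__main__":
    result = sweep(SNAPSHOT_FILES, SNAPSHOT_RUNNING, SNAPSHOT_SECURITY, SNAPSHOT_SERVICES)
    for key, values in result.items():
        print(f"{key}: {values}")
    print("verdict:", "infected" if infected(result) else "clean")
```

The snapshot inputs would normally come from a directory listing with hashes, a process list and the service control manager of the host under examination; the sweep itself deliberately does not touch the live system, so it can be run against an exported snapshot from a forensic image as well.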

File details
Programming language:
The malware program was written in Visual Basic.

Description inserted by Irina Boldea on Tuesday, September 27, 2005
Description updated by Irina Boldea on Friday, September 30, 2005
