Virus:TR/KillAV.AV.1
Date discovered:28/03/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:34.064 Bytes
MD5 checksum:e021b7cbe9eb78a8c82836c0e5a4f363
VDF version:6.34.00.105

 General Method of propagation:
   • No own spreading routine


Alias:
   •  Bitdefender: Trojan.KillAV.AV


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Third party control

 Files It copies itself to the following locations:
   • %SYSDIR%\%random character string%.exe
   • %SYSDIR%\%double-byte-characters%.pif



It copies itself within an archive to the following location:
   • %SYSDIR%\%double-byte-characters%.zip



The following files are created:

%SYSDIR%\%random character string%.exe Further investigation pointed out that this file is malware, too. Detected as: TR/KillAV.HF

%SYSDIR%\%random character string%.dll Further investigation pointed out that this file is malware, too. Detected as: TR/KillAV.HE

 Registry The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\
   %random character string%]
   • Type = dword:00000010
   • Start = dword:00000002
   • ErrorControl = dword:00000001
   • ImagePath = %SYSDIR%\%random character string%.exe -service
   • DisplayName = %random character string%
   • ObjectName = LocalSystem
   • Description = %double-byte-characters%

– [HKLM\SYSTEM\CurrentControlSet\Services\
   %random character string%\Security]
   • Security = %hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\
   %random character string%\Enum]
   • 0 = Root\\LEGACY_%random character string%\\0000
   • Count = dword:00000001
   • NextInstance = dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\
   LEGACY_%random character string%]
   • NextInstance = dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\
   LEGACY_%random character string%\0000]
   • Service = %random character string%
   • Legacy = dword:00000001
   • ConfigFlags = dword:00000000
   • Class = LegacyDriver
   • ClassGUID = {8ECC055D-047F-11D1-A537-0000F8753ED1}
   • DeviceDesc = %random character string%

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\
   LEGACY_%random character string%\0000\Control]
   • *NewlyCreated* = dword:00000000
   • ActiveService = %random character string%



The values of the following registry keys are removed:

–  [HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • DcomLaunch Servers
   • MSCTS
   • CONINE
   • VMST
   • MOUST
   • KVMonXP
   • KvXP

–  [HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
   • KVMonXP
   • KvXP

–  [HKLM\SYSTEM\ControlSet001\Control\Session Manager]
   • BootExecute



The following registry keys including all values and subkeys are removed:
   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT]
   New value:
   • ReportBootOk = dword:00000000

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • ReportBootOk = 0

– [HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting]
   New value:
   • DoReport = dword:00000000
   • ShowUI = dword:00000000

 Process termination Processes with one of the following strings are terminated:
   • NOD32; Mcshield; qqkav; agentsvr; frogagent; kvxp; kvsrvxp; kregex;
      trojdie; kvcenter; kvmon; uihost; vsmon; vptray; rtvscan; Navap;
      Norton; Symantec; webscanx; vsstat; vshwin32; alogserv; avsynmgr;
      avconsol; Iparmor; KWatch; KPfwSvc; KMailMon; KavPFW; KAVStart;
      KAVSvc; KULANSyn; KPopMon; KWatchUI; KAVPlus; rfwsrv; RAVMON; rfwmain;
      RAVTIMER; RAV.exe; RavStub; Ravmond; CCENTER


List of services that are disabled:
   • KVSrvXP_1
   • KVSrvXP
   • RsCCenter
   • SharedAccess

 Backdoor The following port is opened:

– explorer.exe on a random TCP port


Contact server:
All of the following:
   • http://imkill.98link.com:88/**********
   • http://imkill.98link.com:89/**********

As a result it may send information and remote control could be provided. The servers answer is written to the file: %SYSDIR%\update.web; %SYSDIR%\kgstfd.t


Sends information about:
    • Current malware status


Remote control capabilities:
    • Download file
    • Execute file
    • Visit a website

 Injection –  It injects the following file into a process: %SYSDIR%\%random character string%.dll

    All of the following processes:
   • winlogon.exe
   • explorer.exe


 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Andrei Gherman on Tuesday, March 28, 2006
Description updated by Andrei Gherman on Thursday, March 30, 2006

Back . . . .