Virus: TR/KillAV.AV.1
Date discovered: 28/03/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 34.064 Bytes
MD5 checksum: e021b7cbe9eb78a8c82836c0e5a4f363
VDF version: 6.34.00.105
General
Method of propagation:
• No own spreading routine

Alias:
• Bitdefender: Trojan.KillAV.AV

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Disables security applications
• Drops malicious files
• Lowers security settings
• Registry modification
• Third party control

Files
It copies itself to the following locations:
• %SYSDIR%\%random character string%.exe
• %SYSDIR%\%double-byte-characters%.pif

It copies itself within an archive to the following location:
• %SYSDIR%\%double-byte-characters%.zip

The following files are created:
– %SYSDIR%\%random character string%.exe
  Further investigation showed that this file is malware, too. Detected as: TR/KillAV.HF
– %SYSDIR%\%random character string%.dll
  Further investigation showed that this file is malware, too. Detected as: TR/KillAV.HE

Registry
The following registry keys are added in order to load the service after reboot:
– [HKLM\SYSTEM\CurrentControlSet\Services\%random character string%]
  • Type = dword:00000010
  • Start = dword:00000002
  • ErrorControl = dword:00000001
  • ImagePath = %SYSDIR%\%random character string%.exe -service
  • DisplayName = %random character string%
  • ObjectName = LocalSystem
  • Description = %double-byte-characters%
– [HKLM\SYSTEM\CurrentControlSet\Services\%random character string%\Security]
  • Security = %hex values%
– [HKLM\SYSTEM\CurrentControlSet\Services\%random character string%\Enum]
  • 0 = Root\\LEGACY_%random character string%\\0000
  • Count = dword:00000001
  • NextInstance = dword:00000001
– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%random character string%]
  • NextInstance = dword:00000001
– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%random character string%\0000]
  • Service = %random character string%
  • Legacy = dword:00000001
  • ConfigFlags = dword:00000000
  • Class = LegacyDriver
  • ClassGUID = {8ECC055D-047F-11D1-A537-0000F8753ED1}
  • DeviceDesc = %random character string%
– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%random character string%\0000\Control]
  • *NewlyCreated* = dword:00000000
  • ActiveService = %random character string%

The values of the following registry keys are removed:
– [HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • DcomLaunch Servers
  • MSCTS
  • CONINE
  • VMST
  • MOUST
  • KVMonXP
  • KvXP
– [HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
  • KVMonXP
  • KvXP
– [HKLM\SYSTEM\ControlSet001\Control\Session Manager]
  • BootExecute

The following registry keys, including all values and subkeys, are removed:
• [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
• [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
• [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

The following registry keys are changed:
– [HKLM\SOFTWARE\Microsoft\Windows NT]
  New value:
  • ReportBootOk = dword:00000000
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  New value:
  • ReportBootOk = 0
– [HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting]
  New value:
  • DoReport = dword:00000000
  • ShowUI = dword:00000000

Process termination
Processes whose name contains one of the following strings are terminated:
• NOD32; Mcshield; qqkav; agentsvr; frogagent; kvxp; kvsrvxp; kregex; trojdie; kvcenter; kvmon; uihost; vsmon; vptray; rtvscan; Navap; Norton; Symantec; webscanx; vsstat; vshwin32; alogserv; avsynmgr; avconsol; Iparmor; KWatch; KPfwSvc; KMailMon; KavPFW; KAVStart; KAVSvc; KULANSyn; KPopMon; KWatchUI; KAVPlus; rfwsrv; RAVMON; rfwmain; RAVTIMER; RAV.exe; RavStub; Ravmond; CCENTER

List of services that are disabled:
• KVSrvXP_1
• KVSrvXP
• RsCCenter
• SharedAccess

Backdoor
The following port is opened:
– explorer.exe on a random TCP port

Contact server:
All of the following:
• http://imkill.98link.com:88/**********
• http://imkill.98link.com:89/**********

As a result it may send information and provide remote control.

The server's answer is written to the following files:
• %SYSDIR%\update.web
• %SYSDIR%\kgstfd.t

Sends information about:
• Current malware status

Remote control capabilities:
• Download file
• Execute file
• Visit a website

Injection
– It injects the following file into processes: %SYSDIR%\%random character string%.dll
  Into all of the following processes:
  • winlogon.exe
  • explorer.exe

File details
Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.
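A defender-side triage check over the registry and socket side effects listed above, added here as an example; it is not part of the original description or of any vendor tooling. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated session, and it treats the service-pattern match as a heuristic to review rather than proof of infection.

```powershell
# Added example, not from the original description: read-only triage of a
# host for the registry and socket side effects of TR/KillAV.AV. Run elevated.
$findings = @()

# 1. Keys the trojan removes wholesale: System Restore and both SafeBoot lists.
$mustExist = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
)
foreach ($k in $mustExist) {
    if (-not (Test-Path -LiteralPath $k)) { $findings += "Missing key: $k" }
}

# 2. Values it sets to silence boot reporting and Windows Error Reporting.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'ReportBootOk'; Bad = '0' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\PCHealth\ErrorReporting'; Name = 'DoReport'; Bad = '0' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\PCHealth\ErrorReporting'; Name = 'ShowUI'; Bad = '0' }
)
foreach ($c in $checks) {
    $p = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $p -and "$($p.($c.Name))" -eq $c.Bad) {
        $findings += "Suspicious value: $($c.Path)\$($c.Name) = $($c.Bad)"
    }
}

# 3. Services matching the persistence pattern: auto-start, LocalSystem, image in
#    the system directory launched with "-service". Heuristic: review, do not delete.
$sysdir = [regex]::Escape("$env:SystemRoot\System32")
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $p = Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue
    if ($p.Start -eq 2 -and $p.ObjectName -eq 'LocalSystem' -and
        $p.ImagePath -match "^$sysdir\\[^\\]+\.exe -service$") {
        $findings += "Suspicious service: $($svc.PSChildName) -> $($p.ImagePath)"
    }
}

# 4. explorer.exe owning a listening TCP socket (the backdoor side effect).
foreach ($conn in Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    if ($proc -and $proc.ProcessName -eq 'explorer') {
        $findings += "explorer.exe listening on TCP port $($conn.LocalPort)"
    }
}

if ($findings) { $findings } else { 'No TR/KillAV.AV registry or socket indicators found.' }
```

A hit on check 3 or 4 alone is not conclusive; correlate it with the dropped-file and service-enumeration artifacts listed above before acting.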
Description inserted by Andrei Gherman on Tuesday, March 28, 2006 Description updated by Andrei Gherman on Thursday, March 30, 2006