Full description

Nume:	TR/KillAV.AV.1
Descoperit pe data de:	28/03/2006
Tip:	Troian
ITW:	Nu
Numar infectii raportate:	Scazut
Potential de raspandire:	Scazut
Potential de distrugere:	Mediu
Fisier static:	Da
Marime:	34.064 Bytes
MD5:	e021b7cbe9eb78a8c82836c0e5a4f363
Versiune VDF:	6.34.00.105

General Metoda de raspandire:
   • Nu are rutina proprie de raspandire

Alias:
   • Bitdefender: Trojan.KillAV.AV

Sistem de operare:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Efecte secundare:
   • Inchide aplicatiile de securitate
   • Creeaza fisiere malware
   • Reduce setarile de securitate
   • Modificari in registri
   • Posibilitatea accesului neautorizat la computer

Fisiere Se copiaza in urmatoarele locatii:
   • %SYSDIR%\%combinatie de caractere aleatoare%.exe
   • %SYSDIR%\%caractere dublu-byte%.pif

Se copiaza intr-o arhiva in urmatoarea locatie:
   • %SYSDIR%\%caractere dublu-byte%.zip

Sunt create fisierele:

– %SYSDIR%\%combinatie de caractere aleatoare%.exe Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: TR/KillAV.HF

– %SYSDIR%\%combinatie de caractere aleatoare%.dll Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: TR/KillAV.HE

Registrii sistemului Urmatoarele chei sunt adaugate in registri pentru a incarca serviciul la repornirea sistemului:

– [HKLM\SYSTEM\CurrentControlSet\Services\
   %combinatie de caractere aleatoare%]
   • Type = dword:00000010
   • Start = dword:00000002
   • ErrorControl = dword:00000001
   • ImagePath = %SYSDIR%\%combinatie de caractere aleatoare%.exe -service
   • DisplayName = %combinatie de caractere aleatoare%
   • ObjectName = LocalSystem
   • Description = %caractere dublu-byte%

– [HKLM\SYSTEM\CurrentControlSet\Services\
   %combinatie de caractere aleatoare%\Security]
   • Security = %valori hex%

– [HKLM\SYSTEM\CurrentControlSet\Services\
   %combinatie de caractere aleatoare%\Enum]
   • 0 = Root\\LEGACY_%combinatie de caractere aleatoare%\\0000
   • Count = dword:00000001
   • NextInstance = dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\
   LEGACY_%combinatie de caractere aleatoare%]
   • NextInstance = dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\
   LEGACY_%combinatie de caractere aleatoare%\0000]
   • Service = %combinatie de caractere aleatoare%
   • Legacy = dword:00000001
   • ConfigFlags = dword:00000000
   • Class = LegacyDriver
   • ClassGUID = {8ECC055D-047F-11D1-A537-0000F8753ED1}
   • DeviceDesc = %combinatie de caractere aleatoare%

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\
   LEGACY_%combinatie de caractere aleatoare%\0000\Control]
   • *NewlyCreated* = dword:00000000
   • ActiveService = %combinatie de caractere aleatoare%

Valorile urmatoarelor chei sunt sterse din registrii sistemului:

– [HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • DcomLaunch Servers
   • MSCTS
   • CONINE
   • VMST
   • MOUST
   • KVMonXP
   • KvXP

– [HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
   • KVMonXP
   • KvXP

– [HKLM\SYSTEM\ControlSet001\Control\Session Manager]
   • BootExecute

Se sterg urmatoarele chei din registri, inclusiv toate valorile si cheile subordnate:
   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

Urmatoarele chei din registri sunt modificate:

– [HKLM\SOFTWARE\Microsoft\Windows NT]
   Noua valoare:
   • ReportBootOk = dword:00000000

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Noua valoare:
   • ReportBootOk = 0

– [HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting]
   Noua valoare:
   • DoReport = dword:00000000
   • ShowUI = dword:00000000

Terminarea proceselor Procesele care contin urmatoarele siruri de caractere sunt oprite:
   • NOD32; Mcshield; qqkav; agentsvr; frogagent; kvxp; kvsrvxp; kregex;
      trojdie; kvcenter; kvmon; uihost; vsmon; vptray; rtvscan; Navap;
      Norton; Symantec; webscanx; vsstat; vshwin32; alogserv; avsynmgr;
      avconsol; Iparmor; KWatch; KPfwSvc; KMailMon; KavPFW; KAVStart;
      KAVSvc; KULANSyn; KPopMon; KWatchUI; KAVPlus; rfwsrv; RAVMON; rfwmain;
      RAVTIMER; RAV.exe; RavStub; Ravmond; CCENTER

Lista cu serviciile dezactivate:
   • KVSrvXP_1
   • KVSrvXP
   • RsCCenter
   • SharedAccess

Backdoor Deschide portul

– explorer.exe port TCP aleator

Servere contactate:
Urmatoarele:
   • http://imkill.98link.com:88/**********
   • http://imkill.98link.com:89/**********

Astfel se pot transmite informatii si se poate obtine control la distanta. Raspunsul serverului este scris in fisierul: %SYSDIR%\update.web; %SYSDIR%\kgstfd.t

Trimte informatii despre:
    • Statusul actual al malware-ului

Posibilitati de control la distanta:
    • descarcare fisier
    • executarea unui fisier
    • Vizitarea unui website

Injectarea codului malware in alte procese – Injecteaza fisierul urmator intr-un proces: %SYSDIR%\%combinatie de caractere aleatoare%.dll

    Urmatoarele procese:
   • winlogon.exe
   • explorer.exe

Detaliile fisierului Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit un program de compresie runtime.

Description inserted by Andrei Gherman on Tuesday, March 28, 2006
Description updated by Andrei Gherman on Thursday, March 30, 2006

Back . . . .

Featured PC protection

Free products

Most popular

All products

Bundled Solutions

Workstation

Server

Bundled Solutions

Mail Gateways

Web Gateways

Collaboration Platforms

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools