Full description

Virus:	TR/KillAV.HI.2
Date discovered:	25/04/2006
Type:	Trojan
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Low to medium
Static file:	Yes
File size:	74.240 Bytes
MD5 checksum:	0E54d1548c0F7d1afc2778d5f6dc8f5f
VDF version:	6.34.01.04

General Method of propagation:
   • No own spreading routine

Aliases:
   • Kaspersky: Trojan.Win32.KillAV.hi
   • TrendMicro: TROJ_BRIZ.G
   • VirusBuster: trojan Trojan.KillAV.DT
   • Bitdefender: Backdoor.Agent.HB

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Blocks access to security websites
   • Disable security applications
   • Registry modification

Files It deletes the following file:
• C:\Program Files\McAfee.com\Agent\mctskshd.exe

Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Microsoft Windows Logon Process" = "%WINDIR%\winlogon.exe"
• "Microsoft Windows Session Manager Subsystem" = "%WINDIR%\smss.exe"

Hosts The host file is modified as explained:

– In this case existing entries are deleted.

– Access to the following domains is effectively blocked:
   • 10.0.0.5 avp.com; 10.0.0.5 kaspersky.com; 10.0.0.5 kaspersky-labs.com;
      10.0.0.5 updates1.kaspersky.com; 10.0.0.5 updates2.kaspersky.com;
      10.0.0.5 updates3.kaspersky.com; 10.0.0.5 updates-us1.kaspersky.com;
      10.0.0.5 downloads1.kaspersky.com; 10.0.0.5
      downloads-us1.kaspersky.com; 10.0.0.5 www.avp.com; 10.0.0.5
      www.kaspersky.com; 10.0.0.5 d-ru-1f.kaspersky-labs.com; 10.0.0.5
      d-ru-1h.kaspersky-labs.com; 10.0.0.5 d-ru-2f.kaspersky-labs.com;
      10.0.0.5 d-ru-2h.kaspersky-labs.com; 10.0.0.5
      d-eu-2f.kaspersky-labs.com; 10.0.0.5 d-eu-2h.kaspersky-labs.com;
      10.0.0.5 d-eu-1f.kaspersky-labs.com; 10.0.0.5
      d-eu-1h.kaspersky-labs.com; 10.0.0.5 d-us-1f.kaspersky-labs.com;
      10.0.0.5 d-us-1h.kaspersky-labs.com; 10.0.0.5 downloads1.kaspersky.ru;
      10.0.0.5 downloads2.kaspersky.ru; 10.0.0.5 downloads3.kaspersky.ru;
      10.0.0.5 downloads4.kaspersky.ru; 10.0.0.5 downloads5.kaspersky.ru;
      10.0.0.5 eset.com; 10.0.0.5 www.eset.com; 10.0.0.5 u2.eset.com;
      10.0.0.5 u3.eset.com; 10.0.0.5 u4.eset.com; 10.0.0.5 u7.eset.com;
      10.0.0.5 82.165.250.33; 10.0.0.5 82.165.237.14; 10.0.0.5
      www.nod32.com; 10.0.0.5 nod32.com; 10.0.0.5 eset.casablanca.cz;
      10.0.0.5 casablanca.cz; 10.0.0.5 customer.symantec.com; 10.0.0.5
      liveupdate.symantec.com; 10.0.0.5 liveupdate.symantecliveupdate.com;
      10.0.0.5 securityresponse.symantec.com; 10.0.0.5 symantec.com;
      10.0.0.5 update.symantec.com; 10.0.0.5 updates.symantec.com; 10.0.0.5
      www.symantec.com; 10.0.0.5 www.norton.com; 10.0.0.5 norton.com;
      10.0.0.5 mast.mcafee.com; 10.0.0.5 mcafee.com; 10.0.0.5
      rads.mcafee.com; 10.0.0.5 www.mcafee.com; 10.0.0.5 mcafee.com;
      10.0.0.5 us.mcafee.com; 10.0.0.5 dispatch.mcafee.com; 10.0.0.5
      download.mcafee.com; 10.0.0.5 metalhead2005.info; 10.0.0.5
      my-etrust.com; 10.0.0.5 nai.com; 10.0.0.5 networkassociates.com;
      10.0.0.5 secure.nai.com; 10.0.0.5 sophos.com; 10.0.0.5 trendmicro.com;
      10.0.0.5 viruslist.com; 10.0.0.5 viruslist.com; 10.0.0.5 www.ca.com;
      10.0.0.5 www.f-secure.com; 10.0.0.5 www.microsoft.com; 10.0.0.5
      www.my-etrust.com; 10.0.0.5 www.nai.com; 10.0.0.5
      www.networkassociates.com; 10.0.0.5 www.sophos.com; 10.0.0.5
      www.trendmicro.com; 10.0.0.5 www.viruslist.com; 10.0.0.5 ca.com;
      10.0.0.5 d66.myleftnut.info; 10.0.0.5 f-secure.com

The modified host file will look like this:

Process termination The following process is terminated:
• mctskshd.exe

The following service is disabled:
• McAfee Task Scheduler

Miscellaneous Checks for an internet connection by contacting the following web site:
   • www.microsoft.com

String:
Furthermore it contains the following strings:
   • - ORiEN executable files protection system -
   • ------ Created by A. Fisun, 1994-2003 ------
   • ------- WWW: http://zale**********/ -------
   • -------- e-mail: zale********** ---------
   • --------------------------------------------
   • Well, you got this text, but this will be all you get :)

File details Programming language:
The malware program was written in Visual Basic.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Daniel Constantin on Thursday, May 11, 2006
Description updated by Andrei Gherman on Friday, May 12, 2006

Back . . . .