Full description

Virus:	TR/KillAV.HI.2
Date discovered:	25/04/2006
Type:	Trojan
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Low to medium
Static file:	Yes
File size:	74.240 Bytes
MD5 checksum:	0E54d1548c0F7d1afc2778d5f6dc8f5f
VDF version:	6.34.01.04

General Method of propagation:
   • No own spreading routine

Aliases:
   • Kaspersky: Trojan.Win32.KillAV.hi
   • TrendMicro: TROJ_BRIZ.G
   • VirusBuster: trojan Trojan.KillAV.DT
   • Bitdefender: Backdoor.Agent.HB

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Blocks access to security websites
   • Disable security applications
   • Registry modification

Files It deletes the following file:
• C:\Program Files\McAfee.com\Agent\mctskshd.exe

Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Microsoft Windows Logon Process" = "%WINDIR%\winlogon.exe"
• "Microsoft Windows Session Manager Subsystem" = "%WINDIR%\smss.exe"

Hosts The host file is modified as explained:

– In this case existing entries are deleted.

– Access to the following domains is effectively blocked:
   • 10.0.0.5 avp.com; 10.0.0.5 kaspersky.com; 10.0.0.5 kaspersky-labs.com;
      10.0.0.5 updates1.kaspersky.com; 10.0.0.5 updates2.kaspersky.com;
      10.0.0.5 updates3.kaspersky.com; 10.0.0.5 updates-us1.kaspersky.com;
      10.0.0.5 downloads1.kaspersky.com; 10.0.0.5
      downloads-us1.kaspersky.com; 10.0.0.5 www.avp.com; 10.0.0.5
      www.kaspersky.com; 10.0.0.5 d-ru-1f.kaspersky-labs.com; 10.0.0.5
      d-ru-1h.kaspersky-labs.com; 10.0.0.5 d-ru-2f.kaspersky-labs.com;
      10.0.0.5 d-ru-2h.kaspersky-labs.com; 10.0.0.5
      d-eu-2f.kaspersky-labs.com; 10.0.0.5 d-eu-2h.kaspersky-labs.com;
      10.0.0.5 d-eu-1f.kaspersky-labs.com; 10.0.0.5
      d-eu-1h.kaspersky-labs.com; 10.0.0.5 d-us-1f.kaspersky-labs.com;
      10.0.0.5 d-us-1h.kaspersky-labs.com; 10.0.0.5 downloads1.kaspersky.ru;
      10.0.0.5 downloads2.kaspersky.ru; 10.0.0.5 downloads3.kaspersky.ru;
      10.0.0.5 downloads4.kaspersky.ru; 10.0.0.5 downloads5.kaspersky.ru;
      10.0.0.5 eset.com; 10.0.0.5 www.eset.com; 10.0.0.5 u2.eset.com;
      10.0.0.5 u3.eset.com; 10.0.0.5 u4.eset.com; 10.0.0.5 u7.eset.com;
      10.0.0.5 82.165.250.33; 10.0.0.5 82.165.237.14; 10.0.0.5
      www.nod32.com; 10.0.0.5 nod32.com; 10.0.0.5 eset.casablanca.cz;
      10.0.0.5 casablanca.cz; 10.0.0.5 customer.symantec.com; 10.0.0.5
      liveupdate.symantec.com; 10.0.0.5 liveupdate.symantecliveupdate.com;
      10.0.0.5 securityresponse.symantec.com; 10.0.0.5 symantec.com;
      10.0.0.5 update.symantec.com; 10.0.0.5 updates.symantec.com; 10.0.0.5
      www.symantec.com; 10.0.0.5 www.norton.com; 10.0.0.5 norton.com;
      10.0.0.5 mast.mcafee.com; 10.0.0.5 mcafee.com; 10.0.0.5
      rads.mcafee.com; 10.0.0.5 www.mcafee.com; 10.0.0.5 mcafee.com;
      10.0.0.5 us.mcafee.com; 10.0.0.5 dispatch.mcafee.com; 10.0.0.5
      download.mcafee.com; 10.0.0.5 metalhead2005.info; 10.0.0.5
      my-etrust.com; 10.0.0.5 nai.com; 10.0.0.5 networkassociates.com;
      10.0.0.5 secure.nai.com; 10.0.0.5 sophos.com; 10.0.0.5 trendmicro.com;
      10.0.0.5 viruslist.com; 10.0.0.5 viruslist.com; 10.0.0.5 www.ca.com;
      10.0.0.5 www.f-secure.com; 10.0.0.5 www.microsoft.com; 10.0.0.5
      www.my-etrust.com; 10.0.0.5 www.nai.com; 10.0.0.5
      www.networkassociates.com; 10.0.0.5 www.sophos.com; 10.0.0.5
      www.trendmicro.com; 10.0.0.5 www.viruslist.com; 10.0.0.5 ca.com;
      10.0.0.5 d66.myleftnut.info; 10.0.0.5 f-secure.com

The modified host file will look like this:

Process termination The following process is terminated:
• mctskshd.exe

The following service is disabled:
• McAfee Task Scheduler

Miscellaneous Checks for an internet connection by contacting the following web site:
   • www.microsoft.com

String:
Furthermore it contains the following strings:
   • - ORiEN executable files protection system -
   • ------ Created by A. Fisun, 1994-2003 ------
   • ------- WWW: http://zale**********/ -------
   • -------- e-mail: zale********** ---------
   • --------------------------------------------
   • Well, you got this text, but this will be all you get :)

File details Programming language:
The malware program was written in Visual Basic.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Daniel Constantin on Thursday, May 11, 2006
Description updated by Andrei Gherman on Friday, May 12, 2006

Back . . . .

Featured PC protection

Free products

Most popular

All products

Bundled Solutions

Workstation

Server

Bundled Solutions

Mail Gateways

Web Gateways

Collaboration Platforms

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools