Win32/KillAV [Threat Name]

Win32/KillAV.NHD [Threat Variant Name]

Category trojan
Size 38400 B
Detection created Dec 16, 2009
Detection database version 4694
Aliases Trojan.Win32.Vilsel.pfw (Kaspersky)
        Generic.Downloader.x!cbd (McAfee)
        TrojanDownloader:Win32/Ufraie.A (Microsoft)
Short description

Win32/KillAV.NHD is a trojan that repeatedly tries to connect to various web pages. The trojan can download and execute a file from the Internet.

Installation

The trojan does not create any copies of itself.


The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft]
    • "kr_done1" = %variable1%

A string with variable content is used instead of %variable1%.

Other information

The following services are disabled:

  • Windows Security Center Service (wscsvc)
  • Windows Firewall/Internet Connection Sharing (ICS)

The trojan connects to the following servers to obtain the current date and time:

  • pool.ntp.org
  • 0.pool.ntp.org
  • 1.pool.ntp.org
  • 2.pool.ntp.org
  • microsoft.com
  • linux.org
  • yahoo.com
  • google.com

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of one (1) URL. The HTTP protocol is used.


The trojan may attempt to download files from the Internet.


These are stored in the following locations:

  • %temp%\%variable2%

A string with variable content is used instead of %variable2%.


The files are then executed.


The trojan creates the following files:

  • %system%\kr_done1
  • %temp%\uninst%variable3%.bat

A string with variable content is used instead of %variable3%.


The trojan modifies the following file:

  • %windir%\wininit.ini

The trojan writes the following entries to the file:

  • [Rename]
    • NUL=%filepath%
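As an added triage example (not part of the ESET entry), the following Python matches already-collected host snapshots against the artifacts listed above: the [Rename] NUL=%filepath% entry in wininit.ini (which Windows processes at boot, deleting the source file), the kr_done1 registry value, and the disabled services. The service name SharedAccess for Windows Firewall/ICS is an assumption, since the entry gives only its display name; the sample snapshots are constructed.

```python
# Added example: offline triage of the Win32/KillAV.NHD host artifacts.
# Inputs are snapshots collected beforehand, so nothing here touches a live system.
from typing import Dict, List, Tuple

KR_DONE1_VALUE = r"hkey_local_machine\software\microsoft\kr_done1"  # from the entry
WATCHED_SERVICES = {
    "wscsvc": "Windows Security Center Service",                     # named in the entry
    "sharedaccess": "Windows Firewall/ICS (service name assumed)",  # only display name on page
}

def parse_rename_section(wininit_text: str) -> List[Tuple[str, str]]:
    """Return (destination, source) pairs from the [Rename] section of wininit.ini.
    Windows applies this section at boot; a destination of NUL deletes the source."""
    pairs, in_rename = [], False
    for raw in wininit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dst, src = line.split("=", 1)
            pairs.append((dst.strip(), src.strip()))
    return pairs

def pending_deletions(wininit_text: str) -> List[str]:
    # Files queued for deletion at next boot (the NUL=%filepath% pattern).
    return [src for dst, src in parse_rename_section(wininit_text) if dst.upper() == "NUL"]

def assess_host(wininit_text: str, registry: Dict[str, str], services: Dict[str, str]) -> List[str]:
    """Match collected snapshots against the indicators listed for this variant."""
    findings = []
    for path in pending_deletions(wininit_text):
        findings.append(f"wininit.ini schedules deletion of {path}")
    for key, value in registry.items():
        if key.lower() == KR_DONE1_VALUE:
            findings.append(f"registry marker kr_done1 present (value {value!r})")
    for name, state in services.items():
        label = WATCHED_SERVICES.get(name.lower())
        if label and state.lower() == "disabled":
            findings.append(f"{label} ({name}) is disabled")
    return findings

# Constructed sample snapshots, not real captures.
SAMPLE_WININIT = "[Rename]\nNUL=C:\\WINDOWS\\Temp\\uninst4a1c.bat\n"
SAMPLE_REGISTRY = {r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\kr_done1": "a7f3"}
SAMPLE_SERVICES = {"wscsvc": "Disabled", "SharedAccess": "Running"}
```

Running `assess_host(SAMPLE_WININIT, SAMPLE_REGISTRY, SAMPLE_SERVICES)` yields one finding per matched artifact; a clean snapshot yields an empty list.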

The trojan opens TCP port 10100.


The following information is collected:

  • operating system version
  • antivirus software detected on the affected machine
  • malware version
  • network adapter information
  • Internet Explorer version

The trojan can send the information to a remote machine.
