Win32/KillAV [Threat Name] go to Threat

Win32/KillAV.NMZ [Threat Variant Name]

Category trojan
Size 177664 B
Detection created Aug 03, 2011
Detection database version 6347
Aliases Trojan.Win32.KillAV.lgf (Kaspersky)
  Trojan:Win32/KillAV.FP (Microsoft)
Short description

Win32/KillAV.NMZ is a trojan that interferes with the operation of some security applications. The file is run-time compressed using UPX .


The trojan does not create any copies of itself.

Payload information

The trojan creates copies of the following files (source, destination):

  • C:\­Arquivos de programas\­AVG\­AVG10\­%filename%.exe, C:\­Arquivos de programas\­AVG\­AVG10\­%filename%.exe1
  • C:\­Program Files (x86)\­AVG\­AVG10\­%filename%.exe, C:\­Program Files (x86)\­AVG\­AVG10\­%filename%.exe1
  • C:\­Program Files\­AVG\­AVG10\­%filename%.exe, C:\­Program Files\­AVG\­AVG10\­%filename%.exe1

The %filename% is one of the following strings:

  • avgam
  • avgfws
  • avgnsa
  • avgnsx
  • avgrsa
  • avgrsx
  • avgfws
  • avgnsx
  • avgrsx
  • avgemca
  • avgemcx
  • avgcmgr
  • avgcfgex
  • avgchsva
  • avgchsvx
  • avgcrema
  • avgcremx
  • avgstrmx
  • avgsystx
  • avgchsvx
  • avgcsrva
  • avgcsrvx
  • avgdiagex
  • avgdumpa
  • avgdumpx
  • avgscana
  • avgscanx
  • avglscanx
  • avgmfapx
  • avgntdumpa
  • avgntdumpx
  • avgsrmaa
  • avgsrmax
  • avgtray
  • avgwdsvc
  • avgwsc
  • fixcfg
  • SearchProvider
  • AVGToolbarInstall

The trojan then deletes source files.

Other information

The trojan executes the following commands:

  • cmd /k cacls "C:\­Arquivos de programas\­Alwil Software" /E /T /R Usußrios
  • cmd /k cacls "C:\­Arquivos de programas\­Alwil Software" /E /T /R Administradores
  • cmd /k cacls "C:\­Arquivos de programas\­Alwil Software" /E /T /R SYSTEM
  • cmd /k cacls "C:\­Arquivos de programas\­AVAST Software" /E /T /R Usußrios
  • cmd /k cacls "C:\­Arquivos de programas\­AVAST Software" /E /T /R Administradores
  • cmd /k cacls "C:\­Arquivos de programas\­AVAST Software" /E /T /R SYSTEM
  • cmd /k cacls "C:\­Program Files\­Alwil Software" /E /R SISTEMA
  • cmd /k cacls "C:\­Program Files\­Alwil Software" /E /R Usußrios
  • cmd /k cacls "C:\­Program Files\­Alwil Software" /E /R Administradores
  • cmd /k cacls "C:\­Program Files (x86)\­Alwil Software" /E /R SISTEMA
  • cmd /k cacls "C:\­Program Files (x86)\­Alwil Software" /E /R Usußrios
  • cmd /k cacls "C:\­Program Files (x86)\­Alwil Software" /E /R Administradores
  • cmd /k cacls "C:\­Program Files\­AVAST Software" /E /R SISTEMA
  • cmd /k cacls "C:\­Program Files\­AVAST Software" /E /R Usußrios
  • cmd /k cacls "C:\­Program Files\­AVAST Software" /E /R Administradores

Please enable Javascript to ensure correct displaying of this content and refresh this page.