Win32/KillFiles [Threat Name]

Win32/KillFiles.NCH [Threat Variant Name]

Category: trojan
Size: 40960 B
Detection created: Jul 15, 2009
Detection database version: 4246
Aliases:
  Trojan-Dropper.Win32.Agent.avpk (Kaspersky)
  Trojan.Horse (Symantec)
  Trojan:Win32/Killfiles.AM (Microsoft)

Short description

Win32/KillFiles.NCH is a trojan which deletes files with specific file extensions. The trojan overwrites the MBR (Master Boot Record) of all drives with its own data.

Installation

When executed, the trojan creates the following files:

  • %system%\wversion.exe (36864 B)

The file is then executed.

Payload information

The trojan overwrites the MBR (Master Boot Record) of all drives with its own data.

The written data contains the following string:

  • Memory of the Independence Day

The trojan searches local drives for files with the following file extensions:

  • .accdb
  • .alz
  • .asp
  • .aspx
  • .c
  • .cpp
  • .db
  • .dbf
  • .doc
  • .docm
  • .docx
  • .eml
  • .gho
  • .gul
  • .hna
  • .hwp
  • .java
  • .jsp
  • .kwp
  • .mdb
  • .pas
  • .pdf
  • .php
  • .ppt
  • .pptx
  • .pst
  • .rar
  • .rtf
  • .txt
  • .wpd
  • .wpx
  • .wri
  • .xls
  • .xlsx
  • .xml
  • .zip

The trojan compresses each found file into a password-protected archive. The password is randomly generated.

The file name and extension of the newly created file are derived from the original one. An additional ".gz" extension is appended.

The trojan then deletes the found files.

Other information

The trojan modifies the following file:

  • %windir%\win.ini

The trojan writes the following entries to the file:

  • [MSSOFT]
    • LastName=%variable1%
    • FirstName=%variable2%
    • Location=%variable3%

A string with variable content is used instead of %variable1-3%.
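
The artifacts listed above (the dropped wversion.exe and its size, the [MSSOFT] entries in win.ini, and the string in the overwritten MBR) can be checked together when triaging a mounted disk image. The following Python sketch is an added example, not part of the original description or any vendor tool; the function names, the "system32" directory in the sample, and the sample file contents are constructed, and because the description does not say where in the written data the string sits, the caller chooses how many leading disk bytes to pass in.

```python
import os
import tempfile

# Indicators taken from the description above.
DROPPED_NAME, DROPPED_SIZE = "wversion.exe", 36864
INI_SECTION = "mssoft"
INI_KEYS = {"lastname", "firstname", "location"}
MBR_MARKER = b"Memory of the Independence Day"


def mssoft_keys(win_ini_path):
    """Return the lowercased key names found under [MSSOFT] in a win.ini file."""
    found, section = set(), None
    with open(win_ini_path, "r", encoding="latin-1") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].strip().lower()
            elif section == INI_SECTION and "=" in line and not line.startswith(";"):
                found.add(line.split("=", 1)[0].strip().lower())
    return found


def triage(system_dir, win_ini_path, disk_start):
    """Check the three artifacts; return indicator name -> bool."""
    dropped = os.path.join(system_dir, DROPPED_NAME)
    size_ok = os.path.isfile(dropped) and os.path.getsize(dropped) == DROPPED_SIZE
    ini_ok = os.path.isfile(win_ini_path) and INI_KEYS <= mssoft_keys(win_ini_path)
    return {"dropped_file": size_ok, "win_ini_mssoft": ini_ok,
            "mbr_marker": MBR_MARKER in disk_start}


def build_sample(root):
    """Constructed evidence tree for the demo; all contents are made up."""
    system_dir = os.path.join(root, "system32")
    os.makedirs(system_dir)
    with open(os.path.join(system_dir, DROPPED_NAME), "wb") as fh:
        fh.write(b"\0" * DROPPED_SIZE)
    win_ini = os.path.join(root, "win.ini")
    with open(win_ini, "w", encoding="latin-1") as fh:
        fh.write("; for 16-bit app support\n[fonts]\n[MSSOFT]\n"
                 "LastName=aaa\nFirstName=bbb\nLocation=ccc\n")
    return system_dir, win_ini, (b"\0" * 16 + MBR_MARKER).ljust(512, b"\0")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(*build_sample(tmp)))
```

A name and size match on wversion.exe is only a lead for further analysis; the three results are reported separately so that each can be weighed on its own.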
