Win32/KillFiles [Threat Name]

Win32/KillFiles.NCI [Threat Variant Name]

Category trojan
Size 110592 B
Detection created Jul 16, 2009
Detection database version 4251
Aliases Trojan-Dropper.Win32.Agent.avog (Kaspersky)
  Generic.Dropper!gu (McAfee)
  Trojan.Mbot (Dr.Web)
Short description

Win32/KillFiles.NCI is a trojan which deletes files with specific file extensions. The trojan tries to download and execute several files from the Internet.

Installation

When executed, the trojan creates the following files:

  • %system%\netlmgr.dll (86016 B)

The file is then executed.

Payload information

The trojan searches local drives for files with the following file extensions:

  • .doc
  • .hwp
  • .ppt
  • .xls

The trojan compresses each found file into a password-protected archive. The password is randomly generated.

The name of the newly created file is derived from the original file name and extension, with an additional ".gz" extension appended.

The trojan then deletes the original files.
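The re-packing described above leaves a recognisable artifact on disk: documents that have turned into ".gz" files but, because the gzip format has no password mechanism, cannot start with the gzip magic bytes 1f 8b. The Python script below is an added example written for this page (it is not ESET's code and nothing in it is taken from the sample). It assumes that "derived from the original" means the original name and extension are kept and ".gz" is appended, and it builds its own constructed sample tree to scan, so it runs offline.

```python
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# File extensions the trojan targets (from the description).
TARGET_EXTS = (".doc", ".hwp", ".ppt", ".xls")

# Real gzip streams start with the two-byte magic 1f 8b. gzip has no
# password feature, so a password-protected archive that merely carries a
# ".gz" extension will not start with these bytes.
GZIP_MAGIC = b"\x1f\x8b"


def classify(name: str, header: bytes) -> Optional[str]:
    """Classify a file by its name and its first bytes.

    Returns
      "suspect" - name is <original>.<doc ext>.gz but the content is not
                  gzip: consistent with a document re-packed by the trojan
      "gzip"    - name matches the pattern but the content really is gzip
                  (informational; probably a user's own compressed file)
      None      - not relevant
    Assumption: the original file name, extension included, is kept and
    ".gz" is appended (the page only says the name is "derived").
    """
    lower = name.lower()
    if not lower.endswith(".gz"):
        return None
    stem = lower[:-3]
    if not stem.endswith(TARGET_EXTS):
        return None
    return "gzip" if header.startswith(GZIP_MAGIC) else "suspect"


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (path, verdict) for every matching file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(2)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            verdict = classify(fn, header)
            if verdict:
                hits.append((path, verdict))
    return hits


def demo() -> Dict[str, int]:
    """Build a constructed sample tree, scan it and return verdict counts."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        # Constructed samples (not real infection data): a ZIP-style header
        # and a RAR-style header behind re-packed names, a genuine gzip
        # .xls.gz, an untouched .ppt and an unrelated tarball.
        samples = {
            "budget.xls.gz": GZIP_MAGIC + b"\x08\x00",
            "report.doc.gz": b"PK\x03\x04" + b"\x00" * 4,
            "deck.hwp.gz": b"Rar!\x1a\x07\x00",
            "slides.ppt": b"\xd0\xcf\x11\xe0",
            "backup.tar.gz": GZIP_MAGIC + b"\x08\x00",
        }
        for fn, data in samples.items():
            with open(os.path.join(docs, fn), "wb") as fh:
                fh.write(data)
        counts: Dict[str, int] = {}
        for _path, verdict in scan_tree(root):
            counts[verdict] = counts.get(verdict, 0) + 1
        return counts


if __name__ == "__main__":
    print(demo())  # {'gzip': 1, 'suspect': 2}
```

Point `scan_tree` at a user's document folders; a "suspect" hit is worth preserving, since the page does not say the random password is ever sent anywhere, so the archive may be the only remaining copy of the document.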

Information stealing

The trojan searches local drives for files with the following file extensions:

  • .lnk
  • .url

Only folders which contain one of the following strings in their path are searched:

  • Documents and Settings
  • FOUND.0
  • I386
  • MSOCache
  • Program Files
  • System Volume Information
  • Users
  • WINDOWS
  • WINNT

The collected information is stored in the following file:

  • %temp%\~DBF%variable%.tmp

A string with variable content is used instead of %variable% .


The trojan can send the information to a remote machine.

Other information

The trojan contains a list of URLs. It tries to download several files from these addresses over HTTP.


These are stored in the following locations:

  • %temp%\~ZSB%variable%.tmp

A string with variable content is used instead of %variable% .


The trojan creates copies of the following files (source, destination):

  • %temp%\~ZSB%variable%.tmp, msiexec%number%.exe

A string with variable content is used instead of %number% .


The files are then executed.


The trojan creates the following files:

  • ~SDSTY.bat
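The file names given in the Installation, Information stealing and Other information sections (netlmgr.dll, ~DBF%variable%.tmp, ~ZSB%variable%.tmp, msiexec%number%.exe and ~SDSTY.bat) can be hunted for by name. The script below is an added example for this page (not ESET's code and not derived from the sample): it runs regular expressions over a `dir /s /b`-style path listing. The page does not give the width or character set of the %variable% and %number% parts, so the loose patterns, the choice to match netlmgr.dll in any directory, and the sample listing are all assumptions.

```python
import re
from typing import List, Optional, Tuple

# Name-based indicators from the description. Pattern widths are assumptions
# because the page does not specify what %variable% and %number% expand to.
IOC_PATTERNS = [
    ("dropped DLL", re.compile(r"\\netlmgr\.dll$", re.I)),
    ("collected .lnk/.url data", re.compile(r"\\temp\\~DBF[^\\]*\.tmp$", re.I)),
    ("downloaded payload", re.compile(r"\\temp\\~ZSB[^\\]*\.tmp$", re.I)),
    # The legitimate Windows Installer binary is msiexec.exe with no digits;
    # the trojan's copies carry a number before ".exe".
    ("copied payload", re.compile(r"\\msiexec\d+\.exe$", re.I)),
    ("batch file", re.compile(r"\\~SDSTY\.bat$", re.I)),
]


def match_ioc(path: str) -> Optional[str]:
    """Return the label of the first indicator a path matches, or None."""
    for label, pat in IOC_PATTERNS:
        if pat.search(path):
            return label
    return None


def hunt(listing: str) -> List[Tuple[str, str]]:
    """Run match_ioc over each non-empty line of a `dir /s /b` listing."""
    hits = []
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        label = match_ioc(line)
        if label:
            hits.append((label, line))
    return hits


# Constructed sample listing (not captured from a real infection). The
# first line is the legitimate msiexec.exe and must not match.
SAMPLE_LISTING = r"""
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\netlmgr.dll
C:\Documents and Settings\alice\Local Settings\Temp\~DBF3f2a.tmp
C:\Documents and Settings\alice\Local Settings\Temp\~ZSB0001.tmp
C:\Documents and Settings\alice\Local Settings\Temp\msiexec1.exe
C:\Documents and Settings\alice\Local Settings\Temp\~SDSTY.bat
C:\Documents and Settings\alice\My Documents\notes.txt
"""

if __name__ == "__main__":
    for label, path in hunt(SAMPLE_LISTING):
        print(f"{label:26s} {path}")
```

Feed it the output of `dir C:\ /s /b` from the host under investigation. A hit on the ~ZSB or msiexec%number% names should be treated as evidence that the download stage ran, so the downloaded files themselves need to be collected before cleanup.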
