Win32/KillAV [Threat Name]

Win32/KillAV.NBO [Threat Variant Name]

Category trojan
Size 15360 B
Aliases Trojan-Downloader.Win32.Tibs.kwr (Kaspersky)
  Generic.dx.trojan (McAfee)
  Trojan.Horse (Symantec)
Short description

Win32/KillAV.NBO is a trojan that repeatedly tries to connect to various web pages. The trojan can download and execute a file from the Internet.

Installation

The trojan does not create any copies of itself.


The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft]
    • "kr_done1" = %variable%

A string with variable content is used instead of %variable%.

Other information

The trojan contains a list of URLs (1 entry).


It tries to download a file from the address. The HTTP protocol is used.


The file is stored into the following folder:

  • C:\

The following filename is used:

  • %variable%.exe

A string with variable content is used instead of %variable%.


The file is then executed.


The trojan creates the following files:

  • %system%\kr_done1
  • %temp%\uninst%variable%.bat

A string with variable content is used instead of %variable%.


The trojan modifies the following file:

  • %windir%\wininit.ini

The trojan writes the following entries to the file:

  • [Rename]
    • NUL=%filepath%
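
On Windows 9x/ME, entries in the [Rename] section of wininit.ini are processed at the next restart, and an entry whose destination is NUL deletes the named file. The following added example (not part of the original description) lists the files a wininit.ini would delete, for triage of a suspect machine; the sample content and the function name pending_deletes are constructed for illustration.

```python
import re

# Constructed sample of a modified wininit.ini (not taken from a real infection).
SAMPLE_WININIT = """\
[Rename]
NUL=C:\\abc123.exe
C:\\WINDOWS\\SYSTEM\\new.dll=C:\\WINDOWS\\TEMP\\new.tmp
nul=C:\\WINDOWS\\TEMP\\uninstabc123.bat

[Other]
NUL=C:\\ignored.txt
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def pending_deletes(text):
    """Return the paths that [Rename] entries of the form NUL=<path> would delete.

    The file is parsed by hand because the NUL key may legitimately repeat,
    which configparser rejects in its default strict mode.
    """
    deletes = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        section = SECTION_RE.match(line)
        if section:
            # Section names are case-insensitive in INI files.
            in_rename = section.group("name").strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, _, src = line.partition("=")
        # A destination of NUL means "delete the source file at restart".
        if dest.strip().lower() == "nul" and src.strip():
            deletes.append(src.strip())
    return deletes


if __name__ == "__main__":
    for path in pending_deletes(SAMPLE_WININIT):
        print("scheduled for deletion at restart:", path)
```
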

The trojan opens TCP port 10100.


The following information is collected:

  • operating system version
  • antivirus software detected on the affected machine
  • malware version
  • Internet Explorer version

The trojan can send the information to a remote machine.
