Win32/KillAV [Threat Name]

Win32/KillAV.NHD [Threat Variant Name]

Category: trojan
Size: 38400 B
Aliases:
  • Trojan.Win32.Vilsel.pfw (Kaspersky)
  • Generic.Downloader.x!cbd (McAfee)
  • TrojanDownloader:Win32/Ufraie.A (Microsoft)

Short description

Win32/KillAV.NHD is a trojan that repeatedly tries to connect to various web pages. The trojan can download and execute a file from the Internet.


The trojan does not create any copies of itself.

The following Registry entries are created:

    • "kr_done1" = %variable1%

A string with variable content is used instead of %variable1%.

Other information

The following services are disabled:

  • Windows Security Center Service (wscsvc)
  • Windows Firewall/Internet Connection Sharing (ICS)

The trojan connects to the following servers to obtain the current date and time:


The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of URLs (1 entry). The HTTP protocol is used.

The trojan may attempt to download files from the Internet.

These are stored in the following locations:

  • %temp%\%variable2%

A string with variable content is used instead of %variable2%.

The files are then executed.

The trojan creates the following files:

  • %system%\kr_done1
  • %temp%\uninst%variable3%.bat

A string with variable content is used instead of %variable3%.

The trojan modifies the following file:

  • %windir%\wininit.ini

The trojan writes the following entries to the file:

  • [Rename]
    • NUL=%filepath%

The trojan opens TCP port 10100.

The following information is collected:

  • operating system version
  • antivirus software detected on the affected machine
  • malware version
  • network adapter information
  • Internet Explorer version

The trojan can send the information to a remote machine.
