Win32/KillAV [Threat Name] go to Threat

Win32/KillAV.NTD [Threat Variant Name]

Category trojan
Size 77824 B
Aliases Trojan.Win32.Yakes.uuxg (Kaspersky)
  W32.Koobface (Symantec)
  Trojan.PWS.Banker1.23928 (Dr.Web)
  Trojan:Win32/Tiggre!rfn (Microsoft)
Short description

Win32/KillAV.NTD is a trojan which tries to download other malware from the Internet.


The trojan does not create any copies of itself.

Information stealing

The trojan collects the following information:

  • operating system version

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan contains a URL address.

It tries to download a file from the address.

The file is stored in the following location:

  • %appdata%\­%variable%.exe

The file is then executed. The HTTP protocol is used in the communication.

A string with variable content is used instead of %variable% .

Trojan is able to bypass User Account Control (UAC).

The following services are disabled:

  • WinDefend

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Policies\­Microsoft\­Windows Defender\­Exclusions\­Extension]
    • "exe" = "exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Policies\­Microsoft\­Windows Defender\­Exclusions]
    • "Exclusions_Extensions" = 1
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Policies\­Microsoft\­Windows Defender\­Real-time Protection]
    • "DisableRealtimeMonitoring" = 1
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Policies\­Microsoft\­Windows Defender]
    • "DisableAntiSpyware" = 1

Please enable Javascript to ensure correct displaying of this content and refresh this page.