Win32/KillFiles [Threat Name]
Win32/KillFiles.NCH [Threat Variant Name]
Category | trojan
Size | 40960 B
Aliases | Trojan-Dropper.Win32.Agent.avpk (Kaspersky), Trojan.Horse (Symantec), Trojan:Win32/Killfiles.AM (Microsoft)
Short description
Win32/KillFiles.NCH is a trojan which deletes files with specific file extensions. The trojan overwrites the MBR (Master Boot Record) of all drives with its own data.
Installation
When executed, the trojan creates the following files:
- %system%\wversion.exe (36864 B)
The file is then executed.
Payload information
The trojan overwrites the MBR (Master Boot Record) of all drives with its own data.
The written data contains the following string:
- Memory of the Independence Day
The trojan searches local drives for files with the following file extensions:
- .accdb
- .alz
- .asp
- .aspx
- .c
- .cpp
- .db
- .dbf
- .doc
- .docm
- .docx
- .eml
- .gho
- .gul
- .hna
- .hwp
- .java
- .jsp
- .kwp
- .mdb
- .pas
- .php
- .ppt
- .pptx
- .pst
- .rar
- .rtf
- .txt
- .wpd
- .wpx
- .wri
- .xls
- .xlsx
- .xml
- .zip
The trojan compresses each found file into a password-protected archive.
The password is randomly generated.
The name and extension of the new file are derived from the original one; an additional ".gz" extension is appended. (The gzip format itself has no password protection, so the extension says nothing about the archive's actual format.)
The trojan then deletes the original files.
Other information
The trojan modifies the following file:
- %windir%\win.ini
The trojan writes the following entries to the file:
- [MSSOFT]
- LastName=%variable1%
- FirstName=%variable2%
- Location=%variable3%
A string with variable content is used instead of %variable1-3%.
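As an added example (not ESET's code and not code from the trojan), the following Python triage helpers check a host for the three indicators described in the Payload information and Other information sections above: the marker string in a drive's first sector, files whose name is a targeted extension followed by a trailing ".gz", and the [MSSOFT] section in win.ini. The archive-name check rests on an assumption: the page only says the new name is derived from the original and that ".gz" is appended, so the code assumes the original name and extension are kept intact (e.g. "report.docx.gz"). All sample inputs are constructed.

```python
"""Host triage helpers for the Win32/KillFiles.NCH indicators above.

Added example; not ESET's code and not the trojan's. Sample inputs are constructed.
"""
import configparser
import os
import tempfile
from typing import Dict, List, Optional

# Extensions the trojan targets, as listed on the page.
TARGET_EXTENSIONS = {
    ".accdb", ".alz", ".asp", ".aspx", ".c", ".cpp", ".db", ".dbf", ".doc",
    ".docm", ".docx", ".eml", ".gho", ".gul", ".hna", ".hwp", ".java", ".jsp",
    ".kwp", ".mdb", ".pas", ".php", ".ppt", ".pptx", ".pst", ".rar", ".rtf",
    ".txt", ".wpd", ".wpx", ".wri", ".xls", ".xlsx", ".xml", ".zip",
}

# String the page reports inside the data written over the MBR.
MBR_MARKER = b"Memory of the Independence Day"

# Constructed 512-byte sector containing the marker (not a real capture).
SAMPLE_SECTOR = MBR_MARKER.ljust(510, b"\x00") + b"\x55\xaa"

# Constructed win.ini text carrying the [MSSOFT] entries the page describes.
SAMPLE_WIN_INI = """; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MSSOFT]
LastName=alpha
FirstName=beta
Location=gamma
"""


def mbr_is_overwritten(sector: bytes) -> bool:
    """True if the first 512 bytes of a drive contain the trojan's marker string."""
    return MBR_MARKER in sector[:512]


def is_killfiles_artifact(filename: str) -> bool:
    """True for names like 'report.docx.gz': a targeted extension plus '.gz'.

    Assumption (not stated on the page): the original name and extension are
    preserved in the derived archive name. 'archive.tar.gz' is not flagged.
    """
    base, last = os.path.splitext(filename)
    if last.lower() != ".gz":
        return False
    return os.path.splitext(base)[1].lower() in TARGET_EXTENSIONS


def scan_tree(root: str) -> List[str]:
    """Walk root and return sorted paths whose names match the artifact pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_killfiles_artifact(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def win_ini_has_marker(ini_text: str) -> Optional[Dict[str, str]]:
    """Return the [MSSOFT] LastName/FirstName/Location values, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(ini_text)
    if not cp.has_section("MSSOFT"):
        return None
    sec = cp["MSSOFT"]
    keys = ("LastName", "FirstName", "Location")
    if not all(k in sec for k in keys):
        return None
    return {k: sec[k] for k in keys}


def demo_scan() -> List[str]:
    """Build a constructed directory tree and return the basenames scan_tree flags."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "docs")
        os.makedirs(sub)
        for name in ("notes.txt.gz", "report.docx.gz", "archive.tar.gz", "photo.jpg"):
            with open(os.path.join(sub, name), "wb") as fh:
                fh.write(b"x")  # content is irrelevant; only the name is checked
        return [os.path.basename(p) for p in scan_tree(root)]


if __name__ == "__main__":
    print("MBR marker present:", mbr_is_overwritten(SAMPLE_SECTOR))
    print("Suspicious archives:", demo_scan())
    print("win.ini [MSSOFT]:", win_ini_has_marker(SAMPLE_WIN_INI))
```

To run the sector check against a live Windows host, read the first 512 bytes of \\.\PhysicalDrive0 (administrative rights required) and pass them to mbr_is_overwritten; the raw device read is left out so the block runs offline. Pass the contents of %windir%\win.ini to win_ini_has_marker and a drive root to scan_tree in the same way.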