Win32/KillFiles [Threat Name]

Win32/KillFiles.NCL [Threat Variant Name]

Category trojan
Size 49152 B
Detection created Sep 13, 2009
Detection database version 4421
Aliases Downloader.MisleadApp (Symantec)
  BKDR_DSBOT.EH (TrendMicro)
  Downloader.VB.LPN (AVG)

Short description

Win32/KillFiles.NCL is a trojan that deletes files in specific folders.

Installation

The trojan does not create any copies of itself.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%executablefilename%" = "%malwarepath%"

Payload information

The trojan attempts to delete the following files:

  • %programfiles%\*.*
  • %programfiles%\Scpad\*.*
  • %programfiles%\Scpad\resultadoa
  • %programfiles%\Scpad\resultadob
  • %programfiles%\Scpad\resultadoc
  • %programfiles%\Scpad\resultadod
  • %programfiles%\Scpad\resultadoe
  • %programfiles%\GbPlugin\GbpSv.exe
  • %allusersprofile%\Dados de aplicativos\Scpad\*.*
  • %windir%\Downloaded Program Files\CONFLICT.1\*.*
  • %windir%\Downloaded Program Files\*.*
  • %windir%\Downloaded Program Files\resultadof
  • %windir%\Downloaded Program Files\resultadog
  • %windir%\system32\resultadoh
  • %windir%\system32\resultadoi
  • %windir%\system32\scplib.dll
  • %windir%\system32\scpmib.dll
  • %windir%\system32\sshib.dll
  • %windir%\system32\Logof.dll

Other information

The trojan may create the following files:

  • %malwarefolder%\Gbp.log

The trojan may delete the following files:

  • %malwarefolder%\Gbp.log

The following programs are terminated:

  • GbpSv.exe
  • iexplore.exe
  • explorer.exe
  • winlogon.exe
