
Friday, 16 March 2012

Trojan.Win32.KillAV.ks


Technical Details

This Trojan has a malicious payload. It is a BAT file, 2507 bytes in size.

Payload

When launched, the Trojan performs the following actions:
  • It forcibly terminates the following processes:
    nod32kui.exe
    nod32krn.exe
    avpcc.exe
    avpm.exe
    DRWEB32.EXE
    nmain.exe
    bdmcon.exe
    bdnagent.exe
    bdoesrv.exe
    bdss.exe
    DrWebScd.exe
    mcagent.exe
    mcshell.exe
    mcvsshld.exe
    mcuimgr.exe
    mcupdui.exe
    
  • It deletes the following values from the system registry autorun key:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    
    Deleted values:
    KAVPersonal50
    kav
    McLogLch_exe
    nod32kui
    DrWebScheduler
    SpIDerMail
    SpIDerNT
    ccApp
    osCheck
    Outpost Firewall
    OutpostFeedBack
    Zone Labs Client
    SmcService
    BDMCon
    BDOESRV
    BDNewsAgent
    avast!
    APVXDWIN
    AVG7_CC
    AVGCtrl
    
  • It deletes the following registry keys:
    [HKLM\System\CurrentControlSet\Services\kavsvc]
    [HKLM\System\CurrentControlSet\Services\AVP]
    [HKLM\System\CurrentControlSet\Services\McLogManagerService]
    [HKLM\System\CurrentControlSet\Services\mcmispupdmgr]
    [HKLM\System\CurrentControlSet\Services\McNASvc]
    [HKLM\System\CurrentControlSet\Services\McODS]
    [HKLM\System\CurrentControlSet\Services\mcpromgr]
    [HKLM\System\CurrentControlSet\Services\McRedirector]
    [HKLM\System\CurrentControlSet\Services\McShield]
    [HKLM\System\CurrentControlSet\Services\McSysmon]
    [HKLM\System\CurrentControlSet\Services\mctskshd.exe]
    [HKLM\System\CurrentControlSet\Services\mcusrmgr]
    [HKLM\System\CurrentControlSet\Services\MpfService]
    [HKLM\System\CurrentControlSet\Services\mfeavfk]
    [HKLM\System\CurrentControlSet\Services\mfebopk]
    [HKLM\System\CurrentControlSet\Services\mfesmfk]
    [HKLM\System\CurrentControlSet\Services\MPFP]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\NOD32 Context Menu Shell Extension]
    [HKLM\System\CurrentControlSet\Services\NOD32krn]
    [HKLM\System\CurrentControlSet\Services\spidernt]
    [HKLM\System\CurrentControlSet\Services\ccEvtMgr]
    [HKLM\System\CurrentControlSet\Services\ccSetMgr]
    [HKLM\System\CurrentControlSet\Services\navapsvc]
    [HKLM\System\CurrentControlSet\Services\CLTNetCnService]
    [HKLM\System\CurrentControlSet\Services\SymAppCore]
    [HKLM\System\CurrentControlSet\Services\NPFMntor]
    [HKLM\System\CurrentControlSet\Services\SNDSrvc]
    [HKLM\System\CurrentControlSet\Services\SPBBCSvc]
    [HKLM\System\CurrentControlSet\Services\OutpostFirewall]
    [HKLM\System\CurrentControlSet\Services\vsmon]
    [HKLM\System\CurrentControlSet\Services\SmcService]
    [HKLM\System\CurrentControlSet\Services\bdss]
    [HKLM\System\CurrentControlSet\Services\VSSERV]
    [HKLM\System\CurrentControlSet\Services\XCOMM]
    [HKLM\System\CurrentControlSet\Services\aswUpdSv]
    [HKLM\System\CurrentControlSet\Services\avast! Antivirus]
    [HKLM\System\CurrentControlSet\Services\PAVFIRES]
    [HKLM\System\CurrentControlSet\Services\PAVFNSVR]
    [HKLM\System\CurrentControlSet\Services\PavProt]
    [HKLM\System\CurrentControlSet\Services\PavPrSrv]
    [HKLM\System\CurrentControlSet\Services\PAVSRV]
    [HKLM\System\CurrentControlSet\Services\PREVSRV]
    [HKLM\System\CurrentControlSet\Services\PSIMSVC]
    [HKLM\System\CurrentControlSet\Services\cpoint]
    [HKLM\System\CurrentControlSet\Services\netflt]
    [HKLM\System\CurrentControlSet\Services\PavProc]
    [HKLM\System\CurrentControlSet\Services\Avg7Alrt]
    [HKLM\System\CurrentControlSet\Services\Avg7UpdSvc]
    [HKLM\SYSTEM\CurrentControlSet\Services\AntiVirService]
    [HKLM\SYSTEM\CurrentControlSet\Services\avgntdw]
    
  • It then forces the user's computer to reboot.
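The four steps above (process kills, Run-value deletion, service-key deletion, forced reboot) form a recognisable chain on a host that has process-creation and registry telemetry. The following detection routine is an added example, not code from the original description or from any product: it parses a constructed, Sysmon-like event format (the `<timestamp>|<host>|<event>|<detail>` layout, the host names and the sample lines are all invented for this example), matches the process, Run-value and service names listed above, and raises an alert only when the combination looks like security-software tampering rather than a single uninstaller or admin action.

```python
"""Added example: detect the KillAV chain described above in host telemetry.
Event format, host names and sample lines are CONSTRUCTED for this example."""
import re
from dataclasses import dataclass, field

# Process names the description lists as forcibly terminated.
AV_PROCESSES = frozenset(p.lower() for p in (
    "nod32kui.exe", "nod32krn.exe", "avpcc.exe", "avpm.exe", "DRWEB32.EXE",
    "nmain.exe", "bdmcon.exe", "bdnagent.exe", "bdoesrv.exe", "bdss.exe",
    "DrWebScd.exe", "mcagent.exe", "mcshell.exe", "mcvsshld.exe",
    "mcuimgr.exe", "mcupdui.exe"))
# Value names the description lists as deleted from the HKLM Run key.
AV_RUN_VALUES = frozenset(v.lower() for v in (
    "KAVPersonal50", "kav", "McLogLch_exe", "nod32kui", "DrWebScheduler",
    "SpIDerMail", "SpIDerNT", "ccApp", "osCheck", "Outpost Firewall",
    "OutpostFeedBack", "Zone Labs Client", "SmcService", "BDMCon", "BDOESRV",
    "BDNewsAgent", "avast!", "APVXDWIN", "AVG7_CC", "AVGCtrl"))
# Service key names from the description (representative subset; extend as needed).
AV_SERVICES = frozenset(s.lower() for s in (
    "kavsvc", "AVP", "McShield", "McSysmon", "MpfService", "NOD32krn",
    "spidernt", "ccEvtMgr", "ccSetMgr", "navapsvc", "OutpostFirewall", "vsmon",
    "SmcService", "bdss", "VSSERV", "aswUpdSv", "avast! Antivirus", "PAVSRV",
    "Avg7Alrt", "Avg7UpdSvc", "AntiVirService", "avgntdw"))
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
SERVICES_KEY = r"hklm\system\currentcontrolset\services"
KILL_TOOLS = frozenset({"taskkill.exe", "tskill.exe", "pskill.exe"})

# Constructed line format: <timestamp>|<host>|<event>|<detail>
LINE_RE = re.compile(r"^(?P<ts>\S+)\|(?P<host>[^|]+)\|(?P<event>[^|]+)\|(?P<detail>.*)$")
PROC_RE = re.compile(r"image=(?P<image>\S+)\s+cmdline=(?P<cmdline>.*)$")
REG_RE = re.compile(r"key=(?P<key>.+?)(?:\s+value=(?P<value>.*))?$")


@dataclass
class HostFindings:
    killed_av: set = field(default_factory=set)
    deleted_run_values: set = field(default_factory=set)
    deleted_services: set = field(default_factory=set)
    reboot: bool = False

    def is_killav_pattern(self):
        # Two distinct tamper techniques, or three hits within one technique,
        # is well outside normal uninstaller or administrator activity.
        cats = (self.killed_av, self.deleted_run_values, self.deleted_services)
        return sum(bool(c) for c in cats) >= 2 or max(len(c) for c in cats) >= 3


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _service_name(key):
    """Return the service name if key is a direct child of the Services key."""
    k = key.lower()
    if k.startswith(SERVICES_KEY + "\\"):
        rest = k[len(SERVICES_KEY) + 1:]
        return rest if "\\" not in rest else None
    return None


def analyze(lines):
    """Group events by host and collect the KillAV indicators seen on each."""
    hosts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        f = hosts.setdefault(m["host"], HostFindings())
        event, detail = m["event"], m["detail"]
        if event == "ProcessCreate" and (pm := PROC_RE.match(detail)):
            image, tokens = _basename(pm["image"]), pm["cmdline"].lower().split()
            if image in KILL_TOOLS:
                f.killed_av.update(t for t in tokens if t in AV_PROCESSES)
            elif image == "shutdown.exe" and ("/r" in tokens or "-r" in tokens):
                f.reboot = True
        elif event in ("RegistryDeleteValue", "RegistryDeleteKey") and (rm := REG_RE.match(detail)):
            if event == "RegistryDeleteValue" and rm["key"].lower() == RUN_KEY and rm["value"]:
                if rm["value"].lower() in AV_RUN_VALUES:
                    f.deleted_run_values.add(rm["value"].lower())
            elif event == "RegistryDeleteKey":
                svc = _service_name(rm["key"])
                if svc in AV_SERVICES:
                    f.deleted_services.add(svc)
    return hosts


def alerts(lines):
    """One alert string per host whose activity matches the KillAV chain."""
    out = []
    for host, f in sorted(analyze(lines).items()):
        if f.is_killav_pattern():
            out.append(f"{host}: KillAV pattern - {len(f.killed_av)} AV process kill(s), "
                       f"{len(f.deleted_run_values)} Run value(s) deleted, "
                       f"{len(f.deleted_services)} security service key(s) deleted"
                       + (", followed by forced reboot" if f.reboot else ""))
    return out


# Constructed sample telemetry: WS01 shows the full chain, WS02 benign admin activity.
SAMPLE_EVENTS = [
    r"2012-03-16T10:00:02|WS01|ProcessCreate|image=C:\Windows\System32\taskkill.exe cmdline=taskkill /F /IM nod32krn.exe",
    r"2012-03-16T10:00:02|WS01|ProcessCreate|image=C:\Windows\System32\taskkill.exe cmdline=taskkill /F /IM avpm.exe",
    r"2012-03-16T10:00:03|WS01|ProcessCreate|image=C:\Windows\System32\taskkill.exe cmdline=taskkill /F /IM mcagent.exe",
    r"2012-03-16T10:00:04|WS01|RegistryDeleteValue|key=HKLM\Software\Microsoft\Windows\CurrentVersion\Run value=avast!",
    r"2012-03-16T10:00:04|WS01|RegistryDeleteValue|key=HKLM\Software\Microsoft\Windows\CurrentVersion\Run value=nod32kui",
    r"2012-03-16T10:00:05|WS01|RegistryDeleteKey|key=HKLM\System\CurrentControlSet\Services\AVP",
    r"2012-03-16T10:00:05|WS01|RegistryDeleteKey|key=HKLM\System\CurrentControlSet\Services\avast! Antivirus",
    r"2012-03-16T10:00:06|WS01|ProcessCreate|image=C:\Windows\System32\shutdown.exe cmdline=shutdown -r -t 0",
    r"2012-03-16T11:30:00|WS02|ProcessCreate|image=C:\Windows\System32\taskkill.exe cmdline=taskkill /IM notepad.exe",
    r"2012-03-16T11:31:00|WS02|RegistryDeleteValue|key=HKLM\Software\Microsoft\Windows\CurrentVersion\Run value=ccApp",
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print(a)
```

The threshold in `is_killav_pattern` is the part worth tuning: a legitimate AV uninstall will delete its own Run value and service key, so a single technique with one or two hits is deliberately ignored, while the combination of kills, autorun removal and service deletion on one host within a short window is what distinguishes this Trojan's behaviour.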
