Win32/KillAV [Threat Name]

Win32/KillAV.NTB [Threat Variant Name]

Category trojan
Size 155648 B
Detection created Sep 30, 2017
Detection database version 16167
Aliases Trojan.Win32.Kasidet.dbg (Kaspersky), Trojan.Fakealert.58009 (Dr.Web)
Short description

The trojan disables various security related applications. The trojan serves as a proxy server. It can be controlled remotely.

Installation

The trojan may create copies of itself using the following filenames:

  • %appdata%\%variable1%\%variable2%.exe

A string with variable content is used instead of %variable1-2%.


The trojan may create and run a new thread with its own program code within any running process.


The trojan quits immediately if the executable filename is one of the following:

  • C:\file.exe
  • C:\myapp.exe
  • C:\sample.exe
  • C:\self.exe
  • C:\t.exe

Other information

The trojan serves as a proxy server.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 2 URLs. The trojan generates various URL addresses. The TCP and HTTP protocols are used in the communication.


It can execute the following operations:

  • set up a proxy server
  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version

The trojan may create the following files:

  • %temp%\%variable3%.exe

A string with variable content is used instead of %variable3%.


The following services are disabled:

  • wuauserv
  • WinDefend

The trojan may execute the following commands:

  • cmd.exe /C sc stop wuauserv
  • cmd.exe /C sc config wuauserv start= disabled
  • cmd.exe /C Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
    • "DisableAntiSpyware" = 1
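The following PowerShell triage script is an added example, not ESET's code or part of the original entry. It checks a host for the configuration changes listed above (the two disabled services, the DisableAntiSpyware policy value, and recently created executables under the %appdata% and %temp% drop locations) and, with the -Remediate switch, reverses the service and registry changes. It assumes an elevated session on the host being examined; the 7-day lookback window and the directory depth are assumptions chosen for the example.

```powershell
<#
  Added triage example (not ESET's code): checks a Windows host for the
  changes this Win32/KillAV.NTB description lists and optionally reverts
  the service/registry changes. Run elevated. The -Days window is an
  assumption for the example, not a value from the threat description.
#>
param(
    [switch]$Remediate,
    [int]$Days = 7
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Services the description says are disabled: wuauserv and WinDefend.
foreach ($svc in 'wuauserv', 'WinDefend') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) { $findings.Add("service $svc not present"); continue }
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'").StartMode
    if ($startMode -eq 'Disabled' -or $s.Status -ne 'Running') {
        $findings.Add("service $svc is $($s.Status), start mode $startMode")
        if ($Remediate) {
            # Mirrors the effect of 'sc config ... start= disabled' in reverse.
            Set-Service -Name $svc -StartupType Automatic
            Start-Service -Name $svc -ErrorAction SilentlyContinue
        }
    }
}

# 2. The policy value the trojan sets with 'Reg add' (DisableAntiSpyware = 1).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$prop = Get-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($prop -and $prop.DisableAntiSpyware -eq 1) {
    $findings.Add("$key\DisableAntiSpyware = 1")
    if ($Remediate) {
        Remove-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    }
}

# 3. Drop locations: %appdata%\<dir>\<name>.exe and %temp%\<name>.exe.
#    The directory and file names are variable, so only the pattern and the
#    creation time can be checked; anything found needs manual review.
$since = (Get-Date).AddDays(-$Days)
$candidates = @()
$candidates += Get-ChildItem -Path (Join-Path $env:APPDATA '*') -Filter '*.exe' -File -Depth 1 -ErrorAction SilentlyContinue
$candidates += Get-ChildItem -Path $env:TEMP -Filter '*.exe' -File -ErrorAction SilentlyContinue
foreach ($f in $candidates | Where-Object { $_.CreationTime -gt $since }) {
    $findings.Add("recent executable: $($f.FullName) (created $($f.CreationTime))")
}

# 4. Report.
if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the Win32/KillAV.NTB description found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
    if ($Remediate) { Write-Output 'Service and registry changes reverted; review listed files manually.' }
}
```

The file check is deliberately a hint rather than a verdict: the description only fixes the drop pattern, not the names, so a legitimate installer can match it. Treat a hit as a lead for hashing and submitting the file, and confirm the service and policy state again after remediation, since the trojan can be instructed to update itself and repeat the changes.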
