
Trojan.Win32.KillAV.ks

Detected Oct 07 2007 07:42 GMT
Released Oct 07 2007 07:42 GMT
Published Oct 26 2010 07:32 GMT


Technical Details

This Trojan is a BAT (Windows batch) file, 2507 bytes in size, that carries a malicious payload.


Payload

When launching, the Trojan performs the following actions:

  • It forcibly terminates the following processes:
    nod32kui.exe
    nod32krn.exe
    avpcc.exe
    avpm.exe
    DRWEB32.EXE
    nmain.exe
    bdmcon.exe
    bdnagent.exe
    bdoesrv.exe
    bdss.exe
    DrWebScd.exe
    mcagent.exe
    mcshell.exe
    mcvsshld.exe
    mcuimgr.exe
    mcupdui.exe
    
  • It deletes the following values from the system registry autorun key
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]:
    KAVPersonal50
    kav
    McLogLch_exe
    nod32kui
    DrWebScheduler
    SpIDerMail
    SpIDerNT
    ccApp
    osCheck
    Outpost Firewall
    OutpostFeedBack
    Zone Labs Client
    SmcService
    BDMCon
    BDOESRV
    BDNewsAgent
    avast!
    APVXDWIN
    AVG7_CC
    AVGCtrl
    
  • It deletes the following registry keys:
    [HKLM\System\CurrentControlSet\Services\kavsvc]
    [HKLM\System\CurrentControlSet\Services\AVP]
    [HKLM\System\CurrentControlSet\Services\McLogManagerService]
    [HKLM\System\CurrentControlSet\Services\mcmispupdmgr]
    [HKLM\System\CurrentControlSet\Services\McNASvc]
    [HKLM\System\CurrentControlSet\Services\McODS]
    [HKLM\System\CurrentControlSet\Services\mcpromgr]
    [HKLM\System\CurrentControlSet\Services\McRedirector]
    [HKLM\System\CurrentControlSet\Services\McShield]
    [HKLM\System\CurrentControlSet\Services\McSysmon]
    [HKLM\System\CurrentControlSet\Services\mctskshd.exe]
    [HKLM\System\CurrentControlSet\Services\mcusrmgr]
    [HKLM\System\CurrentControlSet\Services\MpfService]
    [HKLM\System\CurrentControlSet\Services\mfeavfk]
    [HKLM\System\CurrentControlSet\Services\mfebopk]
    [HKLM\System\CurrentControlSet\Services\mfesmfk]
    [HKLM\System\CurrentControlSet\Services\MPFP]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\NOD32 Context Menu Shell Extension]
    [HKLM\System\CurrentControlSet\Services\NOD32krn]
    [HKLM\System\CurrentControlSet\Services\spidernt]
    [HKLM\System\CurrentControlSet\Services\ccEvtMgr]
    [HKLM\System\CurrentControlSet\Services\ccSetMgr]
    [HKLM\System\CurrentControlSet\Services\navapsvc]
    [HKLM\System\CurrentControlSet\Services\CLTNetCnService]
    [HKLM\System\CurrentControlSet\Services\SymAppCore]
    [HKLM\System\CurrentControlSet\Services\NPFMntor]
    [HKLM\System\CurrentControlSet\Services\SNDSrvc]
    [HKLM\System\CurrentControlSet\Services\SPBBCSvc]
    [HKLM\System\CurrentControlSet\Services\OutpostFirewall]
    [HKLM\System\CurrentControlSet\Services\vsmon]
    [HKLM\System\CurrentControlSet\Services\SmcService]
    [HKLM\System\CurrentControlSet\Services\bdss]
    [HKLM\System\CurrentControlSet\Services\VSSERV]
    [HKLM\System\CurrentControlSet\Services\XCOMM]
    [HKLM\System\CurrentControlSet\Services\aswUpdSv]
    [HKLM\System\CurrentControlSet\Services\avast! Antivirus]
    [HKLM\System\CurrentControlSet\Services\PAVFIRES]
    [HKLM\System\CurrentControlSet\Services\PAVFNSVR]
    [HKLM\System\CurrentControlSet\Services\PavProt]
    [HKLM\System\CurrentControlSet\Services\PavPrSrv]
    [HKLM\System\CurrentControlSet\Services\PAVSRV]
    [HKLM\System\CurrentControlSet\Services\PREVSRV]
    [HKLM\System\CurrentControlSet\Services\PSIMSVC]
    [HKLM\System\CurrentControlSet\Services\cpoint]
    [HKLM\System\CurrentControlSet\Services\netflt]
    [HKLM\System\CurrentControlSet\Services\PavProc]
    [HKLM\System\CurrentControlSet\Services\Avg7Alrt]
    [HKLM\System\CurrentControlSet\Services\Avg7UpdSvc]
    [HKLM\SYSTEM\CurrentControlSet\Services\AntiVirService]
    [HKLM\SYSTEM\CurrentControlSet\Services\avgntdw]
    
  • It then forces the user's computer to reboot.
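The payload above leaves a characteristic trace: security-product processes stop, their autorun values vanish from the Run key, and their service keys disappear. The script below is an added example from the editor, not Kaspersky's tooling and not part of the original write-up; it parses two Windows .reg exports (a known-good baseline and the current state, assumed to be in the simple `[KEY]` / `"name"=data` layout regedit produces) plus two process lists, and reports which of the indicators from this write-up were present before and are gone now. The baseline and infected snapshots are constructed sample data; the installation path in the sample Run value is invented.

```python
import re

# Indicator lists transcribed from the write-up: autorun values, service keys and process
# names that Trojan.Win32.KillAV.ks deletes or terminates (a representative subset).
KILLAV_RUN_VALUES = {"KAVPersonal50", "kav", "nod32kui", "DrWebScheduler", "ccApp",
                     "Outpost Firewall", "Zone Labs Client", "BDMCon", "avast!", "AVG7_CC"}
KILLAV_SERVICES = {"kavsvc", "AVP", "McShield", "NOD32krn", "spidernt", "navapsvc",
                   "OutpostFirewall", "vsmon", "bdss", "avast! Antivirus", "PAVSRV", "Avg7UpdSvc"}
KILLAV_PROCESSES = {"nod32kui.exe", "nod32krn.exe", "avpcc.exe", "avpm.exe", "DRWEB32.EXE",
                    "bdss.exe", "mcagent.exe", "mcshell.exe"}

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"


def parse_reg_export(text):
    """Parse a Windows .reg export into {key_path: {value_name: raw_data}}.

    Assumes the simple layout regedit produces: a [KEY] header line followed by
    "name"=data lines. Key paths and value names are case-folded because the
    registry itself compares them case-insensitively."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).casefold()
            keys.setdefault(current, {})   # register the key even if it has no values
            continue
        value = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if value and current is not None:
            keys[current][value.group(1).casefold()] = value.group(2)
    return keys


def killav_findings(baseline_reg, current_reg, baseline_procs, current_procs):
    """Compare a known-good snapshot of the host with the current one and list the
    indicators from the write-up that existed in the baseline but are missing now."""
    before, after = parse_reg_export(baseline_reg), parse_reg_export(current_reg)
    run_before = before.get(RUN_KEY.casefold(), {})
    run_after = after.get(RUN_KEY.casefold(), {})
    procs_before = {p.casefold() for p in baseline_procs}
    procs_after = {p.casefold() for p in current_procs}

    def svc_key(name):
        return (SERVICES_ROOT + "\\" + name).casefold()

    return {
        "deleted_run_values": sorted(v for v in KILLAV_RUN_VALUES
                                     if v.casefold() in run_before and v.casefold() not in run_after),
        "deleted_service_keys": sorted(s for s in KILLAV_SERVICES
                                       if svc_key(s) in before and svc_key(s) not in after),
        "terminated_processes": sorted(p for p in KILLAV_PROCESSES
                                       if p.casefold() in procs_before and p.casefold() not in procs_after),
    }


# Constructed sample data: a host running Kaspersky Anti-Virus, before and after the Trojan ran.
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"KAVPersonal50"="\"C:\\Program Files\\Kaspersky Lab\\kav.exe\" /minimize"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kavsvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AVP]
"Start"=dword:00000002
"""

INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000002
"""

BASELINE_PROCS = ["explorer.exe", "svchost.exe", "avpcc.exe", "AVPM.EXE"]
INFECTED_PROCS = ["explorer.exe", "svchost.exe"]


if __name__ == "__main__":
    report = killav_findings(BASELINE_REG, INFECTED_REG, BASELINE_PROCS, INFECTED_PROCS)
    for kind, items in report.items():
        print(f"{kind}: {items or 'none'}")
```

Diffing against a baseline rather than against the full indicator list keeps the check meaningful on a host that only has one of the many products the Trojan targets installed: only artefacts that actually existed before can count as deleted. On a real machine the two exports would come from `reg export` of the Run key and the Services tree, and the process lists from `tasklist`.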


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  2. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).


Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.

