English

Log in

Search

The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service.

Internet threat level: 1

Watch us on

Home→Descriptions→Trojan.Win32.KillAV.ks

Trojan.Win32.KillAV.ks

Detected	Oct 07 2007 07:42 GMT
Released	Oct 07 2007 07:42 GMT
Published	Oct 26 2010 07:32 GMT

Technical Details
Payload
Removal instructions

Technical Details

This Trojan has a malicious payload. It is a BAT file. It is 2507 bytes in size.

Payload

When launching, the Trojan performs the following actions:

It force quits the following processes:

nod32kui.exe
nod32krn.exe
avpcc.exe
avpm.exe
DRWEB32.EXE
nmain.exe
bdmcon.exe
bdnagent.exe
bdoesrv.exe
bdss.exe
DrWebScd.exe
mcagent.exe
mcshell.exe
mcvsshld.exe
mcuimgr.exe
mcupdui.exe

From the system registry autorun key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

It deletes the following records:

KAVPersonal50
kav
McLogLch_exe
nod32kui
DrWebScheduler
SpIDerMail
SpIDerNT
ccApp
osCheck
Outpost Firewall
OutpostFeedBack
Zone Labs Client
SmcService
BDMCon
BDOESRV
BDNewsAgent
avast!
APVXDWIN
AVG7_CC
AVGCtrl

It deletes the following registry keys:

[HKLM\System\CurrentControlSet\Services\kavsvc]
[HKLM\System\CurrentControlSet\Services\AVP]
[HKLM\System\CurrentControlSet\Services\McLogManagerService]
[HKLM\System\CurrentControlSet\Services\mcmispupdmgr]
[HKLM\System\CurrentControlSet\Services\McNASvc]
[HKLM\System\CurrentControlSet\Services\McODS]
[HKLM\System\CurrentControlSet\Services\mcpromgr]
[HKLM\System\CurrentControlSet\Services\McRedirector]
[HKLM\System\CurrentControlSet\Services\McShield]
[HKLM\System\CurrentControlSet\Services\McSysmon]
[HKLM\System\CurrentControlSet\Services\mctskshd.exe]
[HKLM\System\CurrentControlSet\Services\mcusrmgr]
[HKLM\System\CurrentControlSet\Services\MpfService]
[HKLM\System\CurrentControlSet\Services\mfeavfk]
[HKLM\System\CurrentControlSet\Services\mfebopk]
[HKLM\System\CurrentControlSet\Services\mfesmfk]
[HKLM\System\CurrentControlSet\Services\MPFP]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\NOD32 Context Menu Shell Extension]
[HKLM\System\CurrentControlSet\Services\NOD32krn]
[HKLM\System\CurrentControlSet\Services\spidernt]
[HKLM\System\CurrentControlSet\Services\ccEvtMgr]
[HKLM\System\CurrentControlSet\Services\ccSetMgr]
[HKLM\System\CurrentControlSet\Services\navapsvc]
[HKLM\System\CurrentControlSet\Services\CLTNetCnService]
[HKLM\System\CurrentControlSet\Services\SymAppCore]
[HKLM\System\CurrentControlSet\Services\NPFMntor]
[HKLM\System\CurrentControlSet\Services\SNDSrvc]
[HKLM\System\CurrentControlSet\Services\SPBBCSvc]
[HKLM\System\CurrentControlSet\Services\OutpostFirewall]
[HKLM\System\CurrentControlSet\Services\vsmon]
[HKLM\System\CurrentControlSet\Services\SmcService]
[HKLM\System\CurrentControlSet\Services\bdss]
[HKLM\System\CurrentControlSet\Services\VSSERV]
[HKLM\System\CurrentControlSet\Services\XCOMM]
[HKLM\System\CurrentControlSet\Services\aswUpdSv]
[HKLM\System\CurrentControlSet\Services\avast! Antivirus]
[HKLM\System\CurrentControlSet\Services\PAVFIRES]
[HKLM\System\CurrentControlSet\Services\PAVFNSVR]
[HKLM\System\CurrentControlSet\Services\PavProt]
[HKLM\System\CurrentControlSet\Services\PavPrSrv]
[HKLM\System\CurrentControlSet\Services\PAVSRV]
[HKLM\System\CurrentControlSet\Services\PREVSRV]
[HKLM\System\CurrentControlSet\Services\PSIMSVC]
[HKLM\System\CurrentControlSet\Services\cpoint]
[HKLM\System\CurrentControlSet\Services\netflt]
[HKLM\System\CurrentControlSet\Services\PavProc]
[HKLM\System\CurrentControlSet\Services\Avg7Alrt]
[HKLM\System\CurrentControlSet\Services\Avg7UpdSvc]
[HKLM\SYSTEM\CurrentControlSet\Services\AntiVirService]
[HKLM\SYSTEM\CurrentControlSet\Services\avgntdw]

It then forces the user's computer to reboot.

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

Print

Share

Malicious programs

Trojans

Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.

Other versions

Trojan.Win32.KillAV.an

Trojan.Win32.KillAV.be

Trojan.Win32.KillAV.bf

Trojan.Win32.KillAV.bk

Trojan.Win32.KillAV.bl

Trojan.Win32.KillAV.br

Trojan.Win32.KillAV.bx

Trojan.Win32.KillAV.gcg

Trojan.Win32.KillAV.gj

Trojan.Win32.KillAV.hl

Trojan.Win32.KillAV.id

Trojan.Win32.KillAV.k

Trojan.Win32.KillAV.r

Trojan.Win32.KillAV.s

© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.

kaspersky.com

securelist.com