Trojan.Win32.KillAV.be

Detected Nov 05 2003 23:51 GMT
Released Nov 05 2003 23:51 GMT
Published Dec 26 2006 06:49 GMT

Technical Details

This Trojan is designed to disable antivirus programs and terminate a range of processes on the victim machine. It is a Windows PE EXE file. The file is 5,632 bytes in size.

Installation

This Trojan will be installed to the victim machine by another malicious program.


Payload

The Trojan terminates the following processes:

outpost.exe
VetTray.exe
AutoDown.exe
Rescue.exe
WRCTRL.EXE
WRADMIN.EXE
ICSUPPNT.EXE
ZONEALARM.EXE
IOMON98.EXE
GUARD.EXE
DOORS.EXE
PCCIOMON.EXE
AvkServ.exe
AckWin32.exe
notstart.exe
AVSYNMGR.EXE
WebScanX.exe
Mcshield.exe
VSHWIN32.EXE
VSECOMR.EXE
WEBSCANX.EXE
AVCONSOL.EXE
VSSTAT.EXE
ALOGSERV.EXE
SPHINX.EXE
LOCKDOWN2000.EXE
cleaner3.exe
cleaner.exe
tca.exe
MOOLIVE.EXE
WrCtrl.exe
WrAdmin.exe
WrCtrl.exe
ZATUTOR.EXE
MINILOG.EXE
VSMON.EXE
blackice.exe
blackd.exe
FRW.EXE
iamapp.exe
iamserv.exe
Anti-Trojan.exe
ANTS.EXE
IFACE.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
NAVAPW32.EXE
NAVW32.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
ZAUINST.EXE
NAVAPW32.EXE
FAST.EXE
GUARD.EXE
AUTOUPDATE.EXE
TC.EXE
NSCHED32.EXE
TCA.EXE
TCM.EXE
TDS-3.EXE
SS3EDIT.EXE
ATCON.EXE
ATUPDATER.EXE
ATWATCH.EXE
WGFE95.EXE
POPROXY.EXE
NPROTECT.EXE
VSSTAT.EXE
VSHWIN32.EXE
NDD32.EXE
MCAGENT.EXE
MCUPDATE.EXE
WATCHDOG.EXE
TAUMON.EXE
IAMAPP.EXE
IAMSERV.EXE
TFAK.EXE
SPYXX.EXE
ATCON.EXE
FRW.EXE
Smc.exe
NeoWatchTray.exe
NeoWatchLog.exe
NTXconfig.exe
NWService.exe
AutoTrace.exe
cpd.exe
AVXMONITOR9X.EXE
ISRV95.EXE
REALMON95.EXE
NAVAPW32.EXE
RTVSCN95.EXE
DEFWATCH.EXE
VPTRAY.EXE
TFAK.EXE
WEBTRAP.EXE
LUCOMSERVER.EXE
TRJSCAN.EXE
POP3TRAP.EXE
ALERTSVC.EXE
SS3EDIT.EXE
JEDI.EXE
MONITOR.EXE
MCAGENT.EXE
MCUPDATE.EXE
IFACE.EXE
NISUM.EXE
NISSERV
ACKWIN32.EXE
AVKSERV.EXE
NMAIN.EXE
F-PROT95.EXE
F-AGNT95.EXE
SPYXX.EXE
PERSFW.EXE
SWNETSUP.EXE
SymProxySvc.exe
SYNMGR.EXE
NavLu32.exe
Navw32.exe
AVXMONITOR9X.EXE
AVXMONITORNT.EXE
AVXQUAR.EXE
NORMIST.EXE
NVC95.EXE
Claw95cf.exe
Claw95.exe
Nupgrade.exe
AVGCC32.EXE
AVGCTRL.EXE
AVGSERV.EXE
ICSUPP95.EXE
ICLOADNT.EXE

The Trojan will also terminate and delete a service called "anem".
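
The process list above can be turned into a detection: several distinct security-product processes ending on one host within seconds of each other. The sketch below is an added example, not part of the original description. The watch list is a subset of the names above, and the event tuples, host names, paths, time window and threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Subset of the process names listed above; matching is case-insensitive.
WATCHED = {
    "outpost.exe", "zonealarm.exe", "vsmon.exe", "blackice.exe",
    "mcshield.exe", "vshwin32.exe", "navapw32.exe", "navw32.exe",
    "avp32.exe", "avpcc.exe", "avpm.exe", "avgcc32.exe", "vptray.exe",
}

# Constructed process-termination events: (timestamp, host, image path).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:02", "ws-01", r"C:\Program Files\ZA\ZONEALARM.EXE"),
    ("2024-01-01T10:00:02", "ws-01", r"C:\WINDOWS\notepad.exe"),
    ("2024-01-01T10:00:03", "ws-01", r"C:\Program Files\NAV\navapw32.exe"),
    ("2024-01-01T10:00:04", "ws-01", r"C:\AVP\AVPCC.EXE"),
    ("2024-01-01T10:01:00", "ws-02", r"C:\McAfee\Mcshield.exe"),
    ("2024-01-01T10:09:00", "ws-02", r"C:\McAfee\VSHWIN32.EXE"),
]

def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_bursts(events, window=timedelta(seconds=10), threshold=3):
    """Return (host, start, names) for each burst in which at least
    `threshold` distinct watched processes ended within `window`."""
    per_host = {}
    for ts, host, image in events:
        name = image_name(image)
        if name in WATCHED:
            per_host.setdefault(host, []).append((datetime.fromisoformat(ts), name))
    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        i = 0
        while i < len(hits):
            start, j, names = hits[i][0], i, set()
            while j < len(hits) and hits[j][0] - start <= window:
                names.add(hits[j][1])
                j += 1
            if len(names) >= threshold:
                alerts.append((host, start.isoformat(), sorted(names)))
                i = j  # continue after the reported burst
            else:
                i += 1
    return alerts
```

On the constructed events, only ws-01 is reported; the two isolated terminations on ws-02, eight minutes apart, stay below the threshold.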


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Aliases

Trojan.Win32.KillAV.be (Kaspersky Lab) is also known as:

  • Trojan: ProcKill-AS (McAfee)
  • Troj/ProcKil-AS (Sophos)
  • Trojan.AVKill.5632 (ClamAV)
  • Trj/Killav.I (Panda)
  • W32/Malware!151a (FPROT)
  • Trojan:Win32/Killav.BE (MS(OneCare))
  • Trojan.AVKill.5632 (DrWeb)
  • Win32/KillAV.BE trojan (Nod32)
  • Generic.Malware.P!Pk!g.98B3B260 (BitDef7)
  • Trojan.KillAV.AHA (VirusBuster)
  • Win32:Trojan-gen {Other} (AVAST)
  • Trojan.Win32.Snatch.147 (Ikarus)
  • Killav.F (AVG)
  • TR/KillAV.BE (AVIRA)
  • Trojan.KillAV (NAV)
  • W32/Killav.B (Norman)
  • ProcKill-AS (NAI)
  • Trojan.KillAV.be (Rising)
  • TROJ_PROCKILL.A (TrendMicro)