Trojan.Win32.KillAV.gcg

Technical Details
Payload
Removal instructions

Technical Details

A trojan program that carries out destructive actions on the user's computer. It is a Windows dynamic-link library (PE-DLL file). 9728 bytes. Written in C++.

Payload

The malicious library exports the "testall" function which leads to the following actions being carried out.

If the system launches the "avp.exe" process, the trojan tries to download the following modules from the address space for this process:

kavbase.kdl
webav.kdl
vlns.kdl
mark.kdl
klavemu.kdl
kjim.kdl

The trojan then cancels the automatic launch of the "avp" service, running the command:

sc config avp start= disabled

Then, using the "taskkill.exe" utility, the "avp.exe" process is completed:

taskkill.exe /f /t /im avp.exe

The trojan then runs a search of the system and carries out the following processes:

avp.exe
safeboxTray.exe
360Safebox.exe
360tray.exe
antiarp.exe
ekrn.exe
RsAgent.exe
mfeann.exe
egui.exe
RavMon.exe
RavMonD.exe
RavTask.exe
CCenter.exe
RavStub.exe
RsTray.exe
ScanFrm.exe
Rav.exe
AgentSvr.exe
CCenter.exe
QQDoctor.exe
McProxy.exe
mcshield.exe
rsnetsvr.exe
naPrdMgr.exe
MpfSrv.exe
MPSVC.exe
MPSVC1.exe
KISSvc.exe
KPfwSvc.exe
kmailmon.exe
KavStart.exe
engineserver.exe
KPFW32.exe
KVSrvXP.exe
ccSetMgr.exe
ccEvtMgr.exe
defwatch.exe
rtvscan.exe
ccapp.exe
vptray.exe
mcupdmgr.exe
mfevtps.exe
mcsysmon.exe
mcmscsvc.exe
mcnasvc.exe
mcagent.exe
vstskmgr.exe
FrameworkService.exe
mcshell.exe
mcinsupd.exe
bdagent.exe
livesrv.exe
vsserv.exe
xcommsvr.exe
ccSvcHst.exe
SHSTAT.exe
McTray.exe
udaterui.exe
KAVStart.exe
Uplive.exe
KWatch.exe
QQDoctorRtp.exe
DrUpdate.exe
rfwsrv.exe
RegGuide.exe
MPSVC2.exe
MPMon.exe
LiveUpdate360.exe
rssafety.exe
KABackReport.exe
KSWebShield.exe
360delays.exe
qutmserv.exe
kaccore.exe
360SoftMgrSvc.exe
360realpro.exe
DSMain.exe
360sd.exe
360rp.exe
ZhuDongFangYu.exe
360safe.exe

If it finds the following processes:

360rp.exe
ravmond.exe

the trojan stops and deletes the service:

360rp
rsravmon 

If it finds the process "ekrn.exe", it deletes the "ekrn" service by running the command:

cmd /c sc delete ekrn

If it finds the "avp.exe" process, it runs the command:

cmd /c sc config avp start= disabled
taskkill.exe /im avp.exe /f

It therefore cancels the automatic launch of the "avp" service and completes the process "avp.exe". The trojan then shuts down.

Removal instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

1. Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
2. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).

MD5: EF9425F0CBCBCD95B3400B46CB7B70E3
SHA1: F5EBAE2C4112DBA1106995D7679ECC71E3CA6985