|Detected||Apr 01 2010 09:38 GMT|
|Released||Apr 01 2010 17:43 GMT|
|Published||Sep 20 2011 13:25 GMT|
A trojan program that carries out destructive actions on the user's computer. It is a Windows dynamic-link library (PE-DLL file). 9728 bytes. Written in C++.
The malicious library exports the "testall" function which leads to the following actions being carried out.
If the system launches the "avp.exe" process, the trojan tries to download the following modules from the address space for this process:
kavbase.kdl webav.kdl vlns.kdl mark.kdl klavemu.kdl kjim.kdlThe trojan then cancels the automatic launch of the "avp" service, running the command:
sc config avp start= disabledThen, using the "taskkill.exe" utility, the "avp.exe" process is completed:
taskkill.exe /f /t /im avp.exeThe trojan then runs a search of the system and carries out the following processes:
avp.exe safeboxTray.exe 360Safebox.exe 360tray.exe antiarp.exe ekrn.exe RsAgent.exe mfeann.exe egui.exe RavMon.exe RavMonD.exe RavTask.exe CCenter.exe RavStub.exe RsTray.exe ScanFrm.exe Rav.exe AgentSvr.exe CCenter.exe QQDoctor.exe McProxy.exe mcshield.exe rsnetsvr.exe naPrdMgr.exe MpfSrv.exe MPSVC.exe MPSVC1.exe KISSvc.exe KPfwSvc.exe kmailmon.exe KavStart.exe engineserver.exe KPFW32.exe KVSrvXP.exe ccSetMgr.exe ccEvtMgr.exe defwatch.exe rtvscan.exe ccapp.exe vptray.exe mcupdmgr.exe mfevtps.exe mcsysmon.exe mcmscsvc.exe mcnasvc.exe mcagent.exe vstskmgr.exe FrameworkService.exe mcshell.exe mcinsupd.exe bdagent.exe livesrv.exe vsserv.exe xcommsvr.exe ccSvcHst.exe SHSTAT.exe McTray.exe udaterui.exe KAVStart.exe Uplive.exe KWatch.exe QQDoctorRtp.exe DrUpdate.exe rfwsrv.exe RegGuide.exe MPSVC2.exe MPMon.exe LiveUpdate360.exe rssafety.exe KABackReport.exe KSWebShield.exe 360delays.exe qutmserv.exe kaccore.exe 360SoftMgrSvc.exe 360realpro.exe DSMain.exe 360sd.exe 360rp.exe ZhuDongFangYu.exe 360safe.exeIf it finds the following processes:
360rp.exe ravmond.exethe trojan stops and deletes the service:
360rp rsravmonIf it finds the process "ekrn.exe", it deletes the "ekrn" service by running the command:
cmd /c sc delete ekrnIf it finds the "avp.exe" process, it runs the command:
cmd /c sc config avp start= disabled taskkill.exe /im avp.exe /fIt therefore cancels the automatic launch of the "avp" service and completes the process "avp.exe". The trojan then shuts down.
If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:
This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.
This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.