
Trojan.Win32.KillAV.gcg

Detected Apr 01 2010 09:38 GMT
Released Apr 01 2010 17:43 GMT
Published Sep 20 2011 13:25 GMT


Technical Details

A trojan program that carries out destructive actions on the user's computer. It is a Windows dynamic-link library (PE-DLL file). 9728 bytes. Written in C++.


Payload

The malicious library exports the "testall" function; calling it carries out the following actions.

If the "avp.exe" process is running on the system, the trojan tries to unload the following modules from that process's address space:

kavbase.kdl
webav.kdl
vlns.kdl
mark.kdl
klavemu.kdl
kjim.kdl
The trojan then cancels the automatic launch of the "avp" service by running the command:
sc config avp start= disabled
Then, using the "taskkill.exe" utility, it terminates the "avp.exe" process:
taskkill.exe /f /t /im avp.exe
The trojan then searches the system for the following running processes:
avp.exe
safeboxTray.exe
360Safebox.exe
360tray.exe
antiarp.exe
ekrn.exe
RsAgent.exe
mfeann.exe
egui.exe
RavMon.exe
RavMonD.exe
RavTask.exe
CCenter.exe
RavStub.exe
RsTray.exe
ScanFrm.exe
Rav.exe
AgentSvr.exe
CCenter.exe
QQDoctor.exe
McProxy.exe
mcshield.exe
rsnetsvr.exe
naPrdMgr.exe
MpfSrv.exe
MPSVC.exe
MPSVC1.exe
KISSvc.exe
KPfwSvc.exe
kmailmon.exe
KavStart.exe
engineserver.exe
KPFW32.exe
KVSrvXP.exe
ccSetMgr.exe
ccEvtMgr.exe
defwatch.exe
rtvscan.exe
ccapp.exe
vptray.exe
mcupdmgr.exe
mfevtps.exe
mcsysmon.exe
mcmscsvc.exe
mcnasvc.exe
mcagent.exe
vstskmgr.exe
FrameworkService.exe
mcshell.exe
mcinsupd.exe
bdagent.exe
livesrv.exe
vsserv.exe
xcommsvr.exe
ccSvcHst.exe
SHSTAT.exe
McTray.exe
udaterui.exe
KAVStart.exe
Uplive.exe
KWatch.exe
QQDoctorRtp.exe
DrUpdate.exe
rfwsrv.exe
RegGuide.exe
MPSVC2.exe
MPMon.exe
LiveUpdate360.exe
rssafety.exe
KABackReport.exe
KSWebShield.exe
360delays.exe
qutmserv.exe
kaccore.exe
360SoftMgrSvc.exe
360realpro.exe
DSMain.exe
360sd.exe
360rp.exe
ZhuDongFangYu.exe
360safe.exe
If it finds the following processes:
360rp.exe
ravmond.exe
it stops and deletes the corresponding services:
360rp
rsravmon
If it finds the process "ekrn.exe", it deletes the "ekrn" service by running the command:
cmd /c sc delete ekrn
If it finds the "avp.exe" process, it runs the command:
cmd /c sc config avp start= disabled
taskkill.exe /im avp.exe /f
This again cancels the automatic launch of the "avp" service and terminates the "avp.exe" process. The trojan then exits.
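The service-tampering commands listed above (sc config ... start= disabled, sc delete, taskkill /im) are easy to spot in process-creation telemetry. The following is an added detection example written for this description, not code from Kaspersky Lab or from the sample; the log format (a "cmd=" field carrying the full command line) and the sample lines are constructed assumptions.

```python
import re

# Services and processes named in the description above.
AV_SERVICES = {"avp", "ekrn", "360rp", "rsravmon"}
AV_PROCESSES = {"avp.exe", "ekrn.exe", "360rp.exe", "ravmond.exe"}

# Constructed sample process-creation log lines, not real telemetry; the
# "cmd=" field is assumed to hold the full command line of the new process.
SAMPLE_LOG = [
    "2010-04-01 09:40:01 parent=rundll32.exe cmd=sc config avp start= disabled",
    "2010-04-01 09:40:02 parent=rundll32.exe cmd=taskkill.exe /f /t /im avp.exe",
    "2010-04-01 09:40:03 parent=cmd.exe cmd=cmd /c sc delete ekrn",
    "2010-04-01 09:41:00 parent=explorer.exe cmd=sc query spooler",
    "2010-04-01 09:41:05 parent=explorer.exe cmd=taskkill /im notepad.exe",
]

SC_VERBS = {"delete": "service_deleted", "stop": "service_stopped"}


def classify(cmdline):
    """Label a command line that disables, deletes or kills a listed AV component, else None."""
    tokens = cmdline.lower().split()
    # The sample wraps some commands in "cmd /c"; look at the command actually run.
    if len(tokens) >= 2 and tokens[0] in ("cmd", "cmd.exe") and tokens[1] == "/c":
        tokens = tokens[2:]
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1]  # tolerate a full path to sc.exe / taskkill.exe
    if exe in ("sc", "sc.exe") and len(tokens) >= 3:
        verb, svc = tokens[1], tokens[2]
        if svc not in AV_SERVICES:
            return None
        if verb == "config" and re.search(r"\bstart=\s*disabled\b", " ".join(tokens[3:])):
            return "service_disabled:" + svc
        if verb in SC_VERBS:
            return SC_VERBS[verb] + ":" + svc
    if exe in ("taskkill", "taskkill.exe") and "/im" in tokens:
        idx = tokens.index("/im")
        if idx + 1 < len(tokens) and tokens[idx + 1] in AV_PROCESSES:
            return "process_killed:" + tokens[idx + 1]
    return None


def scan_log(lines):
    """Return (timestamp, label) for every log line whose command line matches."""
    hits = []
    for line in lines:
        m = re.match(r"(\S+ \S+) .*?cmd=(.*)$", line)
        if m and classify(m.group(2)):
            hits.append((m.group(1), classify(m.group(2))))
    return hits
```

Against the constructed sample, the three tampering commands are flagged and the two benign sc/taskkill invocations are not; the match is on the AV component name, so any sc or taskkill use on unrelated services passes through.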


Removal instructions

If your computer has not been protected with anti-virus software and has been infected with this malware, take the following steps to remove it:

  1. Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
  2. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).


MD5: EF9425F0CBCBCD95B3400B46CB7B70E3
SHA1: F5EBAE2C4112DBA1106995D7679ECC71E3CA6985


Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.

Aliases

Trojan.Win32.KillAV.gcg (Kaspersky Lab) is also known as:

  • Trojan: Generic.dx!tai (McAfee)
  • Trj/Lineage.LJU (Panda)
  • W32/Trojan4.FGJ (FPROT)
  • Trojan:Win32/Killav.EY (MS(OneCare))
  • Trojan.Onedev (DrWeb)
  • Trojan.Generic.3583221 (BitDef7)
  • Trojan.KillAV!bmwCfmVQXbU (VirusBuster)
  • Win32:Malware-gen (AVAST)
  • Trojan.Win32.KillAV (Ikarus)
  • Generic17.AOMV (AVG)
  • TR/Killav.gox (AVIRA)
  • Trojan Horse (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Trojan.Win32.Generic.11ED7570 (Rising)
  • TROJ_KILLAV.SMEC (TrendMicro)
  • Trojan.Win32.KillAV (Sunbelt)
  • Trojan.KillAV!bmwCfmVQXbU (VirusBusterBeta)