
Trojan:W32/KillWin.AR


First posted on 20 April 2010.
Source: SecurityHome

Aliases :

There are no other names known for Trojan:W32/KillWin.AR.

Explanation :

A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. It is usually user-initiated and does not replicate.

Additional Details

Trojan:W32/KillWin.AR is a trojan that disables certain features of the Operating System and copies itself to the startup folder. KillWin.AR outputs a message.

Execution

Once KillWin.AR has been executed, it will delete the first four boot entries on the system.

Here is an example of the boot entries:



KillWin.AR also deletes the following system file:

• %sysdir\Hal.dll

This file is required in order to successfully boot the operating system.



It then drops a copy of the executed file in the startup folder.

To execute its payload, the trojan creates a batch file at the following path:

• %temp%\bt[4 random numbers].bat

The batch file's attribute is set to hidden.
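The two file-system artifacts described above (the hidden bt####.bat dropped in %temp% and the removal of %sysdir\Hal.dll) can be matched against a file inventory. The script below is an added example for this description, not code from the original page; the FileRecord type, the directory paths and the sample inventory are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Name pattern of the dropped batch file: %temp%\bt[4 random numbers].bat
BATCH_NAME = re.compile(r"^bt\d{4}\.bat$", re.IGNORECASE)


@dataclass
class FileRecord:
    path: str      # full Windows-style path (constructed inventory entry)
    hidden: bool   # whether the hidden attribute is set


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _parent(path: str) -> str:
    p = path.replace("/", "\\")
    return p.rsplit("\\", 1)[0] if "\\" in p else ""


def find_killwin_indicators(files: Iterable[FileRecord], temp_dir: str, sys_dir: str) -> list[str]:
    """Return findings for the KillWin.AR artifacts present in an inventory.

    Checks the hidden bt####.bat in the temp directory and the absence of
    Hal.dll from the system directory. Boot entries are not examined here.
    """
    findings = []
    hal_present = False
    for f in files:
        name = _basename(f.path)
        parent = _parent(f.path).lower()
        if parent == temp_dir.lower() and BATCH_NAME.match(name):
            flag = "hidden" if f.hidden else "not hidden"
            findings.append(f"dropped batch file: {f.path} ({flag})")
        if parent == sys_dir.lower() and name.lower() == "hal.dll":
            hal_present = True
    if not hal_present:
        findings.append(f"missing system file: {sys_dir}\\Hal.dll (system will not boot)")
    return findings


# Constructed sample inventory (hypothetical paths, not real data)
SAMPLE = [
    FileRecord(r"C:\Windows\System32\kernel32.dll", False),
    FileRecord(r"C:\Users\u\AppData\Local\Temp\bt4821.bat", True),
    FileRecord(r"C:\Users\u\AppData\Local\Temp\notes.txt", False),
]

if __name__ == "__main__":
    for line in find_killwin_indicators(SAMPLE, r"C:\Users\u\AppData\Local\Temp", r"C:\Windows\System32"):
        print(line)
```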

Payload

As part of its payload, it displays the following message:



Finally, it shuts down the computer, setting the shutdown timeout to 1 second:



Last update 20 April 2010
