Home / malware Trojan.KillAV.PT
First posted on 21 November 2011.
Source: BitDefenderAliases :
Trojan.KillAV.PT is also known as Trojan.Win32.AntiAV.ayz, Trojan:Win32/Killav.BX.
Explanation :
The main executable contains three encrypted components. It's role is to drop and execute the following files:
- a Dynamic Link Library called killdll.dll into %windir%System32, which will be deleted after 15 seconds
- an executable into %windir% with the name [random value]_xeex.exe after the killdll.dll has finished its job
- a driver called pcidump.sys into %windir%system32drivers, which will be loaded into memory and deleted afterwards
After replication in %windir%system32scvhost.exe it will delete itself and quit.
1. The decrypted dll (killdll.dll) is the Antivirus-killer part. It gets loaded first and contains two encrypted drivers.
1.1. The first is used to disable the following services belonging to antivirus vendors:
avp.exe
DrUpdate.exe
QQDoctorRtp.exe
KWatch.exe
Uplive.exe
udaterui.exe
McTray.exe
SHSTAT.exe
ccSvcHst.exe
xcommsvr.exe
vsserv.exe
livesrv.exe
bdagent.exe
mcinsupd.exe
mcshell.exe
FrameworkService.exe
vstskmgr.exe
mcagent.exe
mcnasvc.exe
mcmscsvc.exe
mcsysmon.exe
mfevtps.exe
mcupdmgr.exe
vptray.exe
ccapp.exe
rtvscan.exe
defwatch.exe
ccEvtMgr.exe
ccSetMgr.exe
KVSrvXP.exe
KPFW32.exe
engineserver.exe
KavStart.exe
kmailmon.exe
KPfwSvc.exe
KISSvc.exe
MPSVC3.exe
MPSVC.exe
MpfSrv.exe
naPrdMgr.exe
rsnetsvr.exe
mcshield.exe
McProxy.exe
QQDoctor.exe
Rav.exe
ScanFrm.exe
RsTray.exe
RavStub.exe
CCenter.exe
RavTask.exe
RavMonD.exe
RavMon.exe
egui.exe
mfeann.exe
RsAgent.exe
ekrn.exe
antiarp.exe
360tray.exe
360Safebox.exe
safeboxTray.exe
To achieve this the program will replace the file AsyncMac.sys file (Microsoft Remote Access Serial Network Driver) found in %windir%system32drivers, a non-critical Microsoft Windows component with the aforementioned driver. After loading it into memory, the driver will terminate the services listed above. After this AsyncMac.sys will be unloaded and deleted.
Besides terminating these processes, the dynamic link library will also disable the system start feature of these services, so they will not be loaded at system startup.
1.2. The second driver is used to deactivate a commonly used proactive detection technique, by undoing modifications made in kernel memory by antivirus software. To drop the driver, it will replace the file aec.sys (Microsoft Acoustic Echo Canceller), a non-critical Microsoft Windows component, load the driver into memory and after it has finished it will unload the driver and delete the file.
2. The decrypted executable ([random value]_xeex.exe) is the downloader part:
Upon execution the process will verify what the name of the image file is. If it's userinit.exe, then it will follow the normal behaviour of userinit.exe (that is launching explorer.exe) so that the victim doesn't notice the changes. After this it will continue with it's normal execution :
It will send the MAC address, the operating system version and the current version of the file (specified probably by its creation date) to a website located at:
http://[removed]518js.com/30330/count.asp?mac=[mac address]&ver=[file version]&os=[os version].
It will download a list of about 30 files from http://[removed]518js.com/30330/newfz.txt. These files will be downloaded and executed. If the current version of the malware file is outdated the list will contain a newer version of the file too, the rest of the files belong to the OnlineGames family of password stealers.
The links inside the list are in form of:
http://[removed].d7n9.com/la/[removed].exe
http://[removed].d7n9.com/lm/[removed].exe
http://[removed].d7n9.com/cj/[removed].exe
It will register the parent executable image to start with system startup using the windows registry key HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun, with the following key name: RsTray.
3. The decrypted driver is the overwriter part:
Using low level functions it will overwrite userinit.exe (a core windows component), with the downloader part. Userinit.exe is loaded automatically at every system startup, so the downloader will be loaded at every system startup. Under normal circumstances, userinit.exe quits after launching explorer.exe, but in this case it will remain resident in memory. Besides this, the driver has process and file hiding properties, but these aren't used by the malware.Last update 21 November 2011