Win32.Worm.Killav.PDO
First posted on 21 November 2011.
Source: BitDefender
Aliases: Win32.Worm.Killav.PDO is also known as Trojan-Downloader.Win32.Geral.
Explanation:
Win32.Worm.KillAV.PDO reduces the security level of the computer: it terminates the processes belonging to security tools such as antivirus programs and firewalls, leaving the computer defenseless against other malware. It also deletes the executables of those security programs and ensures that they will not run even after a reinstallation.
Win32.Worm.KillAV.PDO is a DLL and performs its malicious actions only when it is loaded into explorer.exe or 360safe.exe.
Upon initialization it creates a driver in %WinDir%sysmtempcii.sys and registers it as a service. The driver creates a device called \\.\WCCCI, which is used for communication between the DLL and the dropped driver.
The DLL part of the malware searches for running antivirus processes and sends their path and process ID to the device created by the driver. If a process ID is received, the driver tries to unmap sections from ntdll.dll, which causes the antivirus program to crash when it next calls a function from that module. If a path to the executable of an antivirus is received, the executable is deleted.
The following processes are affected:
360rpt.exe, 360SafeBox.exe, 360Safe.exe,
360sd.exe, 360tray.exe, arpfw.exe,
AutoRun.exe, AvMonitor.exe, Frameworkservice.exe,
GuardField.exe, HijackThis.exe, IceSword.exe,
kav32.exe, kavstart.exe, KRegEx.exe,
krnl360svc.exe, KvSrvXp.exe, kvwsc.exe,
kwatch.exe, mmsk.exe, Navapsvc.exe,
Nod32kui.exe, RavMond.exe, Ravservice.exe,
RavTask.exe, Ravtray.exe, Regedit.exe,
rfwProxy.exe, rfwsrv.exe, RsAgent.exe,
RsMain.exe, safeboxTray.exe, ScanFrm.exe,
SuperKiller.exe, TrojDie.kxp,
TrojanDetector.exe, Trojanwall.exe, etc.
To ensure that security applications will not run even after a reinstallation, it searches for security applications under the SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options registry key and adds a Debugger value set to "ntsd -d" to each subkey corresponding to a security application. Since a normal user does not have a kernel-mode debugger installed, those applications will not run.
At certain intervals it checks whether the class name of the currently active window is AfxControlBar42s and, if so, sends a WM_CLOSE message to that window.
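The Image File Execution Options (IFEO) Debugger trick above leaves a durable artifact in the registry, so it can be audited offline. The script below is an added example, not part of the original description: it parses a text export of the IFEO key (as produced by reg export) and reports every subkey whose Debugger value is set, flagging those that name one of the security tools listed above or that redirect to ntsd, and prints the reg.exe commands that would remove each hijack. The .reg content it reads is a constructed sample, and the SECURITY_TOOLS set is a subset of the page's process list chosen for the demo.

```python
"""Audit an exported IFEO key for Debugger hijacks of security tools.

Added example, not from the original page. Input is a text export such as:
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
(reg export writes UTF-16; decode it before passing the text in).
"""
import re

IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
IFEO_SHORT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Subset of the process names the page lists as targets (lower-cased for matching).
SECURITY_TOOLS = {
    "360tray.exe", "360safe.exe", "360sd.exe", "avmonitor.exe", "hijackthis.exe",
    "icesword.exe", "kav32.exe", "ravmond.exe", "nod32kui.exe", "regedit.exe",
}

# Constructed sample export: two hijacked security tools, one legitimate
# Debugger redirection (an editor replacement), and one unrelated IFEO value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Program Files\\Notepad++\\notepad++.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMond.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000
"""


def parse_ifeo_export(text):
    """Return {image_name: debugger_string} for every IFEO subkey with a Debugger value."""
    result = {}
    current = None  # image name of the subkey we are currently inside, if any
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            # Only subkeys directly under the IFEO key carry per-image settings.
            if key.lower().startswith(IFEO_PREFIX.lower() + "\\"):
                current = key[len(IFEO_PREFIX) + 1:]
            continue
        m = re.match(r'"Debugger"="(.*)"$', line)
        if m and current is not None:
            # .reg files escape backslashes and quotes; undo that for the reported value.
            result[current] = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return result


def classify(debuggers):
    """Return [(image, debugger, reason)] for entries matching the page's technique."""
    findings = []
    for image, dbg in debuggers.items():
        reasons = []
        if image.lower() in SECURITY_TOOLS:
            reasons.append("target is a known security tool")
        first = dbg.strip().split()[0].lower() if dbg.strip() else ""
        if first == "ntsd" or first.endswith("ntsd.exe"):
            reasons.append("debugger is ntsd, which is absent on most machines, so the image never starts")
        if reasons:
            findings.append((image, dbg, "; ".join(reasons)))
    return findings


def remediation_commands(findings):
    """reg.exe commands that delete the Debugger value for each flagged image."""
    return ['reg delete "%s\\%s" /v Debugger /f' % (IFEO_SHORT, image) for image, _, _ in findings]


if __name__ == "__main__":
    found = classify(parse_ifeo_export(SAMPLE_REG))
    for image, dbg, why in found:
        print("SUSPICIOUS %s: Debugger=%r (%s)" % (image, dbg, why))
    for cmd in remediation_commands(found):
        print(cmd)
```

Legitimate Debugger redirections exist (the notepad.exe entry in the sample is one), so the script reports only entries that either target a known security tool or point at ntsd; review anything else it parses by hand before deleting it. Removing the value restores the ability to launch the tool, but the malware's DLL and driver must be removed first or the value will simply be re-created.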
This trojan is also a downloader. On a separate thread, it downloads a file from http://[removed]kd.com/s.txt into %WinDir%\Fonts\sysin.ini. This file contains the following encrypted URLs:
http://acd.bee.[removed]/d/e.exe
http://acd.bee.[removed]/d/1.exe
http://acd.bee.[removed]/d/3.exe
From these URLs it downloads three files and executes them. The files are saved in the %TEMP% directory with names beginning with "abb" followed by a random number. At the time of writing, these URLs were offline.
Last update: 21 November 2011