Saturday, 25 February 2012

Trojan:WinNT/KillAV.E


Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Jan 17, 2011

Aliases
  • Win-Trojan/Rootkit.6280.H (AhnLab)
  • Rootkit.Win32.Agent.bipu (Kaspersky)
  • Rootkit.Agent2!cpMP978OkXs (VirusBuster)
  • Rkit/Agent.bipu (Avira)
  • Trojan.KillProc.KP (BitDefender)
  • Trojan.NtRootKit.9781 (Dr.Web)
  • Win32/KillAV.NKC (ESET)
  • Rootkit.Win32.Agent (Ikarus)
  • RootKit.Win32.Undef.cuo (Rising AV)
  • Mal/Efic-A (Sophos)
  • Hacktool.Rootkit (Symantec)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.359.0
Released: Feb 24, 2012
Detection initially created:
Definition: 1.95.1515.0
Released: Dec 10, 2010


 

Summary

Trojan:WinNT/KillAV.E is a kernel mode rootkit, which is used to terminate processes related to antivirus and security software. It may also perform other functions, such as deleting files, overwriting registry entry data, and others.


 

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • Your antivirus program may not be working properly.


 

Technical Information (Analysis)

Installation
Trojan:WinNT/KillAV.E is typically dropped by other malware, such as PWS:Win32/OnLineGames.
Payload
Performs certain actions
Trojan:WinNT/KillAV.E is a rootkit that provides functionality used by other malware. It is capable of performing the following functions:
 
  • Restore System Service Dispatch Table (SSDT) hooks, that is, overwrite the hooks that security drivers install on SSDT entries with the original kernel addresses, so that those drivers no longer see or block the process, file and registry operations they were guarding
  • Terminate processes related to antivirus and security software
  • Delete files
  • Overwrite data for registry entries related to antivirus and security software
 
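The symptom listed above ("your antivirus program may not be working properly") and the last three payload items (terminated processes, deleted files, overwritten registry data for security software) leave traces that can be checked from an elevated prompt. The following PowerShell triage script is an added example and is not part of the Microsoft encyclopedia entry; it reports, for each security-related service, whether the service is running, whether its Start value in the registry has been set to disabled, and whether the binary named in its ImagePath still exists on disk. The service names in $Targets are assumptions (Windows Defender, Windows Firewall and Security Center on a modern Windows); replace them with the services of whatever product is installed on the host.

```powershell
# Added example (not code from the encyclopedia entry or from Microsoft).
# Triage the host for the effects this entry describes: stopped security services,
# Start values flipped to disabled, and missing service binaries.
# Run from an elevated prompt so every service key is readable.

# Assumed service names; adjust to the security product installed on the host.
# Get-Service enumerates Win32 services only, so list services here, not kernel drivers.
$Targets = @('WinDefend', 'WdNisSvc', 'MpsSvc', 'wscsvc')

function Resolve-ServiceBinary {
    # Turn a raw ImagePath value into an absolute path to the executable it names.
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    # Keep only the quoted path or the first token; drop svchost-style arguments.
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($p -match '^(\S+)') { $p = $Matches[1] }
    # Some entries use NT-style prefixes or a path relative to %SystemRoot%.
    if ($p -like '\SystemRoot\*') { $p = Join-Path $env:SystemRoot $p.Substring('\SystemRoot\'.Length) }
    elseif ($p -like '\??\*') { $p = $p.Substring(4) }
    elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$report = foreach ($name in $Targets) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $bin = if ($reg) { Resolve-ServiceBinary $reg.ImagePath } else { $null }

    [pscustomobject]@{
        Service       = $name
        Present       = [bool]$reg
        Status        = if ($svc) { $svc.Status } else { 'Missing' }
        # Start = 4 is SERVICE_DISABLED. A security service set to 4 without an
        # administrator doing it matches the registry overwrite described above.
        DisabledInReg = ($null -ne $reg) -and ($reg.Start -eq 4)
        Binary        = $bin
        # A service key whose binary is gone matches the file deletion described above.
        BinaryMissing = ($null -ne $bin) -and (-not (Test-Path -LiteralPath $bin))
    }
}

$report | Format-Table -AutoSize

$suspicious = $report | Where-Object {
    -not $_.Present -or $_.DisabledInReg -or $_.BinaryMissing -or $_.Status -ne 'Running'
}
if ($suspicious) {
    Write-Warning 'Security services in an unexpected state; do not trust on-box antivirus results until this is explained:'
    $suspicious | Format-Table -AutoSize
}
```

A clean result from this script does not rule the rootkit out: restored SSDT hooks are not visible from user mode, so a host that shows these symptoms should be scanned from outside the running system (offline scan or a known-good boot medium) with the current definitions listed above.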
Analysis by Zhitao Zhou
