Threat Encyclopedia

Win32/KillAV.NBN

Aliases: Trojan.Win32.Antavka.mu (Kaspersky), Trojan:Win32/Tropid!rts (Microsoft)
Type of infiltration: Trojan
Size: 14948 B
Affected platforms: Microsoft Windows
Signature database version: 4359 (20090822)

Short description

The trojan terminates various security-related applications. The file is run-time compressed using UPX.

Installation

When executed, the trojan copies itself into the following location:
  • %windir%\%filename%
A string with variable content is used instead of %filename%.

The following file is dropped into the %windir%\system32 folder:
  • dll.exe (4096 B)
Installs the following system drivers (path, name):
  • %windir%\system32\dll.exe, dedede

Other information

The following programs are terminated:
  • 360tray.exe
  • avp.exe
  • ccenter.exe
  • egui.exe
  • ekrn.exe
  • ravtask.exe
  • rawmond.exe
  • rstray.exe
  • safeboxtray.exe
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%variable%]
    "debugger" = "Svchost.exe"
The %variable% is one of the following strings:
  • 360safe.exe
  • 360safebox.exe
  • ast.exe
  • avp.exe
  • CCenter.exe
  • ekrn.exe
  • guard.exe
  • kasmain.exe
  • KAVPFW.exe
  • kpfw32.exe
  • kpfwsvc.exe
  • kvmonxp.exe
  • kvprescan.exe
  • kvsrvxp.exe
  • kwatch.exe
  • McShield.exe
  • Rav.exe
  • RavMon.exe
  • RavMonD.exe
  • RavStub.exe
  • RavTask.exe
  • rfwProxy.exe
  • rfwsrv.exe
  • rfwstub.exe
  • wmain.exe
The modified Registry entries will prevent specific files from being executed.
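
A "debugger" value under an Image File Execution Options subkey makes Windows start the named program instead of the image, which is how the entries above block the listed products. The following check is an added example, not part of the original entry or vendor tooling: it scans a .reg export of that key for such values and marks the image names from the list above. The function name and the sample export are constructed for illustration.

```python
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Image names listed in this entry, lower-cased for case-insensitive matching.
TARGETS = set("""360safe.exe 360safebox.exe ast.exe avp.exe ccenter.exe ekrn.exe
guard.exe kasmain.exe kavpfw.exe kpfw32.exe kpfwsvc.exe kvmonxp.exe kvprescan.exe
kvsrvxp.exe kwatch.exe mcshield.exe rav.exe ravmon.exe ravmond.exe ravstub.exe
ravtask.exe rfwproxy.exe rfwsrv.exe rfwstub.exe wmain.exe""".split())

def find_ifeo_debuggers(reg_text):
    """Return (image, debugger, listed_in_entry) for each IFEO subkey with a debugger value."""
    hits, image = [], None
    prefix = IFEO.lower() + "\\"
    for line in reg_text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:  # new key header: remember the image name if it is a direct IFEO subkey
            path = key.group(1)
            rest = path[len(prefix):] if path.lower().startswith(prefix) else ""
            image = rest if rest and "\\" not in rest else None
            continue
        val = re.fullmatch(r'"debugger"="(.*)"', line, re.IGNORECASE)
        if image and val:
            debugger = val.group(1).replace("\\\\", "\\")  # undo .reg escaping
            hits.append((image, debugger, image.lower() in TARGETS))
    return hits

# Constructed sample export (not taken from an infected host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"debugger"="Svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.EXE]
"Debugger"="Svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devtool.exe]
"Debugger"="C:\\Tools\\dbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
'''

if __name__ == "__main__":
    for image, debugger, listed in find_ifeo_debuggers(SAMPLE_EXPORT):
        print(("LISTED  " if listed else "review  ") + image + " -> " + debugger)
```

Exports written by regedit are UTF-16 encoded, so decode the file accordingly before passing its text to the function.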