
Malware Information


listertatuhack


Be careful all this is nasty and out there one mean Trojan.....

Trojan:Win32/Killav.DK

 

Aliases

Win32/TrojanDownloader.Agent.PJO

Trojan-Downloader.Win32.Agent.ckkv

Trj/Downloader.MDW

 

Technical Information (Analysis)

Trojan:Win32/Killav.DK is malware that may arrive as a DLL file that overwrites a legitimate system file. It drops and downloads other malware, and it prevents security products from functioning properly.

 

Installation

Trojan:Win32/Killav.DK is a malware component often bundled with other malware, such as Win32/Viking. It may arrive as a DLL file and is typically installed by other malware by overwriting 'appmgmts.dll' in the Windows system folder.

 

Drops additional malware

Once installed and executed, Trojan:Win32/Killav.DK drops and loads a driver detected as Trojan:WinNT/Killav.DK. The driver may be dropped with any of the following names:

 

<system folder>\drivers\klan.sys

<system folder>\drivers\wmisvc.sys

 

Prevents security products from functioning properly

Trojan:Win32/Killav.DK clears the system's service table in an effort to remove hooks put in place by security products, if they exist.

 

It also adds the following registry entry to certain keys to prevent security products from running:

 

Adds value: "Debugger"

With data: "ntsd -d"

In subkeys: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<security product process name>

 

 

 

Symptoms

System changes

The following system changes may indicate the presence of this malware:

The presence of the following files:

<system folder>\drivers\klan.sys

<system folder>\drivers\wmisvc.sys

The presence of the following registry modification:

Adds value: "Debugger"

With data: "ntsd -d"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<security product process name>

 

Downloads additional malware

Trojan:Win32/Killav.DK downloads files from one or more of the following domains:

 

dy2004.com

ipshougou.com

poloi999.cn

 

where '<security product process name>' may be any of the following:

 


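As an added example (not part of the original post or the write-up it quotes), the following Python sketch parses the text output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s` and lists every image subkey that carries a "Debugger" value, flagging those whose data matches the "ntsd -d" described above. The sample output, the `windbg.exe` path and the function name are constructed for illustration.

```python
import re

IFEO = "\\image file execution options\\"
# `reg query` value lines: 4-space indent, then name, type and data,
# each separated by 4 spaces.
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
PAGE_DATA = "ntsd -d"  # Debugger data given in the write-up above

# Constructed sample of `reg query ... /s` output (not from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp32.exe
    Debugger    REG_SZ    ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe
    Debugger    REG_SZ    NTSD -D

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    Debugger    REG_SZ    C:\Tools\dbg\windbg.exe -g

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe
    MitigationOptions    REG_BINARY    0000
"""

def find_ifeo_debuggers(reg_output):
    """Return (image, debugger_data, matches_page_data) per hijacked image."""
    findings, image = [], None
    for line in reg_output.splitlines():
        if line.upper().startswith("HKEY_"):
            # Subkey header: keep the image name only for direct IFEO children.
            _, sep, tail = line.lower().rpartition(IFEO)
            image = tail.strip() if sep and "\\" not in tail else None
            continue
        m = VALUE_RE.match(line)
        if image and m and m["name"].strip().lower() == "debugger":
            data = m["data"].strip()
            # Compare case-insensitively with whitespace collapsed.
            known = " ".join(data.lower().split()) == PAGE_DATA
            findings.append((image, data, known))
    return findings

if __name__ == "__main__":
    for image, data, known in find_ifeo_debuggers(SAMPLE):
        tag = "matches page indicator" if known else "review manually"
        print(f"{image}: Debugger={data!r} ({tag})")
```

A "Debugger" value that does not match is still reported, since a legitimate debugger is rarely attached to a security product's process name.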

Archived

This topic is now archived and is closed to further replies.
