Trojan:WinNT/KillAV.E


Trojan:WinNT/KillAV.E is a kernel-mode rootkit used to terminate processes related to antivirus and security software. It may also perform other functions, such as deleting files and overwriting registry entry data.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products will detect and remove this threat:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
Trojan:WinNT/KillAV.E is typically dropped by other malware, such as PWS:Win32/OnLineGames.
Payload
Performs certain actions
Trojan:WinNT/KillAV.E is a rootkit that provides functionality used by other malware. It is capable of performing the following functions:
 
  • Restore System Service Dispatch Table (SSDT) hooks
  • Terminate processes related to antivirus and security software
  • Delete files
  • Overwrite data for registry entries related to antivirus and security software
 
Analysis by Zhitao Zhou

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • Your antivirus program may not be working properly.

Prevention


Alert level: Severe
First detected by definition: 1.95.1515.0
Latest detected by definition: 1.179.1238.0 and higher
First detected on: Dec 10, 2010
This entry was first published on: Jan 17, 2011
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win-Trojan/Rootkit.6280.H (AhnLab)
  • Rootkit.Win32.Agent.bipu (Kaspersky)
  • Rootkit.Agent2!cpMP978OkXs (VirusBuster)
  • Rkit/Agent.bipu (Avira)
  • Trojan.KillProc.KP (BitDefender)
  • Trojan.NtRootKit.9781 (Dr.Web)
  • Win32/KillAV.NKC (ESET)
  • Rootkit.Win32.Agent (Ikarus)
  • RootKit.Win32.Undef.cuo (Rising AV)
  • Mal/Efic-A (Sophos)
  • Hacktool.Rootkit (Symantec)