Trojan:BAT/Killav.D is a detection for a batch script which attempts to terminate the Windows Defender process MSASCui.exe.
It has been observed being installed by variants of Trojan:Win32/FakeXPA, which also add a registry entry to ensure that the script is run upon system startup.
For example, one variant of Trojan:Win32/FakeXPA, going by the name of “Green Antivirus”, installs the file to %AllUsersAppData%\gav\wer.bat and creates the following registry entry:
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: <random digits> (e.g. "67569387646557683")
With data: %AllUsersAppData%\gav\wer.bat
Note - %AllUsersAppData% refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the %AllUsersAppData% directory is '\documents and settings\all users\application data\'.
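The following PowerShell check is an added example, not part of the original analysis: it audits the current user's Run key for the persistence entry described above. The helper name `Test-KillavRunEntry` is hypothetical, and flagging any digits-only value name that launches a batch file is an assumption that generalizes beyond the single "Green Antivirus" path reported here.

```powershell
# Added example (not from the original write-up): audit the current user's Run key.
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Hypothetical helper: scores one Run value against the traits described above.
function Test-KillavRunEntry {
    param([string]$Name, [string]$Data)

    # Drop quotes and expand real environment variables (REG_EXPAND_SZ data).
    $path = [Environment]::ExpandEnvironmentVariables($Data).Trim().Trim('"')

    $digitName   = $Name -match '^\d+$'              # value name is digits only
    $batchTarget = $path -match '\.(bat|cmd)$'       # data points at a batch script
    $knownPath   = $path -match '\\gav\\wer\.bat$'   # file path reported on this page

    [pscustomobject]@{
        Name       = $Name
        Data       = $Data
        KnownPath  = $knownPath
        # Assumption: a digits-only name plus a batch target merits manual review.
        Suspicious = $knownPath -or ($digitName -and $batchTarget)
        FileExists = [bool]$path -and
                     (Test-Path -LiteralPath $path -PathType Leaf -ErrorAction SilentlyContinue)
    }
}

$key = Get-Item -LiteralPath $RunKey -ErrorAction SilentlyContinue
$results = @()
if ($key) {
    $raw = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($name in $key.GetValueNames()) {
        # Read raw data so unexpanded %VAR% references stay visible in the report.
        $data = [string]$key.GetValue($name, '', $raw)
        $results += Test-KillavRunEntry -Name $name -Data $data
    }
}

# Show only entries that match; an empty table means nothing was flagged.
$results | Where-Object Suspicious | Format-Table -AutoSize -Wrap
```

Because the entry is written under HKCU, the check only covers the account it runs as and has to be repeated for each user profile on the machine.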
Analysis by David Wood
The following system changes may indicate the presence of this malware: