Encyclopedia entry
Updated: Apr 17, 2011 | Published: Jan 22, 2011
Aliases
- BackDoor.PcClient.2.BK (AVG)
- TR/Crypt.NSPM.Gen (Avira)
- Trojan.Packed.196 (Dr.Web)
- Backdoor.Win32.Drwolf.hmi (Rising AV)
- Sus/UnkPacker (Sophos)
- Packer.NSAnti.Gen (Symantec)
- Mal_Nsanti-X (Trend Micro)
Alert Level: Severe
Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated: Definition 1.141.1712.0, released Dec 12, 2012
Detection initially created: Definition 1.93.1582.0, released Nov 10, 2010
Summary
Trojan:Win32/Killav.KV is a trojan that terminates security processes, replaces the Windows beep driver with its own code, and installs other malware.
Symptoms
System changes
The following system changes may indicate the presence of this malware:
- Unexpected termination of a Rising Antivirus security process named "RsTray.exe"
- The presence of the following registry entry:
  In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
  Sets value: "krnlsrvc"
  To data: "mebuacenter"
Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptoms.
Technical Information (Analysis)
Trojan:Win32/Killav.KV is a trojan that terminates security processes, replaces the Windows beep driver with its own code, and installs other malware.
Installation
Trojan:Win32/Killav.KV may be dropped or installed by other malware. It also creates the following registry entry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
Sets value: "krnlsrvc"
To data: "mebuacenter"
Payload
Drops other malware
The trojan drops a file to %TEMP%\<random>_res.tmp, for example "129218_res.tmp".
The trojan copies the file to the Windows system folder as a randomly named file such as "R*m*t*C.dll", where each "*" is a random letter. The registry is modified to run the trojan at the next Windows start, as in the following example:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MebuaCent
Sets value: "ServiceDll"
To data: "<system folder>\remdtec.dll"
Terminates process
The trojan attempts to terminate the Rising antivirus security process named "RsTray.exe".
Replaces beep driver
Trojan:Win32/Killav.KV attempts to replace the original Windows beep driver file "beep.sys" with its own embedded driver. The trojan restarts the beep service to start the replaced driver. The fake driver is then used to restore System Service Descriptor Table (SSDT) hooks.
Analysis by Jingli Li
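The following host check is an added example and is not code from the Microsoft entry; it looks for the registry, file and driver artifacts described in the analysis above. The function name Test-KillavKV is an assumption, and the script expects to run from an elevated PowerShell prompt on the machine being examined.

```powershell
# Added example (not from the original entry): checks a Windows host for the
# Trojan:Win32/Killav.KV artifacts described in the analysis. Run elevated.
function Test-KillavKV {
    $findings = @()

    # Indicator 1: svchost group "krnlsrvc" listing the "mebuacenter" service.
    # Svchost group values are REG_MULTI_SZ, so PowerShell returns a string array.
    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $group = (Get-ItemProperty -Path $svchostKey -ErrorAction SilentlyContinue).krnlsrvc
    if ($group -and ($group -contains 'mebuacenter')) {
        $findings += "Svchost group 'krnlsrvc' references 'mebuacenter'"
    }

    # Indicator 2: the persistence service "MebuaCent" and its ServiceDll value.
    # The entry lists ServiceDll directly under the service key; a normal svchost
    # service keeps it under ...\Parameters, so both locations are read.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MebuaCent'
    if (Test-Path $svcKey) {
        $findings += "Service key MebuaCent exists"
        foreach ($k in @($svcKey, "$svcKey\Parameters")) {
            $dll = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { $findings += "ServiceDll under $k = $dll" }
        }
    }

    # Indicator 3: the dropped DLL "R*m*t*C.dll" (one random letter per "*") in the
    # system folder, e.g. the remdtec.dll named in the entry. "?" matches one char.
    $sys = [Environment]::SystemDirectory
    foreach ($f in (Get-ChildItem -Path $sys -Filter 'R?m?t?C.dll' -File -ErrorAction SilentlyContinue)) {
        $findings += "Suspicious DLL in system folder: $($f.FullName)"
    }

    # Indicator 4: beep.sys replaced by an unsigned driver. Catalog-signed system
    # files can report NotSigned on older Windows, so confirm against a known-good
    # copy or a file hash from clean media before acting on this alone.
    $beep = Join-Path $sys 'drivers\beep.sys'
    if (Test-Path $beep) {
        $sig = Get-AuthenticodeSignature -FilePath $beep
        if ($sig.Status -ne 'Valid') {
            $findings += "beep.sys signature status: $($sig.Status)"
        }
    }

    return $findings
}

$result = @(Test-KillavKV)
if ($result.Count -eq 0) { 'No Trojan:Win32/Killav.KV indicators found' } else { $result }
```

A hit on the registry or DLL checks is strong evidence; the beep.sys signature check is corroborating only, since the driver may legitimately be catalog-signed rather than embedded-signed.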
Prevention
Recovery
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products will detect and remove this threat: