Threat behavior
Trojan:WinNT/Killav.A is a trojan rootkit that deletes files from kernel mode.
Installation
- %windir%\system32\drivers\avgbkill.sys
Payload
Deletes files
Trojan:WinNT/Killav.A is installed on the computer as a device named "360SuperKill". Running as a kernel-mode driver, it deletes the following files; several belong to "GBPlugin", a Brazilian online-banking protection product, and the rest to Avast, AVG and Avira antivirus installations:
- %ProgramFiles%\Alwil Software\Avast4\VisthU\pd.exe
- %ProgramFiles%\AVG\AVG8\avgupd.exe
- %ProgramFiles%\Avira\AntiVir Desktop\avscan.exe
- %ProgramFiles%\Avira\AntiVir Desktop\avupgs\vc.exe
- %ProgramFiles%\GbPlugin\bb.gpc
- %ProgramFiles%\GbPlugin\cef.gpc
- %ProgramFiles%\GbPlugin\gbieh.dll
- %ProgramFiles%\GbPlugin\gbieh.gmd
- %ProgramFiles%\GbPlugin\gbiehcef.dll
- %ProgramFiles%\GbPlugin\gbiehuni.dll
- %ProgramFiles%\GbPlugin\gbpdist.dll
- %ProgramFiles%\GbPlugin\gbpkm.sys
- %ProgramFiles%\GbPlugin\uni.gpc
- %ProgramFiles%\Scpad\scpIBCfg.bin
- %ProgramFiles%\Scpad\scpLIB.dll
- %ProgramFiles%\Scpad\scpMIB.dll
- %ProgramFiles%\Scpad\scpsssh2.dll
- %ProgramFiles%\Scpad\sshib.dll
- %windir%\Downloaded Program Files\abn.gpc
- %windir%\Downloaded Program Files\erma.inf
- %windir%\Downloaded Program Files\gbieh.gmd
- %windir%\Downloaded Program Files\gbiehabn.dll
- %windir%\Downloaded Program Files\gbiehuni.dll
- %windir%\Downloaded Program Files\GbPluginABN.inf
- %windir%\Downloaded Program Files\GbPluginuni.inf
- %windir%\Downloaded Program Files\scpsssh2.inf
- %windir%\Downloaded Program Files\uni.gpc
- <system folder>\drivers\gbpkm.sys
- <system folder>\scpsssh2.dll
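As an added triage example (not part of the original entry, and not Microsoft's removal tooling), the following PowerShell script checks a host for the indicators listed above: the dropped driver on disk, any kernel driver service whose image path references it, and which of the targeted security-software files are missing. The function names, the output format, and the decision to check both Program Files roots on 64-bit Windows are this example's own assumptions.

```powershell
# Added triage example: check a host for the Trojan:WinNT/Killav.A indicators
# described on this page. Function names and output layout are assumptions of
# this example, not part of the original entry.

$Windir        = $env:windir
$DroppedDriver = Join-Path $Windir 'system32\drivers\avgbkill.sys'

# Targeted files relative to %ProgramFiles%. On 64-bit Windows these 32-bit
# products normally live under "Program Files (x86)", so both roots are checked.
$ProgramFilesRelative = @(
    'Alwil Software\Avast4\VisthU\pd.exe',
    'AVG\AVG8\avgupd.exe',
    'Avira\AntiVir Desktop\avscan.exe',
    'Avira\AntiVir Desktop\avupgs\vc.exe',
    'GbPlugin\bb.gpc', 'GbPlugin\cef.gpc', 'GbPlugin\gbieh.dll', 'GbPlugin\gbieh.gmd',
    'GbPlugin\gbiehcef.dll', 'GbPlugin\gbiehuni.dll', 'GbPlugin\gbpdist.dll',
    'GbPlugin\gbpkm.sys', 'GbPlugin\uni.gpc',
    'Scpad\scpIBCfg.bin', 'Scpad\scpLIB.dll', 'Scpad\scpMIB.dll',
    'Scpad\scpsssh2.dll', 'Scpad\sshib.dll'
)

# Targeted files relative to %windir% (the "<system folder>" entries resolve to system32).
$WindirRelative = @(
    'Downloaded Program Files\abn.gpc', 'Downloaded Program Files\erma.inf',
    'Downloaded Program Files\gbieh.gmd', 'Downloaded Program Files\gbiehabn.dll',
    'Downloaded Program Files\gbiehuni.dll', 'Downloaded Program Files\GbPluginABN.inf',
    'Downloaded Program Files\GbPluginuni.inf', 'Downloaded Program Files\scpsssh2.inf',
    'Downloaded Program Files\uni.gpc',
    'system32\drivers\gbpkm.sys', 'system32\scpsssh2.dll'
)

function Get-KillavIndicators {
    # Indicators of the trojan itself: the dropped driver file and any kernel
    # driver service registered to load it (visible even if the file is hidden).
    $hits = @()
    if (Test-Path -LiteralPath $DroppedDriver) {
        $hits += [pscustomobject]@{ Kind = 'DroppedDriver'; Detail = $DroppedDriver }
    }
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and $_.PathName -match 'avgbkill\.sys' } |
        ForEach-Object {
            $hits += [pscustomobject]@{
                Kind   = 'DriverService'
                Detail = "$($_.Name) state=$($_.State) start=$($_.StartMode) image=$($_.PathName)"
            }
        }
    $hits
}

function Get-TargetFileStatus {
    # Presence of each file the trojan tries to delete. A missing file only means
    # something if the product was installed; compare against a known-good host.
    $roots = @(${env:ProgramFiles}, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $paths = @(foreach ($root in $roots) {
        foreach ($rel in $ProgramFilesRelative) { Join-Path $root $rel }
    })
    $paths += @(foreach ($rel in $WindirRelative) { Join-Path $Windir $rel })
    foreach ($p in $paths) {
        [pscustomobject]@{ Path = $p; Present = (Test-Path -LiteralPath $p) }
    }
}

# Report trojan indicators, then the targeted files that are absent.
Get-KillavIndicators | Format-Table -AutoSize
Get-TargetFileStatus | Where-Object { -not $_.Present } | Format-Table -AutoSize
```

Run it from an elevated prompt. Because the trojan operates as a kernel-mode driver, file and service checks made from user mode on a live, infected system can be subverted; a clean result is only trustworthy when the disk is examined offline (for example from WinPE or with the volume mounted on a known-good machine). The device name "360SuperKill" given above can be confirmed manually on a live system with Sysinternals WinObj by looking for it under the \Device directory.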
Analysis by Tim Liu
Prevention