Threat behavior
Trojan:Win32/Killav.AF is a trojan that terminates a large number of security-related processes, including those for antivirus, monitoring, or debugging tools.
Installation
Upon execution, Trojan:Win32/Killav.AF creates a copy of itself as %windir%\winlogon.exe. Note that there is a legitimate Windows file also named winlogon.exe, which is located in the Windows system folder.
To enable its dropped copy to run every time Windows starts, it creates the following registry entry:
Adds value: "W1N32.DLL"
With data: "%windir%\winlogon.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Payload
Terminates Security Processes
Trojan:Win32/Killav.AF attempts to terminate a large number of security-related processes, including the following:
ACKWIN32.EXE
ANTI-TROJAN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVP.EXE
AVP32.EXE
AVPM.EXE
AVSYNMGR.EXE
AVXMONITOR9X.EXE
AVXMONITORNT.EXE
BLACKICE.EXE
CLEANER.EXE
CLEANER3.EXE
DEFALERT.EXE
DEFWATCH.EXE
F-PROT.EXE
F-PROT95.EXE
F-STOPW.EXE
FRW.EXE
GUARD.EXE
GUARDDOG.EXE
IAMAPP.EXE
IAMSERV.EXE
ICMON.EXE
LDNETMON.EXE
MONITOR.EXE
NAVAPSVC.EXE
NAVW32.EXE
NETUTILS.EXE
NPSCHECK.EXE
PCCNTMON.EXE
RESCUE.EXE
RULAUNCH.EXE
SCAN32.EXE
SYMPROXYSVC.EXE
SYMTRAY.EXE
VET32.EXE
VIR-HELP.EXE
VSMAIN.EXE
VSSTAT.EXE
WRADMIN.EXE
WRCTRL.EXE
ZONEALARM.EXE
_AVP32.EXE
Note that the list of processes that this trojan is designed to terminate is actually much longer than the above list. The above list has been edited for brevity.
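The following is an added host-triage example, not part of the original write-up, that turns the Installation and Payload indicators above into checks a responder can run over collected host data: the Run value "W1N32.DLL" pointing at %windir%\winlogon.exe, a winlogon.exe running from the Windows root rather than the system folder, and one process ending several of the listed security processes. The registry entries, process list and termination events are constructed sample records, not real telemetry; the threshold of three terminations and the benign "ExampleUpdater" entry are assumptions made for the example.

```python
"""Triage checks for the Trojan:Win32/Killav.AF indicators described above.

Added example. All input records below are constructed, not collected
from a real host; on a live system they would come from an autoruns or
registry export, a process listing with image paths, and process-
termination telemetry.
"""
import ntpath
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the write-up above.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "W1N32.DLL"
DROPPED_COPY = r"%windir%\winlogon.exe"
# The legitimate winlogon.exe lives in the Windows system folder.
LEGIT_WINLOGON_DIR = r"%windir%\system32"
# Subset of the termination list above (compared case-insensitively).
SECURITY_PROCESSES = {
    "AVP.EXE", "AVP32.EXE", "NAVW32.EXE", "NAVAPSVC.EXE", "ZONEALARM.EXE",
    "BLACKICE.EXE", "SCAN32.EXE", "F-PROT.EXE", "VSMAIN.EXE", "DEFWATCH.EXE",
}


@dataclass
class RunEntry:
    key: str
    name: str
    data: str


@dataclass
class Process:
    name: str
    path: str


@dataclass
class TerminationEvent:
    victim: str      # image name of the process that ended
    terminator: str  # full path of the process that ended it


def expand(path, windir):
    """Expand %windir% and normalise case for comparison."""
    return path.replace("%windir%", windir).lower()


def check_persistence(entries, windir):
    """Flag the Run value the trojan adds for its dropped copy."""
    return [f"Run value {e.name} -> {e.data}" for e in entries
            if e.key.lower() == RUN_KEY.lower()
            and e.name.upper() == RUN_VALUE
            and expand(e.data, windir) == expand(DROPPED_COPY, windir)]


def check_winlogon_path(processes, windir):
    """Flag any winlogon.exe whose image is outside the system folder."""
    legit_dir = expand(LEGIT_WINLOGON_DIR, windir)
    return [f"winlogon.exe running from {p.path}" for p in processes
            if p.name.lower() == "winlogon.exe"
            and ntpath.dirname(p.path.lower()) != legit_dir]


def check_terminations(events, threshold=3):
    """Flag a single process that ended several listed security tools.

    The threshold is an assumption for this example, not from the write-up.
    """
    by_terminator = defaultdict(list)
    for ev in events:
        if ev.victim.upper() in SECURITY_PROCESSES:
            by_terminator[ev.terminator.lower()].append(ev.victim.upper())
    return [f"{t} terminated {len(v)} security processes: {sorted(v)}"
            for t, v in by_terminator.items() if len(v) >= threshold]


def triage(entries, processes, events, windir=r"C:\Windows"):
    """Run all three checks and return the list of findings."""
    return (check_persistence(entries, windir)
            + check_winlogon_path(processes, windir)
            + check_terminations(events))


# Constructed sample host data (one benign entry plus the trojan's indicators).
SAMPLE_RUN = [
    RunEntry(RUN_KEY, "ExampleUpdater", r"C:\Program Files\Example\updater.exe"),
    RunEntry(RUN_KEY, "W1N32.DLL", r"%windir%\winlogon.exe"),
]
SAMPLE_PROCS = [
    Process("winlogon.exe", r"C:\Windows\system32\winlogon.exe"),
    Process("winlogon.exe", r"C:\Windows\winlogon.exe"),
]
SAMPLE_EVENTS = [
    TerminationEvent("AVP.EXE", r"C:\Windows\winlogon.exe"),
    TerminationEvent("NAVW32.EXE", r"C:\Windows\winlogon.exe"),
    TerminationEvent("ZONEALARM.EXE", r"C:\Windows\winlogon.exe"),
    TerminationEvent("notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_PROCS, SAMPLE_EVENTS):
        print("FINDING:", finding)
```

The path check is the one that matters most in practice: the process name alone is not an indicator, since a legitimate winlogon.exe is always running, so the comparison is on the directory the image was loaded from.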
Analysis by Patrik Vicol
Prevention