
Trojan:WinNT/Killav.G


First posted on 14 June 2012.
Source: Microsoft

Aliases:

Trojan:WinNT/Killav.G is also known as Rootkit.Win32.Agent.czrt (Kaspersky), W32/Rootkit.DWUY (Norman), Rootkit.Agent!wgGwnhhtYJU (VirusBuster), PSW.OnlineGames4.ISD (AVG), TR/Rootkit.Gen (Avira), Trojan.PWS.Wsgame.35104 (Dr.Web), Win32/PSW.OnLineGames.PZJ trojan (ESET), Rootkit.Win32.Agent (Ikarus), PWS-Mmorpg!b2x (McAfee), RootKit.Win32.KillAV.aq (Rising AV), Mal/Rootkit-AZ (Sophos), Trojan.Cryect (Symantec).

Explanation:



Trojan:WinNT/Killav.G is a malicious system driver that serves as a component of PWS:Win32/OnLineGames variants, such as PWS:Win32/OnLineGames.LH and PWS:Win32/OnLineGames.LY.



Installation

Trojan:WinNT/Killav.G is usually present on the computer under the file name "<system folder>\drivers\ahnurl.sys".

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

Trojan:WinNT/Killav.G is registered as a system service by creating the following registry entry:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\ahnurl
Sets value: "Type"
With data: "dword:00000001"
Sets value: "Start"
With data: "dword:00000002"
Sets value: "ErrorControl"
With data: "dword:00000001"
Sets value: "ImagePath"
With data: "<system folder>\drivers\ahnurl.sys"
Sets value: "DisplayName"
With data: "ahnurl"
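As an added example, not part of the Microsoft write-up, the following Python parses a listing in the advisory's own "In subkey / Sets value / With data" format and reports which Services subkeys match the installation profile above (the ahnurl service name, the ahnurl.sys driver path, and the Type=1/Start=2 combination that marks an auto-started kernel driver). The sample listing is constructed, with <system folder> filled in as C:\Windows\System32.

```python
import re

# Indicators exactly as the advisory states them for Trojan:WinNT/Killav.G.
SERVICE_NAME = "ahnurl"
IMAGE_SUFFIX = "\\drivers\\ahnurl.sys"

def parse_advisory_block(text):
    """Parse 'In subkey / Sets value / With data' lines (the advisory's own format)
    into {subkey: {value_name: data}}, decoding 'dword:XXXXXXXX' to int."""
    entries, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("In subkey:"):
            current = entries.setdefault(line.split(":", 1)[1].strip(), {})
        elif line.startswith("Sets value:"):
            pending = line.split(":", 1)[1].strip().strip('"')
        elif line.startswith("With data:") and current is not None and pending:
            data = line.split(":", 1)[1].strip().strip('"')
            dword = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data)
            current[pending] = int(dword.group(1), 16) if dword else data
            pending = None
    return entries

def killav_g_indicators(subkey, values):
    """Reasons a Services subkey matches the installation profile. Type 1 is
    SERVICE_KERNEL_DRIVER and Start 2 is SERVICE_AUTO_START: a driver the SCM loads at every boot."""
    reasons = []
    if subkey.rstrip("\\").rsplit("\\", 1)[-1].lower() == SERVICE_NAME:
        reasons.append("service key named " + SERVICE_NAME)
    if str(values.get("ImagePath", "")).lower().endswith(IMAGE_SUFFIX):
        reasons.append("ImagePath ends in " + IMAGE_SUFFIX)
    if reasons and values.get("Type") == 1 and values.get("Start") == 2:
        reasons.append("auto-start kernel driver (Type=1, Start=2)")
    return reasons

def scan(text):
    """Subkeys in a listing that match the profile, mapped to their reasons."""
    hits = {k: killav_g_indicators(k, v) for k, v in parse_advisory_block(text).items()}
    return {k: r for k, r in hits.items() if r}

# Constructed sample: the advisory's ahnurl entry with <system folder> filled in.
SAMPLE = """\
In subkey: HKLM\\SYSTEM\\CurrentControlSet\\Services\\ahnurl
Sets value: "Type"
With data: "dword:00000001"
Sets value: "Start"
With data: "dword:00000002"
Sets value: "ImagePath"
With data: "C:\\Windows\\System32\\drivers\\ahnurl.sys"
"""
```

Because the ImagePath check looks only at the trailing `\drivers\ahnurl.sys`, it matches whether the value was written with the full system folder, a relative `system32\...` path, or a `\??\` prefix.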



Payload

Lowers computer security

Trojan:WinNT/Killav.G can delete or terminate the following security-related processes and files:

  • alyac.aye
  • ashupd.exe
  • avastsvc.exe
  • avastui.exe
  • avp.exe
  • avsx.exe
  • ayagent.aye
  • ayagent.exe
  • ayrtsrv.aye
  • ayrtsrv.exe
  • ayservicent.aye
  • ayupdate.aye
  • ayupdsrv.aye
  • ayupdsrv.exe
  • mupdate2.exe
  • naveragent.exe
  • nsavsvc.exe
  • nsavsvc.npc
  • nsvmon.exe
  • nsvmon.npc
  • nvcagent.exe
  • nvcagent.npc
  • nvcupgrader.exe
  • nvcupgrader.npc
  • ole32.dll
  • systemroot
  • v3light.exe
  • v3lrun.exe
  • v3lsvc.exe
  • v3lsvc/exe
  • v3ltray.exe
  • v3medic.exe

Other information

As a part of its stealth routine, Trojan:WinNT/Killav.G may hook the following APIs:

  • NtMapViewOfSection
  • ZwEnumerateKey
  • ZwEnumerateValueKey
  • ZwMapViewOfSection
  • ZwQueryDirectoryFile




Analysis by Ric Robielos

Last update 14 June 2012
