Trojan:Win32/Killav.GO


First posted on 26 June 2012.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Killav.GO.

Explanation :

Trojan:Win32/Killav.GO is a malicious program that is unable to spread of its own accord. It may perform a number of actions of an attacker's choice on an affected computer.

Installation

When executed, Trojan:Win32/Killav.GO copies itself to %windir%\flashplayer12.exe. The malware modifies the following registry entry to ensure that its copy executes at each Windows start:

Adds value: "FlashPlayer12 Update"
With data: "c:\windows\flashplayer12.exe"
To subkey: HKCU\Software\Microsoft\windows\currentversion\run

The malware creates the following files on an affected computer:

  • %windir%\kbr9098798799.log
  • %windir%\twain.dll.exe - detected as Trojan:Win32/Killav.GO
  • c:\documents and settings\administrator\local settings\temp\7.tmp\basebat.bat
  • c:\documents and settings\administrator\local settings\temp\8.tmp\basebat.bat
  • c:\documents and settings\administrator\local settings\temp\9.tmp\basebat.bat
  • c:\documents and settings\administrator\local settings\temp\a.tmp\basebat.bat
  • c:\documents and settings\administrator\local settings\temp\b.tmp\basebat.bat
  • c:\documents and settings\administrator\local settings\temp\c.tmp\basebat.bat
  • c:\documents and settings\administrator\local settings\temp\d.tmp\basebat.bat
  • c:\documents and settings\administrator\local settings\temp\e.tmp\basebat.bat
  • c:\documents and settings\administrator\local settings\temp\f.tmp\basebat.bat

Payload

Modifies system security settings

Trojan:Win32/Killav.GO modifies the affected computer system's security settings by making the following changes to the registry:

    • The malware may attempt to disable Firewall notifications from the Windows Security Center by making the following registry modification:

      Adds value: "FirewallDisableNotify"
      With data: "1"
      To subkey: HKLM\SOFTWARE\Microsoft\Security Center
    • The malware may attempt to disable antivirus notifications from the Windows Security Center by making the following registry modification:

      Adds value: "AntiVirusDisableNotify"
      With data: "1"
      To subkey: HKLM\SOFTWARE\Microsoft\Security Center
    • The malware may attempt to stop the Windows Security Center from displaying automatic update alerts by making the following registry modification:

      Adds value: "UpdatesDisableNotify"
      With data: "1"
      To subkey: HKLM\SOFTWARE\Microsoft\Security Center

Modifies browser settings

The malware modifies web browser settings on the infected computer by making the following registry modification:

Adds value: "AutoConfigURL"
With data: ""
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Contacts remote host

The malware may contact a remote host at 50.97.3.104 using port 80. Commonly, malware may contact a remote host for the following purposes:
  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer
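As an added example (not part of the Microsoft description or of any vendor tool), the following Python triage script parses a regedit .reg export taken from a suspect host and reports which of the registry modifications listed above are present with the data given on this page. The sample export, the function names and the subset of the .reg format handled (string and dword values only) are assumptions of this example.

```python
import re
# Registry indicators quoted from the description above: (subkey, value name, expected data).
# Expected strings are lowercase because matching is case-insensitive.
REGISTRY_IOCS = [
    (r"HKCU\Software\Microsoft\windows\currentversion\run", "FlashPlayer12 Update",
     r"c:\windows\flashplayer12.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "FirewallDisableNotify", 1),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusDisableNotify", 1),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "UpdatesDisableNotify", 1),
    # Weak alone: an empty AutoConfigURL can also be an admin clearing a proxy script.
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings", "AutoConfigURL", ""),
]
HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}

def parse_reg_export(text):
    """Parse a regedit .reg export into {subkey_lower: {value_lower: data}} (strings and dwords only)."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = entries.setdefault((HIVES.get(hive, hive) + "\\" + rest).lower(), {})
        elif current is not None and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)):
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':   # REG_SZ: unescape \\ and \"
                current[name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return entries

def match_killav_registry(entries):
    """Return the indicators above that are present with exactly the expected data."""
    hits = []
    for subkey, name, expected in REGISTRY_IOCS:
        data = entries.get(subkey.lower(), {}).get(name.lower())
        if data is not None and (data.lower() if isinstance(data, str) else data) == expected:
            hits.append((subkey, name, data))
    return hits

# Constructed sample export reproducing the modifications listed on this page.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"FlashPlayer12 Update"="c:\\windows\\flashplayer12.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"=""
"""
```

Running match_killav_registry(parse_reg_export(SAMPLE_REG)) returns all five indicators; on a clean export where AutoConfigURL points at a real proxy script it returns none, so the weak indicator does not fire on its own.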

This malware description was produced and published using our automated analysis system's examination of file SHA1 45a2de9437987eb288fcee723b88e0a43d2bd0e3.

Last update 26 June 2012
