Home / malware Trojan:Win32/Killav.GO
First posted on 26 June 2012.
Source: MicrosoftAliases :
There are no other names known for Trojan:Win32/Killav.GO.
Explanation :
Trojan:Win32/Killav.GO is a malicious program that is unable to spread of its own accord. It may perform a number of actions of an attacker's choice on an affected computer. Installation When executed, Trojan:Win32/Killav.GO copies itself to %windir%\flashplayer12.exe. The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
Adds value: "FlashPlayer12 Update"
With data: "c:\windows\flashplayer12.exe"
To subkey: HKCU\Software\Microsoft\windows\currentversion\run The malware creates the following files on an affected computer:
Payload Modifies system security settings Trojan:Win32/Killav.GO modifies the affected computer system's security settings by making the following changes to the registry:
- %windir%\kbr9098798799.log
- %windir%\twain.dll.exe - detected as Trojan:Win32/Killav.GO
- c:\documents and settings\administrator\local settings\temp\7.tmp\basebat.bat
- c:\documents and settings\administrator\local settings\temp\8.tmp\basebat.bat
- c:\documents and settings\administrator\local settings\temp\9.tmp\basebat.bat
- c:\documents and settings\administrator\local settings\temp\a.tmp\basebat.bat
- c:\documents and settings\administrator\local settings\temp\b.tmp\basebat.bat
- c:\documents and settings\administrator\local settings\temp\c.tmp\basebat.bat
- c:\documents and settings\administrator\local settings\temp\d.tmp\basebat.bat
- c:\documents and settings\administrator\local settings\temp\e.tmp\basebat.bat
- c:\documents and settings\administrator\local settings\temp\f.tmp\basebat.bat
- The malware may attempt to disable Firewall notifications from the Windows Security Center by making the following registry modification:
Adds value: "FirewallDisableNotify"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Security Center
- The malware may attempt to disable antivirus notifications from the Windows Security Center by making the following registry modification:
Adds value: "AntiVirusDisableNotify"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Security CenterModifies browser settings The malware modifies web browser settings on the infected computer by making the following registry modification:
- The malware may attempt to stop the Windows Security Center from displaying automatic update alerts by making the following registry modification:
Adds value: "UpdatesDisableNotify"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Security Center
Adds value: "AutoConfigURL"
With data: ""
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Contacts remote hostThe malware may contact a remote host at 50.97.3.104 using port 80. Commonly, malware may contact a remote host for the following purposes:
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
This malware description was produced and published using our automated analysis system's examination of file SHA1 45a2de9437987eb288fcee723b88e0a43d2bd0e3.Last update 26 June 2012