KillWin.AR


First posted on 01 March 2007.
Source: SecurityHome

Aliases :

KillWin.AR is also known as TROJ_KILLWIN.AI, TR/Shutdown.G.1, Trojan.BAT.KillWin.ar, W32/Smalldrp.GDI.

Explanation :

KillWin.AR, a variant of KillWin, is a Trojan. KillWin.AR disables certain features of the Operating System and copies itself to the startup folder. KillWin.AR outputs a message.

Once KillWin.AR has been executed, it will delete the first four boot entries on the system.


Here is an example of the boot entries:




KillWin.AR also deletes the following system file:


This file is required in order to successfully boot the operating system.




After that, it drops a copy of the executed file in the startup folder.


As part of its payload it will show the following file message:




As a finale to its malicious act, it shuts down the computer, setting the shutdown timeout to 1 second:




KillWin.AR is able to do these things with the help of a batch file, which is created in the following path:


The file attribute is set to hidden.

Last update 01 March 2007

 
