Trojan.AVKill.8825

Technical Information

Malicious functions:

Executes the following:

<SYSTEM32>\tskill.exe /A tmp*
<SYSTEM32>\tskill.exe /A issvc
<SYSTEM32>\tskill.exe /A nisum*
<SYSTEM32>\tskill.exe /A tmn*
<SYSTEM32>\tskill.exe /A pop*
<SYSTEM32>\tskill.exe /A cpd*
<SYSTEM32>\tskill.exe /A pcc*
<SYSTEM32>\tskill.exe /A loge*
<SYSTEM32>\tskill.exe /A cc*
<SYSTEM32>\tskill.exe /A minilog
<SYSTEM32>\tskill.exe /A zlclien*
<SYSTEM32>\tskill.exe /A norton*
<SYSTEM32>\tskill.exe /A npfmn*
<SYSTEM32>\tskill.exe /A ccc*
<SYSTEM32>\tskill.exe /A norton au*
<SYSTEM32>\tskill.exe /A ad-*
<SYSTEM32>\tskill.exe /A scan*
<SYSTEM32>\tskill.exe /A sweep*
<SYSTEM32>\tskill.exe /A safe*
<SYSTEM32>\tskill.exe /A offg*
<SYSTEM32>\tskill.exe /A norm*
<SYSTEM32>\tskill.exe /A avas*
<SYSTEM32>\tskill.exe /A realm*
<SYSTEM32>\tskill.exe /A panda*
<SYSTEM32>\tskill.exe /A padmin
<SYSTEM32>\tskill.exe /A pav*
<SYSTEM32>\tskill.exe /A avsch*
<SYSTEM32>\tskill.exe /A virus*
<SYSTEM32>\tskill.exe /A syman*
<SYSTEM32>\tskill.exe /A sche*
<SYSTEM32>\tskill.exe /A upd*
<SYSTEM32>\tskill.exe /A F-*
<SYSTEM32>\tskill.exe /A nav*
<SYSTEM32>\tskill.exe /A nv*
<SYSTEM32>\tskill.exe /A ESAFE
<SYSTEM32>\tskill.exe /A def*
<SYSTEM32>\tskill.exe /A BLACKICE
<SYSTEM32>\tskill.exe /A cle
<SYSTEM32>\tskill.exe /A OUTPOST
<SYSTEM32>\tskill.exe /A bullguard
<SYSTEM32>\tskill.exe /A spy*
<SYSTEM32>\cmd.exe /c ""%TEMP%\1.tmp\imti.bat""
<SYSTEM32>\tskill.exe /A PersFw
<SYSTEM32>\tskill.exe /A SAFEWEB
<SYSTEM32>\tskill.exe /A ZONEALARM
<SYSTEM32>\tskill.exe /A KAV*
<SYSTEM32>\tskill.exe /A mghtml
<SYSTEM32>\tskill.exe /A mcafe*
<SYSTEM32>\tskill.exe /A msmp*
<SYSTEM32>\tskill.exe /A msiexec
<SYSTEM32>\tskill.exe /A zauinst
<SYSTEM32>\tskill.exe /A zap*
<SYSTEM32>\tskill.exe /A isafe
<SYSTEM32>\tskill.exe /A gcasDt*
<SYSTEM32>\tskill.exe /A ash*
<SYSTEM32>\tskill.exe /A avg*
<SYSTEM32>\tskill.exe /A kav
<SYSTEM32>\tskill.exe /A aswupdsv
<SYSTEM32>\tskill.exe /A guar*
<SYSTEM32>\tskill.exe /A guard*
<SYSTEM32>\tskill.exe /A ewid*

Terminates or attempts to terminate

the following user processes:

GUARD.EXE
ashAvSrv.exe
ashAvast.exe
ccapp.exe
zlclient.exe
zapro.exe
ash.exe
NAVAPW32.EXE
outpost.exe
ZONEALARM.EXE
AVGCTRL.EXE
AVGCC32.EXE
avgcc.exe

Modifies file system :

Creates the following files:

%TEMP%\1.tmp\imti.bat

Deletes the following files:

%WINDIR%\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\e07cde84973872e4ac1d73e0b5f90db6\ComSvcConfig.ni.exe
%WINDIR%\assembly\NativeImages_v2.0.50727_32\WsatConfig\7d2a3adbdcb675f872eb2dbf21f73596\WsatConfig.ni.exe
%WINDIR%\assembly\NativeImages_v4.0.30319_32\Microsoft.Workflow.#\933a58f14dc22accff6d49189db41e7c\Microsoft.Workflow.Compiler.ni.exe
%WINDIR%\assembly\NativeImages_v4.0.30319_32\dfsvc\332105a018674f583e57c47e643a742d\dfsvc.ni.exe
%WINDIR%\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\9469981a17c01dd154c540127e678b35\PresentationFontCache.ni.exe
%WINDIR%\assembly\NativeImages_v2.0.50727_32\MSBuild\87c84ffaaad81d8d106a9aa9d68b5926\MSBuild.ni.exe
%WINDIR%\assembly\NativeImages_v2.0.50727_32\SMSvcHost\b9c1a29e684bc02e49226ff1e9eec253\SMSvcHost.ni.exe
%WINDIR%\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\6781b87c8d3b55e6120b1e86bea6e040\ServiceModelReg.ni.exe
%WINDIR%\assembly\NativeImages_v4.0.30319_32\MSBuild\79d930fe34d55c44d00005a1227a434d\MSBuild.ni.exe
%WINDIR%\Installer\{FE2F6A2C-196E-4210-9C04-2B1BC21F07EF}\ARPPRODUCTICON.exe
%WINDIR%\Installer\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}\places.exe
%WINDIR%\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5\Microsoft.Workflow.Compiler.exe
%WINDIR%\Microsoft.NET\NETFXRepair.exe
%WINDIR%\assembly\NativeImages_v4.0.30319_32\WsatConfig\42a01df838a22abf7165b7375d622117\WsatConfig.ni.exe
%WINDIR%\assembly\NativeImages_v4.0.30319_32\SMSvcHost\49e65c90ae6199360d5ec36ff8ed04d5\SMSvcHost.ni.exe
%WINDIR%\inf\unregmp2.exe
%WINDIR%\Help\Tours\mmTour\tour.exe
%WINDIR%\sleep.exe
%WINDIR%\sfk.exe
%WINDIR%\twunk_16.exe
%WINDIR%\TASKMAN.EXE
%WINDIR%\hh.exe
%WINDIR%\explorer.exe
%WINDIR%\regedit.exe
%WINDIR%\NOTEPAD.EXE
%WINDIR%\twunk_32.exe
%WINDIR%\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe
%WINDIR%\$NtUninstallWIC$\spuninst\spuninst.exe
%WINDIR%\assembly\NativeImages_v2.0.50727_32\dfsvc\a2865dcec9c5d3cc9c55f026cbad6fcc\dfsvc.ni.exe
%WINDIR%\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\19b50dd470540911fc5cc65331a769e4\ComSvcConfig.ni.exe
%WINDIR%\winhlp32.exe
%WINDIR%\winhelp.exe
%WINDIR%\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe
%WINDIR%\$MSI31Uninstall_KB893803v2$\msiexec.exe

技术

术语

教育培训

误区

Technical Information

Curing recommendations

Free trial