Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Trojan.KillFiles.64694

Added to the Dr.Web virus database: 2019-10-18

Virus description added:

Technical Information

Malicious functions
Executes the following
  • '<SYSTEM32>\net.exe' stop lanmanserver / y
  • '<SYSTEM32>\taskkill.exe' /f /t /im rundllhost.exe
  • '<SYSTEM32>\taskkill.exe' /f /t /im dlllhost.exe
  • '<SYSTEM32>\taskkill.exe' /f /t /im KvMonXP.exe
  • '<SYSTEM32>\taskkill.exe' /f /t /im lsars.exe /im lsacs.exe
  • '<SYSTEM32>\taskkill.exe' /f /im dllhots.exe
  • '<SYSTEM32>\taskkill.exe' /f /im d11hots.exe
Terminates or attempts to terminate
the following system processes:
  • <SYSTEM32>\cmd.exe
Modifies file system
Creates the following files
  • %TEMP%\1.tmp\2.bat
  • <SYSTEM32>\dllcache\avifile.dll.new
  • <SYSTEM32>\dllcache\commdlg.dll.new
  • <SYSTEM32>\dllcache\keyboard.drv.new
  • <SYSTEM32>\dllcache\lzexpand.dll.new
  • <SYSTEM32>\dllcache\mciavi.drv.new
  • <SYSTEM32>\dllcache\mciseq.drv.new
  • <SYSTEM32>\dllcache\mciwave.drv.new
  • <SYSTEM32>\dllcache\mmsystem.dll.new
  • <SYSTEM32>\dllcache\mmtask.tsk.new
  • <SYSTEM32>\dllcache\mouse.drv.new
  • <SYSTEM32>\dllcache\msvideo.dll.new
  • <SYSTEM32>\dllcache\olecli.dll.new
  • <SYSTEM32>\dllcache\olesvr.dll.new
  • <SYSTEM32>\dllcache\shell.dll.new
  • <SYSTEM32>\dllcache\sound.drv.new
  • <SYSTEM32>\dllcache\stdole.tlb.new
  • <SYSTEM32>\dllcache\system.drv.new
  • <SYSTEM32>\dllcache\tapi.dll.new
  • <SYSTEM32>\dllcache\timer.drv.new
  • <SYSTEM32>\dllcache\ver.dll.new
  • <SYSTEM32>\dllcache\vga.drv.new
  • <SYSTEM32>\dllcache\avicap.dll.new
  • <SYSTEM32>\dllcache\wfwnet.drv.new
  • %WINDIR%\system\winspool.drv.new
  • %WINDIR%\system\vga.drv.new
  • %WINDIR%\system\avicap.dll.new
  • %WINDIR%\system\avifile.dll.new
  • %WINDIR%\system\commdlg.dll.new
  • %WINDIR%\system\keyboard.drv.new
  • %WINDIR%\system\lzexpand.dll.new
  • %WINDIR%\system\mciavi.drv.new
  • %WINDIR%\system\mciseq.drv.new
  • %WINDIR%\system\mciwave.drv.new
  • %WINDIR%\system\mmsystem.dll.new
  • %WINDIR%\system\mmtask.tsk.new
  • %WINDIR%\system\mouse.drv.new
  • %WINDIR%\system\msvideo.dll.new
  • %WINDIR%\system\olecli.dll.new
  • %WINDIR%\system\olesvr.dll.new
  • %WINDIR%\system\shell.dll.new
  • %WINDIR%\system\sound.drv.new
  • %WINDIR%\system\stdole.tlb.new
  • %WINDIR%\system\system.drv.new
  • %WINDIR%\system\tapi.dll.new
  • %WINDIR%\system\timer.drv.new
  • %WINDIR%\system\ver.dll.new
  • %WINDIR%\system\wfwnet.drv.new
  • <SYSTEM32>\dllcache\winspool.drv.new
Deletes the following files
  • %WINDIR%\system\avicap.dll
  • %WINDIR%\system\winspool.drv
  • %WINDIR%\system\wfwnet.drv
  • %WINDIR%\system\vga.drv
  • %WINDIR%\system\ver.dll
  • %WINDIR%\system\timer.drv
  • %WINDIR%\system\tapi.dll
  • %WINDIR%\system\system.drv
  • %WINDIR%\system\stdole.tlb
  • %WINDIR%\system\sound.drv
  • %WINDIR%\system\shell.dll
  • %WINDIR%\system\setup.inf
  • <DRIVERS>\etc\hosts
  • %WINDIR%\system\olesvr.dll
  • %WINDIR%\system\msvideo.dll
  • %WINDIR%\system\mouse.drv
  • %WINDIR%\system\mmtask.tsk
  • %WINDIR%\system\mmsystem.dll
  • %WINDIR%\system\mciwave.drv
  • %WINDIR%\system\mciseq.drv
  • %WINDIR%\system\mciavi.drv
  • %WINDIR%\system\lzexpand.dll
  • %WINDIR%\system\keyboard.drv
  • %WINDIR%\system\commdlg.dll
  • %WINDIR%\system\avifile.dll
  • %WINDIR%\system\olecli.dll
  • %TEMP%\1.tmp\2.bat
Substitutes the following files
  • <SYSTEM32>\dllcache\avicap.dll.new
  • <SYSTEM32>\dllcache\vga.drv.new
  • <SYSTEM32>\dllcache\ver.dll.new
  • <SYSTEM32>\dllcache\timer.drv.new
  • <SYSTEM32>\dllcache\tapi.dll.new
  • <SYSTEM32>\dllcache\system.drv.new
  • <SYSTEM32>\dllcache\stdole.tlb.new
  • <SYSTEM32>\dllcache\sound.drv.new
  • <SYSTEM32>\dllcache\shell.dll.new
  • <SYSTEM32>\dllcache\olesvr.dll.new
  • <SYSTEM32>\dllcache\olecli.dll.new
  • <SYSTEM32>\dllcache\msvideo.dll.new
  • <SYSTEM32>\dllcache\mouse.drv.new
  • <SYSTEM32>\dllcache\mmtask.tsk.new
  • <SYSTEM32>\dllcache\mmsystem.dll.new
  • <SYSTEM32>\dllcache\mciwave.drv.new
  • <SYSTEM32>\dllcache\mciseq.drv.new
  • <SYSTEM32>\dllcache\mciavi.drv.new
  • <SYSTEM32>\dllcache\lzexpand.dll.new
  • <SYSTEM32>\dllcache\keyboard.drv.new
  • <SYSTEM32>\dllcache\commdlg.dll.new
  • <SYSTEM32>\dllcache\avifile.dll.new
  • <SYSTEM32>\dllcache\wfwnet.drv.new
  • <SYSTEM32>\dllcache\winspool.drv.new
Substitutes the HOSTS file.
Miscellaneous
Searches for the following windows
  • ClassName: '' WindowName: ''
Executes the following
  • '<SYSTEM32>\cmd.exe' /c ""%TEMP%\1.tmp\2.bat" <Full path to file>"
  • '<SYSTEM32>\sc.exe' stop "Smart Card Report"
  • '<SYSTEM32>\sc.exe' delete "mssecsvc2.1"
  • '<SYSTEM32>\sc.exe' stop "mssecsvc2.1"
  • '<SYSTEM32>\sc.exe' delete "mssecsvc2.0"
  • '<SYSTEM32>\sc.exe' stop "mssecsvc2.0"
  • '<SYSTEM32>\sc.exe' delete Microsarver
  • '<SYSTEM32>\sc.exe' stop Microsarver
  • '<SYSTEM32>\sc.exe' stop MicrosotMaims
  • '<SYSTEM32>\sc.exe' delete MicrosotMaims
  • '<SYSTEM32>\sc.exe' delete MicrosotMais
  • '<SYSTEM32>\sc.exe' stop MicrosotMais
  • '<SYSTEM32>\sc.exe' delete ServicesMain
  • '<SYSTEM32>\sc.exe' stop ServicesMain
  • '<SYSTEM32>\sc.exe' stop Hostserver
  • '<SYSTEM32>\sc.exe' stop "jgumfoxl update"
  • '<SYSTEM32>\sc.exe' delete HostManger
  • '<SYSTEM32>\sc.exe' stop HostManger
  • '<SYSTEM32>\sc.exe' delete "clr_optimzation_v4.0.52738 _64"
  • '<SYSTEM32>\sc.exe' stop "clr_optimzation_v4.0.52738 _64"
  • '<SYSTEM32>\sc.exe' delete Famserver
  • '<SYSTEM32>\sc.exe' stop Famserver
  • '<SYSTEM32>\sc.exe' delete FormManger
  • '<SYSTEM32>\sc.exe' stop FormManger
  • '<SYSTEM32>\sc.exe' delete NetPipeAtcivator
  • '<SYSTEM32>\sc.exe' stop NetPipeAtcivator
  • '<SYSTEM32>\sc.exe' delete ServiceMaims
  • '<SYSTEM32>\sc.exe' stop ServiceMaims
  • '<SYSTEM32>\sc.exe' delete Hostserver
  • '<SYSTEM32>\cacls.exe' "C:\ProgramData\Microsoft\WmiApprsv\csrss.exe" /d everyone
  • '<SYSTEM32>\sc.exe' delete "jgumfoxl update"
  • '<SYSTEM32>\attrib.exe' +s +h +a +r <DRIVERS>\etc\hosts
  • '<SYSTEM32>\attrib.exe' -s -h -a -r <DRIVERS>\etc\hosts
  • '<SYSTEM32>\cacls.exe' <DRIVERS>\etc\hosts /g users:f
  • '<SYSTEM32>\netsh.exe' ipsec static set policy name=Aliyun assign=y
  • '<SYSTEM32>\netsh.exe' ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny
  • '<SYSTEM32>\netsh.exe' ipsec static add filteraction name=deny action=block
  • '<SYSTEM32>\netsh.exe' ipsec static add filteraction name=Allow action=permit
  • '<SYSTEM32>\netsh.exe' ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
  • '<SYSTEM32>\netsh.exe' ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
  • '<SYSTEM32>\netsh.exe' ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
  • '<SYSTEM32>\netsh.exe' ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
  • '<SYSTEM32>\netsh.exe' ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
  • '<SYSTEM32>\netsh.exe' ipsec static add filterlist name=denylist
  • '<SYSTEM32>\sc.exe' delete ServiceMais
  • '<SYSTEM32>\sc.exe' delete "Smart Card Report"
  • '<SYSTEM32>\wbem\wmic.exe' process where "name='lsass.exe' and ExecutablePath='C:\\Windows\\Fonts\\lsass.exe'" call Terminate
  • '<SYSTEM32>\wbem\wmic.exe' process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\Fonts\\conhost.exe'" call Terminate
  • '<SYSTEM32>\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\Fonts\\svchost.exe'" call Terminate
  • '<SYSTEM32>\wbem\wmic.exe' process where "name='csrss.exe' and ExecutablePath='C:\\Windows\\Fonts\\csrss.exe'" call Terminate
  • '<SYSTEM32>\cacls.exe' "%WINDIR%\Fonts\csrss.exe" /g everyone:f
  • '<SYSTEM32>\cacls.exe' "%WINDIR%\Fonts\svchost.exe" /g everyone:f
  • '<SYSTEM32>\cacls.exe' "%WINDIR%\Fonts\conhost.exe" /g everyone:f
  • '<SYSTEM32>\cacls.exe' "%WINDIR%\Fonts\dlllhost.exe" /g everyone:f
  • '<SYSTEM32>\cacls.exe' "%WINDIR%\Fonts\rundllhost.exe" /g everyone:f
  • '<SYSTEM32>\attrib.exe' -s -h -r %WINDIR%\Fonts\csrss.exe
  • '<SYSTEM32>\attrib.exe' -s -h -r %WINDIR%\Fonts\svchost.exe
  • '<SYSTEM32>\attrib.exe' -s -h -r %WINDIR%\Fonts\conhost.exe
  • '<SYSTEM32>\attrib.exe' -s -h -r %WINDIR%\Fonts\dlllhost.exe
  • '<SYSTEM32>\netsh.exe' ipsec static add policy name=Aliyun
  • '<SYSTEM32>\attrib.exe' -s -h -r %WINDIR%\Fonts\rundllhost.exe
  • '<SYSTEM32>\sc.exe' stop ServiceMais
  • '<SYSTEM32>\sc.exe' delete ServiceSais
  • '<SYSTEM32>\sc.exe' stop ServiceSais
  • '<SYSTEM32>\sc.exe' delete COMSysCts
  • '<SYSTEM32>\cmd.exe' /S /D /c" echo y"
  • '<SYSTEM32>\attrib.exe' +s +h +r %WINDIR%\svchost.exe
  • '<SYSTEM32>\sc.exe' delete clr_optimization_v4.0.30318_64
  • '<SYSTEM32>\sc.exe' stop clr_optimization_v4.0.30318_64
  • '<SYSTEM32>\sc.exe' delete RpcEpt
  • '<SYSTEM32>\sc.exe' stop RpcEpt
  • '<SYSTEM32>\sc.exe' delete lanmanserver
  • '<SYSTEM32>\sc.exe' config lanmanserver start= DISABLED
  • '<SYSTEM32>\net1.exe' stop lanmanserver / y
  • '<SYSTEM32>\sc.exe' delete "Windows TrustedInstaller"
  • '<SYSTEM32>\sc.exe' stop "Windows TrustedInstaller"
  • '<SYSTEM32>\sc.exe' delete clr_optimization_v4.0.33018_64
  • '<SYSTEM32>\cacls.exe' <DRIVERS>\etc\hosts /d everyone
  • '<SYSTEM32>\cacls.exe' "C:\ProgramData\clr_optimization_v4.0.30318_64\svchost.exe" /d everyone
  • '<SYSTEM32>\sc.exe' stop COMSysCts
  • '<SYSTEM32>\sc.exe' delete wmiApSrv
  • '<SYSTEM32>\sc.exe' stop wmiApSrv
  • '<SYSTEM32>\sc.exe' delete WmiAppSvr
  • '<SYSTEM32>\sc.exe' stop WmiAppSvr
  • '<SYSTEM32>\sc.exe' delete WmiAppSrv
  • '<SYSTEM32>\sc.exe' stop WmiAppSrv
  • '<SYSTEM32>\sc.exe' delete WmSrv
  • '<SYSTEM32>\sc.exe' stop WmSrv
  • '<SYSTEM32>\sc.exe' delete WinTcpAutoProxySvc
  • '<SYSTEM32>\sc.exe' stop WinTcpAutoProxySvc
  • '<SYSTEM32>\wbem\wmic.exe' process where "name='LDE.exe' and ExecutablePath='C:\\ProgramData\\WinTcpAutoProxySvc\\LDE.exe'" call Terminate
  • '<SYSTEM32>\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f.
  • '<SYSTEM32>\sc.exe' stop clr_optimization_v4.0.33018_64
  • '<SYSTEM32>\netsh.exe' ipsec static add filterlist name=Allowlist
  • '<SYSTEM32>\cacls.exe' "C:\ProgramData\Microsoft\clr_optimization_v4.0.30318_64\csrss.exe" /d everyone
  • '<SYSTEM32>\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\clr_optimization_v4.0.33018_64\\svchost.exe'" call Terminate
  • '<SYSTEM32>\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\svchost.exe'" call Terminate
  • '<SYSTEM32>\sc.exe' delete ServiceSaims
  • '<SYSTEM32>\sc.exe' stop ServiceSaims
  • '<SYSTEM32>\sc.exe' delete MicrosotSaims
  • '<SYSTEM32>\sc.exe' stop MicrosotSaims
  • '<SYSTEM32>\sc.exe' delete MicrosotSais
  • '<SYSTEM32>\sc.exe' stop MicrosotSais
  • '<SYSTEM32>\wbem\wmic.exe' process where "name='WmiApSrv.exe' and ExecutablePath='C:\\Windows\\sysnative\\svchost.exe'" call Terminate
  • '<SYSTEM32>\wbem\wmic.exe' process where "name='WmiApSrv.exe' and ExecutablePath='C:\\Windows\\system32\\wbem\\WmiApSrv.exe'" call Terminate
  • '<SYSTEM32>\wbem\wmic.exe' process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\WmiAppSvr\\csrss.exe'" call Terminate
  • '<SYSTEM32>\wbem\wmic.exe' process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\WmiAppSrv\\csrss.exe'" call Terminate
  • '<SYSTEM32>\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\programdata\\wmiapprsv\\svchost.exe'" call Terminate
  • '<SYSTEM32>\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\WmiAppSvr\\svchost.exe'" call Terminate
  • '<SYSTEM32>\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\programdata\\clr_optimization_v4.0.30318_64\\svchost.exe'" call Terminate
  • '<SYSTEM32>\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\programdata\\wmiappsrv\\svchost.exe'" call Terminate
  • '<SYSTEM32>\cacls.exe' %WINDIR%\svchost.exe /d everyone
  • '<SYSTEM32>\cacls.exe' "C:\ProgramData\Microsoft\WmiAppSvr\csrss.exe" /d everyone
  • '<SYSTEM32>\cacls.exe' "C:\ProgramData\Microsoft\WmiAppSrv\csrss.exe" /d everyone
  • '<SYSTEM32>\cacls.exe' "C:\ProgramData\WmiApprsv\svchost.exe" /d everyone
  • '<SYSTEM32>\cacls.exe' "C:\ProgramData\WmiAppSvr\svchost.exe" /d everyone
  • '<SYSTEM32>\cacls.exe' "C:\ProgramData\WmiAppSrv\svchost.exe" /d everyone
  • '<SYSTEM32>\cacls.exe' "%WINDIR%\tasksche.exe" /d everyone
  • '<SYSTEM32>\cacls.exe' "C:\ProgramData\WmiAppSrv\csrss.exe" /d everyone
  • '<SYSTEM32>\cacls.exe' "C:\ProgramData\clr_optimization_v4.0.33018_64\svchost.exe" /d everyone
  • '<SYSTEM32>\cacls.exe' "%WINDIR%\Temp\Networks\taskmgr.exe" /d everyone
  • '<SYSTEM32>\wbem\wmic.exe' process where "name='taskmgr.exe' and ExecutablePath='C:\\Windows\\Temp\\Networks\\taskmgr.exe'" call Terminate
  • '<SYSTEM32>\wbem\wmic.exe' process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\WmiAppSrv\\csrss.exe'" call Terminate
  • '<SYSTEM32>\wbem\wmic.exe' process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\clr_optimization_v4.0.30318_64\\csrss.exe'" call Terminate
  • '<SYSTEM32>\cacls.exe' "<SYSTEM32>\wbem\WmiApSrv.exe" /d everyone
  • '<SYSTEM32>\ipconfig.exe' /flushdns

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android