Trojan.Win32.KillAV.gdb
From Total Malware Info
Last edited: 14.8.2011
This trojan performs destructive actions on the user's computer. It is a Windows DLL (PE-DLL file), 9,728 bytes in size, written in C++.
MD5: 8E10BC3D3033A4FDC987F85C7FFA40FF
SHA1: 24DD370B3A6FF535A6A2468F9AA4AF801B62A053
Payload
The malicious DLL exports a function named "testall", which implements the functionality described below.
If the process "avp.exe" is found on the infected system, the trojan attempts to unload the following modules from the address space of that process:
kavbase.kdl webav.kdl vlns.kdl mark.kdl klavemu.kdl kjim.kdl
The trojan then disables automatic start of the "avp" service by running the command:
sc config avp start= disabled
The "avp.exe" process is then terminated with the system utility "taskkill.exe":
taskkill.exe /f/t/im avp.exe
Next, the trojan searches for and terminates the following processes:
avp.exe safeboxTray.exe 360Safebox.exe 360tray.exe antiarp.exe ekrn.exe RsAgent.exe mfeann.exe egui.exe RavMon.exe RavMonD.exe RavTask.exe CCenter.exe RavStub.exe RsTray.exe ScanFrm.exe Rav.exe AgentSvr.exe CCenter.exe QQDoctor.exe McProxy.exe mcshield.exe rsnetsvr.exe naPrdMgr.exe MpfSrv.exe MPSVC.exe MPSVC1.exe KISSvc.exe KPfwSvc.exe kmailmon.exe KavStart.exe engineserver.exe KPFW32.exe KVSrvXP.exe ccSetMgr.exe ccEvtMgr.exe defwatch.exe rtvscan.exe ccapp.exe vptray.exe mcupdmgr.exe mfevtps.exe mcsysmon.exe mcmscsvc.exe mcnasvc.exe mcagent.exe vstskmgr.exe FrameworkService.exe mcshell.exe mcinsupd.exe bdagent.exe livesrv.exe vsserv.exe xcommsvr.exe ccSvcHst.exe SHSTAT.exe McTray.exe udaterui.exe KAVStart.exe Uplive.exe KWatch.exe QQDoctorRtp.exe DrUpdate.exe rfwsrv.exe RegGuide.exe MPSVC2.exe MPMon.exe LiveUpdate360.exe rssafety.exe KABackReport.exe KSWebShield.exe 360delays.exe qutmserv.exe kaccore.exe 360SoftMgrSvc.exe 360realpro.exe DSMain.exe 360sd.exe 360rp.exe ZhuDongFangYu.exe 360safe.exe
If it finds the processes:
360rp.exe ravmond.exe
the trojan stops and deletes the services:
360rp rsravmon
If the process "ekrn.exe" is found, the trojan deletes the service "ekrn" with the following command:
cmd /c sc delete ekrn
If the process "avp.exe" is found, the trojan runs the commands:
cmd /c sc config avp start= disabled
taskkill.exe /im avp.exe /f
This again disables automatic start of the "avp" service and terminates the "avp.exe" process.
After this, the trojan terminates.
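The command lines quoted above ("sc config <service> start= disabled", "sc delete <service>", "taskkill ... /im <process>") are the observable trace this payload leaves in process-creation logging. The following is an added detection example, not code from the page or from any vendor: it flags such command lines when they target the service and process names listed in this description. The record format (a dict with "id" and "CommandLine") and the sample events are constructed for the example, and TARGET_PROCESSES holds only a subset of the page's process list.

```python
import re

# Service and process names taken from the page's payload description
# (TARGET_PROCESSES is a subset; extend it with the rest of the listed names).
TARGET_SERVICES = {"avp", "ekrn", "360rp", "rsravmon"}
TARGET_PROCESSES = {
    "avp.exe", "ekrn.exe", "360rp.exe", "ravmond.exe", "360tray.exe",
    "egui.exe", "mcshield.exe", "rtvscan.exe", "ccsvchst.exe", "zhudongfangyu.exe",
}

# Command shapes quoted in the description: "sc config <svc> start= disabled",
# "sc delete <svc>" and "taskkill.exe /f/t/im <proc>" (switches may be run together).
SC_CONFIG_DISABLE = re.compile(r"\bsc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*disabled", re.I)
SC_DELETE = re.compile(r"\bsc(?:\.exe)?\s+delete\s+(\S+)", re.I)
TASKKILL_IM = re.compile(r"\btaskkill(?:\.exe)?\b[^\n]*?/im\s*(\S+)", re.I)


def classify_command(cmdline):
    """Return a list of (technique, target) pairs found in one command line."""
    hits = []
    m = SC_CONFIG_DISABLE.search(cmdline)
    if m and m.group(1).lower() in TARGET_SERVICES:
        hits.append(("av_service_disabled", m.group(1).lower()))
    m = SC_DELETE.search(cmdline)
    if m and m.group(1).lower() in TARGET_SERVICES:
        hits.append(("av_service_deleted", m.group(1).lower()))
    for m in TASKKILL_IM.finditer(cmdline):
        if m.group(1).lower() in TARGET_PROCESSES:
            hits.append(("av_process_killed", m.group(1).lower()))
    return hits


def scan_events(events):
    """events: iterable of dicts with 'id' and 'CommandLine' (hypothetical format)."""
    alerts = []
    for ev in events:
        for technique, target in classify_command(ev.get("CommandLine", "")):
            alerts.append((ev["id"], technique, target))
    return alerts


# Constructed sample records, modelled on the commands quoted in the description.
SAMPLE_EVENTS = [
    {"id": 1, "CommandLine": "cmd /c sc config avp start= disabled"},
    {"id": 2, "CommandLine": "taskkill.exe /f/t/im avp.exe"},
    {"id": 3, "CommandLine": "cmd /c sc delete ekrn"},
    {"id": 4, "CommandLine": "sc query avp"},                # benign: no alert
    {"id": 5, "CommandLine": "taskkill /f /im notepad.exe"},  # not an AV process
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print("ALERT record=%d technique=%s target=%s" % alert)
```

Matching on the exact service and process names keeps the rule narrow; a broader rule that alerts on any "sc delete" or "taskkill /im" of a security product would catch variants at the cost of more tuning.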
Removal Instructions
If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:
1. Delete the original trojan file (its location on the infected computer will depend on how the program originally penetrated the victim machine).
2. Perform a full system scan with an antivirus with updated databases.