KillAV.C is a Trojan horse that disables antivirus and firewall applications. It is most likely used in conjunction with other threats such as a Backdoor Trojan.

Payload

When Trojan.KillAV.C runs, it performs the following actions.

Registers itself as a process. 

Copies itself to %windir%\memore.exe 

Sets the registry value "Memory Check" = memore.exe in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the Trojan runs whenever Windows starts up.

Opens a shell and issues the following commands:

  • NET STOP NAVAPSVC 
  • NET STOP AVPCC 
  • NET STOP PERSFW 

Looks to see if any of a large set of antivirus and/or firewall processes are running. If a process is found, the Trojan terminates the process.
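
The behaviours described above map onto simple host-log checks. The following Python code is an added example, not part of the original write-up: it flags the Run-key value, the three NET STOP commands and execution of memore.exe in a constructed event list. The event field names (type, key, value, data, image, command_line) are hypothetical and do not follow any real log schema.

```python
import re

# Indicators taken from the description above.
RUN_KEY = r"software\microsoft\windows\currentversion\run"
RUN_VALUE = "memory check"
DROPPED_FILE = "memore.exe"
STOPPED_SERVICES = {"navapsvc", "avpcc", "persfw"}
# "net stop <service>", tolerating net.exe/net1.exe, a full path and quotes.
NET_STOP = re.compile(r'(?:^|[\\\s"])net1?(?:\.exe)?"?\s+stop\s+"?([\w-]+)', re.I)

def normalise_key(path):
    # Lower-case and strip the hive so HKLM and HKEY_LOCAL_MACHINE compare equal.
    path = path.lower()
    for hive in ("hkey_local_machine\\", "hklm\\"):
        if path.startswith(hive):
            return path[len(hive):]
    return None  # not under HKLM

def classify(event):
    """Return the KillAV.C behaviours that one event matches."""
    hits = []
    if event["type"] == "registry_set":
        data_file = event["data"].lower().strip('"').split("\\")[-1]
        if normalise_key(event["key"]) == RUN_KEY and (
                event["value"].lower() == RUN_VALUE or data_file == DROPPED_FILE):
            hits.append("run-key persistence")
    elif event["type"] == "process_create":
        m = NET_STOP.search(event["command_line"])
        if m and m.group(1).lower() in STOPPED_SERVICES:
            hits.append("security service stopped: " + m.group(1).upper())
        # Matches on file name only; the page gives the location as %windir%.
        if event["image"].lower().split("\\")[-1] == DROPPED_FILE:
            hits.append("memore.exe executed")
    return hits

def scan(events):
    return [(i, hit) for i, e in enumerate(events) for hit in classify(e)]

# Constructed sample events (hypothetical field names, not real telemetry).
SAMPLE_EVENTS = [
    {"type": "registry_set", "value": "Memory Check", "data": "memore.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "process_create", "image": r"C:\WINDOWS\system32\net.exe",
     "command_line": "NET STOP NAVAPSVC"},
    {"type": "process_create", "image": r"C:\WINDOWS\memore.exe",
     "command_line": r"C:\WINDOWS\memore.exe"},
    {"type": "process_create", "image": r"C:\WINDOWS\system32\net.exe",
     "command_line": "net stop Spooler"},  # unrelated service: no alert
]
if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Stopping a security service or writing a new Run value is also done by legitimate installers, so the individual hits are best correlated per host before alerting.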