Anti-Virus Killer Trojan Created by Malware Makers!!!!

A new Retro Trojan has been created by malware makers (:SAD) - KernelMode Trojan.
A small Trojan program, designed for fighting against Antivirus, Firewall and Anti-malware utilities. The size of the executable file is about 5KB. If it is run, it silently performs the following actions:

  1. Creates the driver C:\WINDOWS\system32\unpr.sys, file size 2.5KB (This file is stored in the body of the Trojan)

  2. Registers the driver through the standard API, under the name of UNPR, after which it shuts down the computer.

The Trojan does not load the installed driver, which is why its loading will commence only after rebooting the computer. The driver implements tracking of the loading [of processes] without intercepting functions, with the help of the documented notification mechanism on loading PE files into memory (LoadImageNotifyRoutine). After receiving notice about the launching of a process, the driver compares the name of the process being launched to its database of names, which are stored in the driver (there are two databases in the driver: a database of EXE file names and a database of driver names).
If it finds a match, the driver opens the process and terminates it.

The Trojan blocks/terminates processes with the following names:
avp.exe avpm.exe avz.exe bdmcon.exe bdss.exe ccapp.exe ccevtmgr.exe cclaw.exe ccpxysvc.exe fsav32.exe fsbl.exe fsm32.exe gcasserv.exe iao.exe icmon.exe inetupd.exe issvc.exe kav.exe kavss.exe kavsvc.exe klswd.exe livesrv.exe mcshield.exe msssrv.exe nod32krn.exe nod32ra.exe pavfnsvr.exe rtvscan.exe savscan.exe zclient.exe

As you can see, an entry exists for avz.exe in the Trojan database, which leads to the blocking of its launch. To protect against this is simple: the process is identified by name, so to get around this and allow the file to execute, it is enough to rename the file, giving it a random name, such as 123.exe. For the deletion of the Trojan driver, it is possible to execute a script similar to the one below in AVZ:

begin
  // remove the UNPR driver service that the Trojan registered
  DeleteService('UNPR', true);
end. (:SAD)

It can’t install or start if you have CPF v3!!!

And that's the power of Prevention!!! We even rescue AVs from malware itself :slight_smile:
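A defender-side check for the persistence described above, written for this thread and not part of any post or of AVZ: it parses the text that `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` prints and flags a service named UNPR, or any service whose ImagePath points at unpr.sys even if the service was registered under another name. The sample output is constructed; the ImagePath and Start values shown for UNPR are assumptions, since the thread only gives the file path and the service name.

```python
import re

# Indicators from the thread: the dropped driver and the service name it is registered under.
DRIVER_FILE = "unpr.sys"
SERVICE_NAME = "UNPR"

# Constructed sample mimicking `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` output.
# The ImagePath and Start values for UNPR are assumed for illustration, not taken from the thread.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    system32\drivers\beep.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UNPR
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    \??\C:\WINDOWS\system32\unpr.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi
    Type    REG_DWORD    0x20
    Start    REG_DWORD    0x3
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs
"""

# A key header line names one service; value lines are indented "Name  Type  Data".
KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)$", re.I)
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_services(reg_output: str) -> dict:
    """Turn `reg query ... /s` text into {service_name: {value_name: data}}."""
    services, current = {}, None
    for line in reg_output.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            current = services.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(3).strip()
    return services

def find_unpr_indicators(reg_output: str) -> list:
    """Return (service, reason) pairs: service name UNPR, or an ImagePath ending in unpr.sys."""
    hits = []
    for name, values in parse_services(reg_output).items():
        image = values.get("ImagePath", "")
        if name.upper() == SERVICE_NAME:
            hits.append((name, "service name matches UNPR"))
        elif image.lower().endswith(DRIVER_FILE):
            hits.append((name, "ImagePath references unpr.sys"))
    return hits
```

Because the driver only runs after the reboot the Trojan forces, the registry entry is the first artifact visible; `find_unpr_indicators(SAMPLE_REG_QUERY)` returns the UNPR hit from the sample.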


IC that is good to know because I am using Comodo firewall version 3 myself. Congratulations on a job well done.

Won’t have any chance against Comodo Firewall Pro 3 (R)
Anyways, I would never open a .exe file that’s 5 kB, so I don’t have to worry about it :wink:


A more advanced technique is to open the process but patch the first bit of code so that it returns with the code of 0 (which means success) to the operating system, so the process is running, but does absolutely nothing.

Windows security monitor cannot tell that the antivirus program has been patched; it thinks the antivirus program is running (which it is).

Another method is to use a Sandbox to capture & imprison it.
A Sandbox is the use of a virtual container in which untrusted programs can be safely run.

Tch, not worried. Besides, the nod32 process isn't listed on there, and my ZA pro wud b like WTF mate allow or deny? id b like DENIED sucka :slight_smile: