
Trojan.Win32.KillAV.cn - KernelMode Trojan.

  1. #1
    MAPKOBKA^^ (External Specialist)

    Trojan.Win32.KillAV.cn - KernelMode Trojan.

    A small Trojan program, designed for fighting against Antivirus, Firewall and Anti-malware utilities. The size of the executable file is about 5KB. If it is run, it silently performs the following actions:

    1. Creates the driver C:\WINDOWS\system32\unpr.sys, file size 2.5KB (This file is stored in the body of the Trojan)

    2. Registers the driver through the standard API, under the name of UNPR, after which it shuts down the computer.

    The Trojan does not load the installed driver, which is why its loading will commence only after rebooting the computer. The driver implements tracking of the loading [of processes] without intercepting functions, with the help of the documented notification mechanism on loading PE files into memory (LoadImageNotifyRoutine). After receiving notice about the launching of a process, the driver compares the name of the process being launched to its database of names, which are stored in the driver (there are two databases in the driver: a database of EXE file names and a database of driver names).
    If it finds a match, the driver opens the process and terminates it.

    The Trojan blocks/terminates processes with the following names:
    avp.exe avpm.exe avz.exe bdmcon.exe bdss.exe ccapp.exe ccevtmgr.exe cclaw.exe ccpxysvc.exe fsav32.exe fsbl.exe fsm32.exe gcasserv.exe iao.exe icmon.exe inetupd.exe issvc.exe kav.exe kavss.exe kavsvc.exe klswd.exe livesrv.exe mcshield.exe msssrv.exe nod32krn.exe nod32ra.exe pavfnsvr.exe rtvscan.exe savscan.exe zclient.exe

    As you can see, an entry exists for avz.exe in the Trojan database, which leads to the blocking of its launch. To protect against this is simple: the process is identified by name, so to get around this and allow the file to execute, it is enough to rename the file, giving it a random name, such as 123.exe. For the deletion of the Trojan driver, it is possible to execute a script similar to the one below in AVZ:

    DeleteService('UNPR', true);

    <<Translation by MAPKOBKA^^ from original by Oleg Zaitsev located here: http://virusinfo.info/showthread.php?t=14734>>
    -Kaspersky Lab Certified Personal Security Professional
    -Kaspersky Lab Forum Moderator
    -Vinfo Virus FAQ Translator
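    The following PowerShell script is an added example, not part of the original post or of AVZ: it audits a host for the UNPR service registration and the unpr.sys file described above (the registry path and the Win32_SystemDriver query are assumptions about where those artefacts appear) and, with -Remove, performs the same unregister-and-delete step as the AVZ DeleteService line.

```powershell
# Added example, not from the original post: audit a Windows host for the UNPR driver
# service and unpr.sys file described above, and optionally remove them (-Remove).
# Run from an elevated PowerShell prompt; the process names are the post's kill list.
param([switch]$Remove)

$ServiceName = 'UNPR'
$ServiceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"   # assumed location
$DriverPath  = Join-Path $env:SystemRoot 'system32\unpr.sys'
$KillList    = @('avp.exe','avpm.exe','avz.exe','bdmcon.exe','bdss.exe','ccapp.exe',
    'ccevtmgr.exe','cclaw.exe','ccpxysvc.exe','fsav32.exe','fsbl.exe','fsm32.exe',
    'gcasserv.exe','iao.exe','icmon.exe','inetupd.exe','issvc.exe','kav.exe','kavss.exe',
    'kavsvc.exe','klswd.exe','livesrv.exe','mcshield.exe','msssrv.exe','nod32krn.exe',
    'nod32ra.exe','pavfnsvr.exe','rtvscan.exe','savscan.exe','zclient.exe')

$findings = @()

# The Trojan registers the driver under the service name UNPR.
if (Test-Path $ServiceKey) {
    $svc = Get-ItemProperty -Path $ServiceKey
    $findings += "Service key: $ServiceKey (Type=$($svc.Type) Start=$($svc.Start) ImagePath=$($svc.ImagePath))"
}

# The dropped driver is about 2.5 KB in system32.
if (Test-Path $DriverPath) {
    $findings += "Driver file: $DriverPath ($((Get-Item $DriverPath).Length) bytes)"
}

# The driver is only loaded after the forced reboot; check whether it is active now.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$ServiceName'"
if ($drv) { $findings += "Driver object: State=$($drv.State) Started=$($drv.Started)" }

# Informational: which kill-listed security processes are running right now.
$running = Get-Process | ForEach-Object { "$($_.ProcessName).exe".ToLower() }
$present = @($KillList | Where-Object { $running -contains $_ })

if ($findings.Count -eq 0) {
    Write-Output "No UNPR artefacts found."
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
Write-Output ("Kill-listed processes currently running: " + $(if ($present) { $present -join ', ' } else { 'none' }))

if ($Remove -and $findings.Count -gt 0) {
    # Equivalent of the AVZ DeleteService('UNPR', true) step: unregister, then delete the file.
    sc.exe delete $ServiceName | Out-Null
    if (Test-Path $DriverPath) { Remove-Item -LiteralPath $DriverPath -Force }
    Write-Output "Removal requested; reboot and re-run this script to confirm the driver is gone."
}
```

If the driver is already loaded, the file deletion may fail until the reboot; the service deletion still takes effect, so the driver is not loaded again.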

  2. #2
    Ultima Weapon (Full Member)
    Quote: Originally posted by MAPKOBKA^^
    A small Trojan program, designed for fighting against Antivirus, Firewall and Anti-malware utilities. The size of the executable file is about 5KB. If it is run, it silently performs the following actions:

    1. Creates the driver C:\WINDOWS\system32\unpr.sys, file size 2.5KB (This file is stored in the body of the Trojan)

    2. Registers the driver through the standard API, under the name of UNPR, after which it shuts down the computer.

    The Trojan does not load the installed driver, which is why its loading will commence only after rebooting the computer. The driver implements tracking of the loading [of processes] without intercepting functions, with the help of the documented notification mechanism on loading PE files into memory (LoadImageNotifyRoutine). After receiving notice about the launching of a process, the driver compares the name of the process being launched to its database of names, which are stored in the driver (there are two databases in the driver: a database of EXE file names and a database of driver names).
    If it finds a match, the driver opens the process and terminates it.

    The Trojan blocks/terminates processes with the following names:
    avp.exe avpm.exe avz.exe bdmcon.exe bdss.exe ccapp.exe ccevtmgr.exe cclaw.exe ccpxysvc.exe fsav32.exe fsbl.exe fsm32.exe gcasserv.exe iao.exe icmon.exe inetupd.exe issvc.exe kav.exe kavss.exe kavsvc.exe klswd.exe livesrv.exe mcshield.exe msssrv.exe nod32krn.exe nod32ra.exe pavfnsvr.exe rtvscan.exe savscan.exe zclient.exe

    As you can see, an entry exists for avz.exe in the Trojan database, which leads to the blocking of its launch. To protect against this is simple: the process is identified by name, so to get around this and allow the file to execute, it is enough to rename the file, giving it a random name, such as 123.exe. For the deletion of the Trojan driver, it is possible to execute a script similar to the one below in AVZ:

    DeleteService('UNPR', true);

    <<Translation by MAPKOBKA^^ from original by Oleg Zaitsev located here: http://virusinfo.info/showthread.php?t=14734>>

    IC, So a Retro Trojan has now been created. I Thought only retro virus or Antivirus killer virus exist.
    Realtime: Kaspersky Internet Security & A-squared Anti-Malware (default Windows); On Demand Scanner: Avira Premium & Nod32, Panda & AVG antispyware & Bitdefender 2008 (another Windows); Firewall: Online Armor; System Recovery: Returnil
