
Virus-Kill

Updated: February 13, 2007 11:51:54 AM
Type: Misleading Application
Risk Impact: Low
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Virus-Kill is executed, it performs the following actions:
  1. Creates the following files:
    • %ProgramFiles%\Virus-kill\VrkillDmn.exe
    • %ProgramFiles%\Virus-kill\VrkillUpdate.exe
    • %ProgramFiles%\Virus-kill\Vrkill.dll
    • %ProgramFiles%\Virus-kill\VrkillD.dat
    • %ProgramFiles%\Virus-kill\VrkillP.dat
    • %ProgramFiles%\Virus-kill\VrkillPop.exe
    • %ProgramFiles%\Virus-kill\VrkillStart.exe
    • %UserProfile%\Start Menu\Programs\Startup\[RANDOM]\[Random].lnk

    Notes:
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
    • %ProgramFiles% is a variable that refers to the Program Files folder. By default, this is C:\Program Files.

  2. Adds the value:

    "VRKill" = "%ProgramFiles%\Virus-kill\VrkillDmn.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it runs every time Windows starts.

  3. Adds the values:

    "code1" = "[RANDOM]"
    "code2" = "[RANDOM]"
    "controllerVersion" = "[RANDOM]"
    "updaterVersion" = "[RANDOM]"
    "updateurl" = "[RANDOM]"
    "Version" = "[RANDOM]"


    to the registry subkey:

    HKEY_CURRENT_USER\Software\Virus-kill

    where [RANDOM] is data retrieved by querying pages on virus.kill.co.kr and update.virus.kill.co.kr.

  4. Adds the values:

    "DisplayName" = "[RANDOM]"
    "DisplayVersion" = "[RANDOM]"
    "HelpLink" = "[RANDOM]"
    "Publisher" = "[RANDOM]"
    "UninstallString" = "[RANDOM]"


    to the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Virus-kill

  5. Displays pop-up windows reporting that threats are detected and asks for money to fix them.

  6. Runs a daemon on startup, VrkillUpdate.exe, that continuously downloads and overwrites VrkillDmn.exe. Because the daemon keeps a write handle open on that file, it is difficult to delete the file manually while the daemon is running.
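The following script is an added example, not part of the Symantec writeup or any Symantec tool: it audits a host for the artifacts listed above and, with -Remove, cleans them up, stopping the updater daemon first so the locked VrkillDmn.exe can actually be deleted. File names, registry keys and the "VRKill" value come from the writeup; because the startup shortcut's folder and name are random, the script resolves each .lnk target under the Startup folder instead of guessing names.

```powershell
# Added example (not from the writeup): audit for Virus-Kill artifacts; -Remove cleans up.
# Run from an elevated PowerShell prompt.
param([switch]$Remove)

$dir     = Join-Path $env:ProgramFiles 'Virus-kill'
$names   = 'VrkillDmn.exe','VrkillUpdate.exe','Vrkill.dll','VrkillD.dat',
           'VrkillP.dat','VrkillPop.exe','VrkillStart.exe'
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$keys    = 'HKCU:\Software\Virus-kill',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Virus-kill'
$startup = Join-Path $env:USERPROFILE 'Start Menu\Programs\Startup'
$found   = @()

# Persistence: the "VRKill" value under the HKLM Run key.
$run = Get-ItemProperty -Path $runKey -Name 'VRKill' -ErrorAction SilentlyContinue
if ($run) { $found += "Run value VRKill = $($run.VRKill)" }

# Configuration and fake uninstall entries, then the dropped files.
foreach ($k in $keys) { if (Test-Path $k) { $found += "Registry key $k" } }
foreach ($n in $names) {
    $f = Join-Path $dir $n
    if (Test-Path $f) { $found += "File $f" }
}

# Startup shortcut: folder and file name are random, so match on the .lnk target.
$shell = New-Object -ComObject WScript.Shell
$links = Get-ChildItem -Path $startup -Recurse -Filter '*.lnk' -ErrorAction SilentlyContinue |
         Where-Object { $shell.CreateShortcut($_.FullName).TargetPath -like "$dir\*" }
foreach ($l in $links) { $found += "Startup shortcut $($l.FullName)" }

if ($found.Count -eq 0) { Write-Output 'No Virus-Kill artifacts found.'; return }
$found | ForEach-Object { Write-Output "FOUND: $_" }

if ($Remove) {
    # VrkillUpdate.exe keeps a write handle open on VrkillDmn.exe, so the
    # processes must be stopped before the file deletion below can succeed.
    Stop-Process -Name 'VrkillUpdate','VrkillDmn','VrkillPop','VrkillStart' -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2
    Remove-ItemProperty -Path $runKey -Name 'VRKill' -ErrorAction SilentlyContinue
    foreach ($k in $keys) { Remove-Item -Path $k -Recurse -Force -ErrorAction SilentlyContinue }
    foreach ($l in $links) { Remove-Item -Path $l.FullName -Force -ErrorAction SilentlyContinue }
    Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
    Write-Output 'Removal attempted; reboot and re-run without -Remove to confirm nothing returns.'
}
```

Re-running after a reboot matters because the startup shortcut or Run value, if either survived, will relaunch the daemon and re-create the files.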
