Trojan.KillAV.B


Discovered: September 07, 2003
Updated: September 10, 2003 8:10:24 PM
Systems Affected: Windows

Trojan.KillAV.B is a trojan program that terminates the processes of antivirus and security software. It also disables access to the Registry Editor and Task Manager.

Trojan.KillAV.B is a trojan that terminates the processes of Norton Antivirus Autoprotect and Norton Internet Security. When the trojan is executed, it creates the following copy of itself:
C:\Winnt\Java\Java\iexplore.exe

If the folder C:\Winnt\Java\Java does not exist, this file will not be created.

It then creates the following registry entry to disable the Task Manager:
HKey_Current_User\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 0x00000001

The following registry entry is created to disable the Registry Editor:
HKey_Current_User\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 0x00000001

To remain persistent on the system, the trojan creates the following registry entry:
HKey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtimes = C:\Winnt\Java\Java\iexplore.exe

Finally, the following registry entries are modified:
HKey_Local_Machine\Software\Symantec\IAM\FirewallObjects\Applications\iexplore.exe\ApplicationAccess1 = 0x00000001

HKey_Local_Machine\Software\Symantec\IAM\FirewallObjects\Applications\iexplore.exe\ApplicationList1 = C:\Winnt\Java\Java\iexplore.exe
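The registry values listed above can be checked offline against a Registry Editor export taken from a suspect machine. The following is an added example, not part of the original write-up: the function names and the sample export are constructed for illustration, and the hive names are written in the HKEY_CURRENT_USER / HKEY_LOCAL_MACHINE form that Registry Editor uses in exports.

```python
import re

# Indicators from the write-up: (registry key, value name, expected data).
# DWORD data is an int, string data a str; every comparison ignores case.
DROP_PATH = r"C:\Winnt\Java\Java\iexplore.exe"
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
NIS_APP = r"HKEY_LOCAL_MACHINE\Software\Symantec\IAM\FirewallObjects\Applications\iexplore.exe"
INDICATORS = [(POLICIES, "DisableTaskMgr", 1), (POLICIES, "DisableRegistryTools", 1),
              (RUN_KEY, "Java Runtimes", DROP_PATH), (NIS_APP, "ApplicationList1", DROP_PATH)]

# Constructed sample export (not from a real host): Task Manager policy set,
# Registry Editor policy present but 0, Run value pointing at the dropped copy.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Java Runtimes"="c:\\winnt\\java\\java\\iexplore.exe"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg_export(text):
    """Map (key, value name), both lower-cased, to data from decoded export text."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            values[(key, name)] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            # REG_SZ: undo the \\ and \" escaping regedit applies on export
            values[(key, name)] = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return values

def find_indicators(text):
    """Return the (key, value name) pairs whose data matches the write-up."""
    norm = lambda v: v.lower() if isinstance(v, str) else v
    found = parse_reg_export(text)
    return [(k, n) for k, n, want in INDICATORS
            if norm(found.get((k.lower(), n.lower()))) == norm(want)]
```

Version 5.00 exports are saved as UTF-16, so decode the file before passing its text to find_indicators. An HKEY_CURRENT_USER export reflects only the account that produced it, so the two policy values need to be checked per user profile.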