Virus-Kill


February 13, 2007 11:51:54 AM
Misleading Application
Risk Impact:
Systems Affected:

When Virus-Kill is executed, it performs the following actions:
  1. Creates the following files:
    • %ProgramFiles%\Virus-kill\VrkillDmn.exe
    • %ProgramFiles%\Virus-kill\VrkillUpdate.exe
    • %ProgramFiles%\Virus-kill\Vrkill.dll
    • %ProgramFiles%\Virus-kill\VrkillD.dat
    • %ProgramFiles%\Virus-kill\VrkillP.dat
    • %ProgramFiles%\Virus-kill\VrkillPop.exe
    • %ProgramFiles%\Virus-kill\VrkillStart.exe
    • %UserProfile%\Start Menu\Programs\Startup\[RANDOM]\[Random].lnk

    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Adds the value:

    "VRKill" = "%ProgramFiles%\Virus-kill\VrkillDmn.exe"

    to the registry subkey:


    so that it runs every time Windows starts.

  3. Adds the values:

    "code1" = "[RANDOM]"
    "code2" = "[RANDOM]"
    "controllerVersion" = "[RANDOM]"
    "updaterVersion" = "[RANDOM]"
    "updateurl" = "[RANDOM]"
    "Version" = "[RANDOM]"

    to the registry subkey:


    where [RANDOM] is data filled in by querying pages on virus.kill.co.kr and update.virus.kill.co.kr.

  4. Adds the values:

    "DisplayName" = "[RANDOM]"
    "DisplayVersion" = "[RANDOM]"
    "HelpLink" = "[RANDOM]"
    "Publisher" = "[RANDOM]"
    "UninstallString" = "[RANDOM]"

    to the registry subkey:


  5. Displays pop-up windows reporting that threats are detected and asks for money to fix them.

  6. Runs a daemon on startup, VrkillUpdate.exe, that continuously downloads and overwrites VrkillDmn.exe. This keeps a write handle open on the file, which makes it difficult to delete the file manually.
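
An added example, not part of the original write-up or of any Symantec tool: a Python sweep for the on-disk artifacts listed in step 1, given the already-expanded %ProgramFiles% and %UserProfile% folders of a host or a mounted disk image. The function names and the sample tree are assumptions made for illustration; registry checks are left out because the subkeys are not given above.

```python
import tempfile
from pathlib import Path

# File names the write-up lists under %ProgramFiles%\Virus-kill (case-folded)
LISTED = {"vrkilldmn.exe", "vrkillupdate.exe", "vrkill.dll", "vrkilld.dat",
          "vrkillp.dat", "vrkillpop.exe", "vrkillstart.exe"}


def _children(folder):
    """Sorted entries of folder; empty if it is None or not a directory."""
    return sorted(folder.iterdir()) if folder and folder.is_dir() else []


def _descend(root, *names):
    """Follow root/names[0]/names[1]/... ignoring case, as NTFS does."""
    here = Path(root)
    for name in names:
        here = next((p for p in _children(here)
                     if p.name.casefold() == name.casefold()), None)
    return here


def find_artifacts(program_files, user_profile):
    """Return (confirmed, review): listed files found, Startup links to review."""
    install = _descend(program_files, "Virus-kill")
    confirmed = [p for p in _children(install) if p.name.casefold() in LISTED]
    startup = _descend(user_profile, "Start Menu", "Programs", "Startup")
    # Startup\[RANDOM]\[Random].lnk has no fixed name, so match its shape:
    # a .lnk exactly one subfolder below Startup. A lead to review, not proof.
    review = [p for sub in _children(startup) if sub.is_dir()
              for p in _children(sub) if p.suffix.casefold() == ".lnk"]
    return confirmed, review


def demo():
    """Sweep a constructed tree (sample data, not taken from a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        install = Path(tmp, "Program Files", "VIRUS-KILL")
        odd = Path(tmp, "user", "Start Menu", "Programs", "Startup", "qzxk")
        install.mkdir(parents=True)
        odd.mkdir(parents=True)
        for f in (install / "vrkilldmn.EXE", install / "readme.txt",
                  odd / "wplm.lnk", odd.parent / "direct.lnk"):
            f.touch()
        confirmed, review = find_artifacts(install.parent, Path(tmp, "user"))
        return [p.name for p in confirmed], [p.name for p in review]


if __name__ == "__main__":
    print(demo())
```

The first list holds files whose names match the write-up exactly; the second holds shortcuts that only match the randomized Startup pattern and need an analyst to confirm the link target.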
