KillAV.br


Trojan.Win32.KillAV.br, or KillAV.br, is a Windows trojan that attempts to terminate known antivirus programs on the victim machine.

Behaviour

Once the trojan is executed, it creates a 6656-byte executable named "mserv.exe" in the Windows directory (similar to other variants).

It also creates the following values under the [HKLM\System\CurrentControlSet001\Enum\Root\LEGACY_ANEM] registry key:

Service="anem"
Legacy="dword:00000001"
Class="LegacyDriver"
DeviceDesc="mserv.exe"
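
As an added example (not part of the original page or of any vendor's tooling), the Python code below checks decoded `reg export` text and a file name/size pair for the indicators described above. The function names and the sample export are constructed for illustration; keys are matched by their `\Enum\Root\LEGACY_ANEM` suffix, so the check does not depend on the control-set name.

```python
import re

# Indicators as stated on the page (key name, values, dropped file).
KEY_SUFFIX = r"\enum\root\legacy_anem"      # matched regardless of control set
EXPECTED = {"service": "anem", "legacy": "dword:00000001",
            "class": "LegacyDriver", "devicedesc": "mserv.exe"}
DROPPED_NAME, DROPPED_SIZE = "mserv.exe", 6656

def parse_reg_export(text):
    """Parse decoded .reg export text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if m:  # value names are case-insensitive in the registry
                current[m.group(1).lower()] = m.group(2).strip().strip('"')
    return keys

def registry_hits(text):
    """Return [(key, matching_value_names)] for each key ending in LEGACY_ANEM."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower().endswith(KEY_SUFFIX):
            matched = sorted(n for n, v in EXPECTED.items()
                             if values.get(n, "").lower() == v.lower())
            hits.append((key, matched))
    return hits

def file_match(name, size):
    """Grade a file from the Windows directory against the dropped executable."""
    if name.lower() != DROPPED_NAME:
        return None
    return "name+size" if size == DROPPED_SIZE else "name-only"

# Constructed sample export (not captured from an infected host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Enum\Root\LEGACY_ANEM]
"Service"="anem"
"Legacy"=dword:00000001
"Class"="LegacyDriver"
"DeviceDesc"="mserv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Enum\Root\LEGACY_BEEP]
"Service"="Beep"
'''

if __name__ == "__main__":
    print(registry_hits(SAMPLE_EXPORT), file_match("mserv.exe", 6656))
```

Files written by `reg export` are UTF-16 encoded, so decode them before passing the text in. A "name-only" result is a weaker signal than "name+size", since the page gives the size only for this variant.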

Payload

The trojan's main payload is to terminate the following processes:

_AVP32.EXE

_AVPCC.EXE

_AVPM.EXE

AckWin32.exe

ACKWIN32.EXE

ALERTSVC.EXE

ALOGSERV.EXE

Anti-Trojan.exe

ANTS.EXE

ATCON.EXE

ATUPDATER.EXE

ATWATCH.EXE

AutoDown.exe

AutoTrace.exe

AUTOUPDATE.EXE

AVCONSOL.EXE

AVGCC32.EXE

AVGCTRL.EXE

AVGSERV.EXE

AvkServ.exe

AVKSERV.EXE

AVP.EXE

AVP32.EXE

AVPCC.EXE

AVPM.EXE

AVSYNMGR.EXE

AVXMONITOR9X.EXE

AVXMONITORNT.EXE

AVXQUAR.EXE

blackd.exe

blackice.exe

Claw95.exe

Claw95cf.exe

cleaner.exe

cleaner3.exe

cpd.exe

DEFWATCH.EXE

DOORS.EXE

F-AGNT95.EXE

FAST.EXE

F-PROT95.EXE

FRW.EXE

GUARD.EXE

iamapp.exe

IAMAPP.EXE

iamserv.exe

IAMSERV.EXE

ICLOAD95.EXE

ICLOADNT.EXE

ICMON.EXE

ICSUPP95.EXE

ICSUPPNT.EXE

IFACE.EXE

IOMON98.EXE

ISRV95.EXE

JEDI.EXE

LOCKDOWN2000.EXE

LUCOMSERVER.EXE

MCAGENT.EXE

Mcshield.exe

MCUPDATE.EXE

MINILOG.EXE

MONITOR.EXE

MOOLIVE.EXE

NAVAPW32.EXE

NavLu32.exe

NAVW32.EXE

Navw32.exe

NDD32.EXE

NeoWatchLog.exe

NeoWatchTray.exe

NISSERV

NISUM.EXE

NMAIN.EXE

NORMIST.EXE

notstart.exe

NPROTECT.EXE

NSCHED32.EXE

NTXconfig.exe

Nupgrade.exe

NVC95.EXE

NWService.exe

outpost.exe

PCCIOMON.EXE

PERSFW.EXE

POP3TRAP.EXE

POPROXY.EXE

REALMON95.EXE

Rescue.exe

RTVSCN95.EXE

Smc.exe

SPHINX.EXE

SPYXX.EXE

SS3EDIT.EXE

SWNETSUP.EXE

SymProxySvc.exe

SYNMGR.EXE

TAUMON.EXE

TC.EXE

tca.exe

TCA.EXE

TCM.EXE

TDS-3.EXE

TFAK.EXE

TRJSCAN.EXE

VetTray.exe

VPTRAY.EXE

VSECOMR.EXE

VSHWIN32.EXE

VSMON.EXE

VSSTAT.EXE

WATCHDOG.EXE

WebScanX.exe

WEBSCANX.EXE

WEBTRAP.EXE

WGFE95.EXE

WRADMIN.EXE

WrAdmin.exe

WRCTRL.EXE

WrCtrl.exe

ZATUTOR.EXE

ZAUINST.EXE

ZONEALARM.EXE

Sources

SecureList (Kaspersky Labs): KillAV.br
