TROJ_KILLAV.KAX

Malware type: Trojan

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

Low

Distribution potential:

Low

Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

TROJ_KILLAV.KAX Behavior Diagram

Malware Overview

This Trojan may be downloaded from remote sites by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

Upon execution, it drops copies of itself. It creates registry entries to enable its automatic execution at every system startup. It modifies registry entries to hide files with both System and Read-only attributes. It creates registry key(s)/entry(ies) as part of its installation routine.

It connects to a Web site to download a text file. The said text file contains a link to a malicious Web site that downloads and executes a file that Trend Micro detects as TROJ_DLOADER.VKH. As a result, malicious routines of the downloaded files are exhibited on the affected system. It also creates mutex(es) to ensure that only one instance of itself is running in memory.

Description created: Jan. 14, 2009 5:12:39 PM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident: Yes

Size of malware: 39,357 bytes

Initial samples received on: Jan 14, 2009

Related to: TROJ_DLOADER.VKH

Payload 1: Downloads files

Payload 2: Connects to a URL

Details:

Arrival Details

This Trojan may be downloaded from remote site(s) by other malware. It may be downloaded unknowingly by a user when visiting malicious Web site(s).

Installation

This Trojan drops the following copy(ies) of itself:

  • %System%\keepsafe.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. )

Autostart Techniques

This Trojan creates the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run
dsfghjgj = "%Windows%\system32\keepSafe.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
RunOnce
vcbbjf = "%Windows%\system32\keepSafe.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
RunOnceEx
xcfdhtyjkx = "%Windows%\system32\keepSafe.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
RunServices
hfdtubvnx = "%Windows%\system32\keepSafe.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
policies\Explorer\run
TXMouie = "%windows%\system32\keepSafe.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run
ilortgdg = "%Windows%\system32\keepSafe.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunOnce
cvhnykzx = "%Windows%\system32\keepSafe.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunOnceEx
deryheruxc = "%Windows%\system32\keepSafe.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices
hgkytwe = "%Windows%\system32\keepSafe.exe"

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Other System Modifications

This Trojan modifies the following registry entry(ies) to hide files with both System and Read-only attributes:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Explorer\Advanced
Hidden = "2"

(Note: The default value data for the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = "0"

(Note: The default value data for the said registry entry is 1.)

It creates the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon
ExecAccess = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon
LeakAccess = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon
MonAccess = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon
SiteAccess = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon
UDiskAccess = "0"

It creates multiple registry keys that inject this Trojan to several applications when executed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\{Application Executable File}
Debugger = "%Windows%\system32\keepSafe.exe"

The following are the Application Executable Files:

  • ~.exe
  • 360rpt.exe
  • 360Safe.exe
  • 360tray.exe
  • adam.exe
  • adffg7h785v.exe
  • AgentSvr.exe
  • AoYun.exe
  • appdllman.exe
  • AppSvc32.exe
  • auto.exe
  • AutoRun.exe
  • autoruns.exe
  • avgrssvc.exe
  • AvMonitor.exe
  • avp.com
  • avp.exe
  • CCenter.exe
  • ccSvcHst.exe
  • cross.exe
  • Discovery.exe
  • FileDsty.exe
  • FTCleanerShell.exe
  • guangd.exe
  • HijackThis.exe
  • IceSword.exe
  • iparmo.exe
  • Iparmor.exe
  • isPwdSvc.exe
  • kabaload.exe
  • KaScrScn.SCR
  • KASMain.exe
  • KASTask.exe
  • KAV32.exe
  • KAVDX.exe
  • KAVPFW.exe
  • KAVSetup.exe
  • KAVStart.exe
  • kernelwind32.exe
  • KISLnchr.exe
  • KMailMon.exe
  • KMFilter.exe
  • KPFW32.exe
  • KPFW32X.exe
  • KPFWSvc.exe
  • KRegEx.exe
  • KRepair.COM
  • KsLoader.exe
  • KVCenter.kxp
  • KvDetect.exe
  • KvfwMcl.exe
  • KVMonXP.kxp
  • KVMonXP_1.kxp
  • kvol.exe
  • kvolself.exe
  • KvReport.kxp
  • KVSrvXP.exe
  • KVStub.kxp
  • kvupload.exe
  • kvwsc.exe
  • KvXP.kxp
  • KWatch.exe
  • KWatch9x.exe
  • KWatchX.exe
  • loaddll.exe
  • logogo.exe
  • MagicSet.exe
  • mcconsol.exe
  • mmqczj.exe
  • mmsk.exe
  • NAVSetup.exe
  • niu.exe
  • nod32krn.exe
  • nod32kui.exe
  • pagefile.exe
  • pagefile.pif
  • PFW.exe
  • PFWLiveUpdate.exe
  • QHSET.exe
  • Ras.exe
  • Rav.exe
  • RavMon.exe
  • RavMonD.exe
  • RavStub.exe
  • RavTask.exe
  • RegClean.exe
  • regedit.Exe
  • regedit32.Exe
  • rfwcfg.exe
  • RfwMain.exe
  • rfwProxy.exe
  • rfwsrv.exe
  • RsAgent.exe
  • Rsaupd.exe
  • runiep.exe
  • safelive.exe
  • scan32.exe
  • SDGames.exe
  • servet.exe
  • shcfg32.exe
  • SmartUp.exe
  • sos.exe
  • SREng.exe
  • symlcsvc.exe
  • SysSafe.exe
  • taskmgr.exe
  • TNT.Exe
  • TrojanDetector.exe
  • Trojanwall.exe
  • TrojDie.kxp
  • TxoMoU.Exe
  • UFO.exe
  • UIHost.exe
  • UmxAgent.exe
  • UmxAttachment.exe
  • UmxCfg.exe
  • UmxFwHlp.exe
  • UmxPol.exe
  • UpLive.EXE
  • WoptiClean.exe
  • Wsyscheck.exe
  • XP.exe
  • zxsweep.exe
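As an added defender-side example (not part of this Trend Micro write-up), the following Python script audits an exported .reg file for the three registry patterns described above: Run-family autostart entries that launch the dropped keepSafe.exe, the Hidden/SHOWALL tampering that hides System and Read-only files, and Image File Execution Options Debugger entries redirected to the dropped file. The embedded .reg text is constructed sample data, not a capture; the benign notepad.exe debugger entry is there to show that only Debugger values pointing at the dropped copy are flagged.

```python
# Constructed .reg export (sample data, not a real capture) modelled on the entries
# this advisory lists. String data doubles backslashes; REG_DWORD exports as dword:<hex>.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"dsfghjgj"="C:\\Windows\\system32\\keepSafe.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Windows\\system32\\keepSafe.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="vsjitdebugger.exe"
'''

DROPPED_NAME = "keepsafe.exe"  # file name of the dropped copy (matched case-insensitively)
AUTOSTART_SUFFIXES = ("\\run", "\\runonce", "\\runonceex", "\\runservices")
DEFAULT_DWORD_ONE = "dword:00000001"  # documented default for Hidden and CheckedValue

def parse_reg(text):
    """Yield (key, value_name, data) from a .reg export; backslashes in data are unescaped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            yield key, name.strip('"'), data.strip().strip('"').replace("\\\\", "\\")

def audit(text):
    """Return (category, item, data) findings for the patterns this advisory describes."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        if "\\image file execution options\\" in k and n == "debugger" and d.endswith(DROPPED_NAME):
            findings.append(("ifeo_hijack", key.rsplit("\\", 1)[1], data))  # item = hijacked exe
        elif k.endswith(AUTOSTART_SUFFIXES) and d.endswith(DROPPED_NAME):
            findings.append(("autostart", name, data))
        elif k.endswith("\\explorer\\advanced") and n == "hidden" and d != DEFAULT_DWORD_ONE:
            findings.append(("hidden_files_tamper", name, data))
        elif k.endswith("\\hidden\\showall") and n == "checkedvalue" and d != DEFAULT_DWORD_ONE:
            findings.append(("hidden_files_tamper", name, data))
    return findings
```

Run `audit(open("export.reg", encoding="utf-16").read())` on a real `reg export` file (regedit writes UTF-16) to triage a suspect host offline.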

Other Details

This Trojan connects to the following Web site(s):

  • http://{BLOCKED}i.sosvpe.com/setup.txt

The said text file contains the following malicious Web site that this Trojan accesses:

  • http://{BLOCKED}n.sosvpe.com/upsetup.exe - detected by Trend Micro as TROJ_DLOADER.VKH

It then executes the downloaded file(s). As a result, malicious routines of the downloaded files are exhibited on the affected system.

It creates the following mutex(es) to ensure that only one instance of itself is running in memory:

  • Av Love Av Av Av Av Av

Affected Platforms

This Trojan runs on Windows 98, ME, NT, 2000, XP, and Server 2003.


Analysis By: Karl Dominguez

Revision History:

First pattern file version: 5.772.08
First pattern file release date: Jan 15, 2009

SOLUTION


Minimum scan engine version needed: 8.700

Pattern file needed: 5.773.00

Pattern release date: Jan 15, 2009


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Terminating the Malware Process

This procedure terminates the running malware process.

  1. Open Windows Task Manager.
    • On Windows 98 and ME, press CTRL+ALT+DELETE.
    • On Windows NT, 2000, XP, and Server 2003, press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the process:
    keepSafe.exe
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your computer.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

*NOTE: On computers running Windows 98 and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process.

If the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure. If the malware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.

Removing Autostart Entries from the Registry

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>
    Run
  3. In the right panel, locate and delete the entry:
    • dsfghjgj = "%Windows%\system32\keepSafe.exe"
    (Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
  4. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>
    RunOnce
  5. In the right panel, locate and delete the entry:
    • vcbbjf = "%Windows%\system32\keepSafe.exe"
  6. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>
    RunOnceEx
  7. In the right panel, locate and delete the entry:
    • xcfdhtyjkx = "%Windows%\system32\keepSafe.exe"
  8. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>
    RunServices
  9. In the right panel, locate and delete the entry:
    • hfdtubvnx = "%Windows%\system32\keepSafe.exe"
  10. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
    policies>Explorer>run
  11. In the right panel, locate and delete the entry:
    • TXMouie = "%Windows%\system32\keepSafe.exe"
  12. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
    Run
  13. In the right panel, locate and delete the entry:
    • ilortgdg = "%Windows%\system32\keepSafe.exe"
  14. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
    RunOnce
  15. In the right panel, locate and delete the entry:
    • cvhnykzx = "%Windows%\system32\keepSafe.exe"
  16. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
    RunOnceEx
  17. In the right panel, locate and delete the entry:
    • deryheruxc = "%Windows%\system32\keepSafe.exe"
  18. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
    RunServices
  19. In the right panel, locate and delete the entry:
    • hgkytwe = "%Windows%\system32\keepSafe.exe"

Restoring Registry Entries

  1. Still in the Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    CurrentVersion>Image File Execution Options
  2. Still in the left panel, locate the key:
    360rpt.exe
  3. Check if the following entry and value data exists under the said key:
    Debugger = "%Windows%\system32\keepSafe.exe"
  4. If the entry exists, delete the said entry. Repeat steps 3-4 for the following keys:
    ~.exe
    360rpt.exe
    360Safe.exe
    360tray.exe
    adam.exe
    adffg7h785v.exe
    AgentSvr.exe
    AoYun.exe
    appdllman.exe
    AppSvc32.exe
    auto.exe
    AutoRun.exe
    autoruns.exe
    avgrssvc.exe
    AvMonitor.exe
    avp.com
    avp.exe
    CCenter.exe
    ccSvcHst.exe
    cross.exe
    Discovery.exe
    FileDsty.exe
    FTCleanerShell.exe
    guangd.exe
    HijackThis.exe
    IceSword.exe
    iparmo.exe
    Iparmor.exe
    isPwdSvc.exe
    kabaload.exe
    KaScrScn.SCR
    KASMain.exe
    KASTask.exe
    KAV32.exe
    KAVDX.exe
    KAVPFW.exe
    KAVSetup.exe
    KAVStart.exe
    kernelwind32.exe
    KISLnchr.exe
    KMailMon.exe
    KMFilter.exe
    KPFW32.exe
    KPFW32X.exe
    KPFWSvc.exe
    KRegEx.exe
    KRepair.COM
    KsLoader.exe
    KVCenter.kxp
    KvDetect.exe
    KvfwMcl.exe
    KVMonXP.kxp
    KVMonXP_1.kxp
    kvol.exe
    kvolself.exe
    KvReport.kxp
    KVSrvXP.exe
    KVStub.kxp
    kvupload.exe
    kvwsc.exe
    KvXP.kxp
    KWatch.exe
    KWatch9x.exe
    KWatchX.exe
    loaddll.exe
    logogo.exe
    MagicSet.exe
    mcconsol.exe
    mmqczj.exe
    mmsk.exe
    NAVSetup.exe
    niu.exe
    nod32krn.exe
    nod32kui.exe
    pagefile.exe
    pagefile.pif
    PFW.exe
    PFWLiveUpdate.exe
    QHSET.exe
    Ras.exe
    Rav.exe
    RavMon.exe
    RavMonD.exe
    RavStub.exe
    RavTask.exe
    RegClean.exe
    regedit.Exe
    regedit32.Exe
    rfwcfg.exe
    RfwMain.exe
    rfwProxy.exe
    rfwsrv.exe
    RsAgent.exe
    Rsaupd.exe
    runiep.exe
    safelive.exe
    scan32.exe
    SDGames.exe
    servet.exe
    shcfg32.exe
    SmartUp.exe
    sos.exe
    SREng.exe
    symlcsvc.exe
    SysSafe.exe
    taskmgr.exe
    TNT.Exe
    TrojanDetector.exe
    Trojanwall.exe
    TrojDie.kxp
    TxoMoU.Exe
    UFO.exe
    UIHost.exe
    UmxAgent.exe
    UmxAttachment.exe
    UmxCfg.exe
    UmxFwHlp.exe
    UmxPol.exe
    UpLive.EXE
    WoptiClean.exe
    Wsyscheck.exe
    XP.exe
    zxsweep.exe

Removing Other Malware Key from the Registry

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE
  2. Still in the left panel, locate and delete the key:
    360Safe
  3. Close Registry Editor.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as TROJ_KILLAV.KAX and TROJ_DLOADER.VKH. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.
