Win32/AntiAV [Threat Name] go to Threat

Win32/AntiAV.NBD [Threat Variant Name]

Category trojan
Size 37888 B
Aliases Trojan-Downloader.Win32.Geral.agh (Kaspersky)
  Trojan.Dropper (Symantec)
  Generic.Dropper!db (McAfee)
Short description

The trojan tries to download and execute several files from the Internet. The trojan terminates various security related applications. The file is run-time compressed using UPX .

Installation

When executed, the trojan copies itself into the following location:

  • %system%\­scvhost.exe (37888 B)

The trojan creates the following files:

  • %windir%\­tete%random1%t.dll (44688 B)
  • %windir%\­extext%random2%t.exe (11264 B)
  • %system%\­drivers\­pcidump.sys (11904 B)
  • %system%\­drivers\­aec.sys (2048 B)
  • %system%\­drivers\­asyncmac.sys (2816 B)

The %random1-2% represents a random number.


Installs the following system drivers:

  • %system%\­drivers\­pcidump.sys
  • %system%\­drivers\­aec.sys
  • %system%\­drivers\­asyncmac.sys

The following Registry entries are deleted:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "RsTray" = "%system%\­scvhost.exe"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­360Safebox.exe]
    • "360Safebox.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­360tray.exe]
    • "360tray.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­AgentSvr.exe]
    • "AgentSvr.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­antiarp.exe]
    • "antiarp.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­avp.exe]
    • "avp.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­bdagent.exe]
    • "bdagent.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­ccapp.exe]
    • "ccapp.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­CCenter.exe]
    • "CCenter.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­ccEvtMgr.exe]
    • "ccEvtMgr.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­ccSetMgr.exe]
    • "ccSetMgr.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­ccSvcHst.exe]
    • "ccSvcHst.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­defwatch.exe]
    • "defwatch.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­DrUpdate.exe]
    • "DrUpdate.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­egui.exe]
    • "egui.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­ekrn.exe]
    • "ekrn.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­engineserver.exe]
    • "engineserver.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­FrameworkService.exe]
    • "FrameworkService.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­KavStart.exe]
    • "KavStart.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­KISSvc.exe]
    • "KISSvc.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­kmailmon.exe]
    • "kmailmon.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­KPFW32.exe]
    • "KPFW32.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­KPfwSvc.exe]
    • "KPfwSvc.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­KVSrvXP.exe]
    • "KVSrvXP.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­KWatch.exe]
    • "KWatch.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­livesrv.exe]
    • "livesrv.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­LiveUpdate360.exe]
    • "LiveUpdate360.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­mcagent.exe]
    • "mcagent.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­mcinsupd.exe]
    • "mcinsupd.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­mcmscsvc.exe]
    • "mcmscsvc.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­mcnasvc.exe]
    • "mcnasvc.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­McProxy.exe]
    • "McProxy.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­mcshell.exe]
    • "mcshell.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­mcshield.exe]
    • "mcshield.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­mcsysmon.exe]
    • "mcsysmon.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­McTray.exe]
    • "McTray.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­mcupdmgr.exe]
    • "mcupdmgr.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­mfeann.exe]
    • "mfeann.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­mfevtps.exe]
    • "mfevtps.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­MpfSrv.exe]
    • "MpfSrv.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­MPMon.exe]
    • "MPMon.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­MPSVC.exe]
    • "MPSVC.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­MPSVC1.exe]
    • "MPSVC1.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­MPSVC2.exe]
    • "MPSVC2.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­naPrdMgr.exe]
    • "naPrdMgr.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­QQDoctor.exe]
    • "QQDoctor.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­QQDoctorRtp.exe]
    • "QQDoctorRtp.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­Rav.exe]
    • "Rav.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­RavMon.exe]
    • "RavMon.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­RavMonD.exe]
    • "RavMonD.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­RavStub.exe]
    • "RavStub.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­RavTask.exe]
    • "RavTask.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­RegGuide.exe]
    • "RegGuide.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­rfwsrv.exe]
    • "rfwsrv.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­RsAgent.exe]
    • "RsAgent.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­rsnetsvr.exe]
    • "rsnetsvr.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­rssafety.exe]
    • "rssafety.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­RsTray.exe]
    • "RsTray.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­rtvscan.exe]
    • "rtvscan.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­safeboxTray.exe]
    • "safeboxTray.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­ScanFrm.exe]
    • "ScanFrm.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­SHSTAT.exe]
    • "SHSTAT.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­udaterui.exe]
    • "udaterui.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­Uplive.exe]
    • "Uplive.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­vptray.exe]
    • "vptray.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­vsserv.exe]
    • "vsserv.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­vstskmgr.exe]
    • "vstskmgr.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­xcommsvr.exe]
    • "xcommsvr.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Enum\­Root\­LEGACY_AEC\­0000\­Control]
    • "*NewlyCreated*" = 0
    • "ActiveService" = "aec"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Enum\­Root\­LEGACY_AEC\­0000]
    • "Service" = "aec"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "Class" = "LegacyDriver"
    • "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc" = "RCT"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Enum\­Root\­LEGACY_AEC]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Enum\­Root\­LEGACY_ASYNCMAC\­0000\­Control]
    • "*NewlyCreated*" = 0
    • "ActiveService" = "AsyncMac"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Enum\­Root\­LEGACY_ASYNCMAC\­0000]
    • "Service" = "AsyncMac"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "Class" = "LegacyDriver"
    • "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc" = "RAS Asynchronous Media Driver"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Enum\­Root\­LEGACY_ASYNCMAC]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Enum\­Root\­LEGACY_PCIDUMP\­0000\­Control]
    • "*NewlyCreated*" = 0
    • "ActiveService" = "pcidump"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Enum\­Root\­LEGACY_PCIDUMP\­0000]
    • "Service" = "pcidump"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "Class" = "LegacyDriver"
    • "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc" = "pcidump"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Enum\­Root\­LEGACY_PCIDUMP]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­aec\­Enum]
    • "0" = "Root\­LEGACY_AEC\­0000"
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­aec\­Security]
    • "Security" = %hex_value%
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­aec]
    • "Type" = 1
    • "Start" = 3
    • "ErrorControl" = 0
    • "ImagePath" = "%system%\­drivers\­aec.sys"
    • "DisplayName" = "RCT"
Information stealing

The trojan collects the following information:

  • network adapter information
  • malware version
  • operating system version

The trojan can send the information to a remote machine. The HTTP protocol is used.

Other information

The trojan terminates processes with any of the following strings in the name:

  • .norton2009Reset
  • avp
  • LIVESRV
  • McAfeeEngineService
  • McAfeeFramework
  • McShield
  • McTaskManager
  • mfevtp
  • MPSVCService
  • Norton AntiVirus
  • RavCCenter
  • RavTask
  • RavTray
  • RfwCCenter
  • RfwService
  • RfwTask
  • RsRavMon
  • RsScanSrv
  • scan
  • VSSERV
  • XCOMM

The trojan launches the following processes:

  • cmd /c net stop wscsvc
  • cmd /c net stop SharedAccess
  • cmd /c sc config sharedaccess start= disabled
  • cmd /c cacls %system% /e /p everyone:f
  • cmd /c cacls %temp% /e /p everyone:f
  • cmd /c sc config KwatchSvc start= disabled
  • cmd /c sc config kaccore start= disabled
  • cmd /c sc config KISSvc start= disabled
  • cmd.exe /c taskkill.exe /im KwatchSvc.exe /f
  • cmd.exe /c taskkill.exe /im KwatchSvc.exe /f
  • cmd /c sc config ekrn start= disabled
  • cmd.exe /c taskkill.exe /im ekrn.exe /f
  • cmd.exe /c taskkill.exe /im egui.exe /f
  • cmd.exe /c taskkill.exe /im avp.exe /f
  • taskkill /f /t /im avp.exe
  • sc config avp start= disabled
  • %system%\­rundll32.exe %windir%\­tete%random1%t.dll, testall

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (1) URLs. It tries to download several files from the addresses.


These are stored in the following locations:

  • %filepath%

A string with variable content is used instead of %filepath% .


The files are then executed.


The trojan may create the following files:

  • %system%\­drivers\­12youxllsdfierjiernmnsdf.txt
  • %temp%\­afc90a.bat

Please enable Javascript to ensure correct displaying of this content and refresh this page.