Threat behavior
Trojan:Win32/Killav.KV is a trojan that terminates security processes, replaces the Windows beep driver with its own code, and installs other malware.
Installation
Trojan:Win32/Killav.KV may be dropped or installed by other malware. It also creates the following registry entry, which defines a new svchost service group named "krnlsrvc" whose member service is "mebuacenter":
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
Sets value: "krnlsrvc"
To data: "mebuacenter"
Payload
Drops other malware
The trojan writes a dropped file to the temporary folder under a random name, for example:
%TEMP%\<random>_res.tmp - for example, "129218_res.tmp"
The trojan then copies this file to the Windows system folder under a random name matching the pattern "R*m*t*C.dll", where each "*" is a random letter (the example "remdtec.dll" below fits this pattern). It registers the copy as the service DLL of a new service so that the trojan is loaded at the next Windows start, as in the following example:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MebuaCent
Sets value: "ServiceDll"
To data: "<system folder>\remdtec.dll"
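The two registry entries above together describe a common svchost-hosted persistence pattern: a custom group under the Svchost key, and a service whose ServiceDll points at the dropped file. The following PowerShell script is an added example, not part of the original analysis, that hunts for that pattern on a live system. It enumerates every svchost group, resolves each member service's ServiceDll, and flags entries whose DLL is missing, lives outside the system folder, or fails Authenticode validation; the group and service names "krnlsrvc" and "MebuaCent"/"mebuacenter" are taken from the analysis above, while the location checks and the decision to look for ServiceDll both under Parameters and directly under the service key are assumptions.

```powershell
# Added example (not from the original advisory): hunt for the svchost-group /
# ServiceDll persistence pattern. Run from an elevated 64-bit PowerShell so
# registry and file-system redirection do not hide the real System32 copies.

$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$system32    = [Environment]::GetFolderPath('System')    # e.g. C:\Windows\system32

function Get-ServiceDllPath {
    param([string]$ServiceName)
    # svchost normally reads Parameters\ServiceDll; the advisory shows the value
    # written directly under the service key, so both locations are checked
    # (assumption: checking both is the conservative choice for a hunt).
    foreach ($sub in @("$servicesKey\$ServiceName\Parameters", "$servicesKey\$ServiceName")) {
        $v = (Get-ItemProperty -Path $sub -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($v) { return [Environment]::ExpandEnvironmentVariables($v) }
    }
    return $null
}

function Find-SuspiciousSvchostServices {
    $groups = Get-ItemProperty -Path $svchostKey
    foreach ($prop in $groups.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... properties; skip them.
        if ($prop.Name -like 'PS*') { continue }
        $groupName = $prop.Name
        foreach ($svc in @($prop.Value)) {
            # Groups routinely list services that do not exist on this build.
            if (-not (Test-Path -Path "$servicesKey\$svc")) { continue }

            $dll    = Get-ServiceDllPath -ServiceName $svc
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            # 'Valid' relies on catalog validation; treat anything else as
            # "needs a look", not as proof of tampering.
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }

            $suspicious = ($groupName -eq 'krnlsrvc') -or          # name from the advisory
                          ($svc -like 'mebuacent*') -or            # MebuaCent / mebuacenter
                          (-not $exists) -or
                          ($sig -ne 'Valid') -or
                          ($dll -and $dll -notlike "$system32\*")  # assumption: ServiceDlls live in System32

            [pscustomobject]@{
                Group      = $groupName
                Service    = $svc
                ServiceDll = $dll
                Exists     = $exists
                Signature  = $sig
                Suspicious = $suspicious
            }
        }
    }
}

Find-SuspiciousSvchostServices | Where-Object Suspicious | Format-Table -AutoSize
```

Drop the `Where-Object Suspicious` filter to see the full inventory. Third-party software legitimately registers its own svchost groups, so the location and signature checks produce leads rather than verdicts; an unsigned DLL in the system folder under an unfamiliar group name is the combination worth pulling for analysis.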
Terminates process
The trojan attempts to terminate the Rising antivirus security process named "RsTray.exe".
Replaces beep driver
Trojan:Win32/Killav.KV attempts to overwrite the original Windows beep driver file "beep.sys" with a driver embedded in its own body. It then stops and restarts the beep service so that the replaced driver is loaded without a reboot. The fake driver is used to restore the original System Service Descriptor Table (SSDT) entries; this removes hooks that security software places in the SSDT and so disables its kernel-mode monitoring.
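Because the driver is swapped in place and loaded through the existing Beep service, the file on disk is the artifact to check. The PowerShell function below is an added example, not part of the original analysis, that reports whether beep.sys still looks like the Microsoft driver: it checks the Authenticode/catalog signature and the embedded version resource, compares the live file's hash against the copies kept in the WinSxS component store, and reports the Beep driver service state. The driver path, the use of WinSxS as a reference, and the "Microsoft" CompanyName check are assumptions about a standard Windows install.

```powershell
# Added example (not from the original advisory): verify that beep.sys is still
# the Microsoft driver and show the Beep service state. Run elevated.

$driverPath = Join-Path ([Environment]::GetFolderPath('System')) 'drivers\beep.sys'

function Test-BeepDriver {
    if (-not (Test-Path -LiteralPath $driverPath)) {
        return [pscustomobject]@{ Path = $driverPath; Exists = $false; Suspicious = $true }
    }

    # 1. Signature. Microsoft drivers are normally catalog-signed, so 'Valid'
    #    here depends on the catalog store being intact as well.
    $sig  = Get-AuthenticodeSignature -FilePath $driverPath

    # 2. Version resource. A dropped-in driver rarely fakes CompanyName and
    #    OriginalFilename convincingly.
    $info = (Get-Item -LiteralPath $driverPath).VersionInfo

    # 3. Component-store comparison (assumption: WinSxS holds the installed
    #    beep.sys). The recursive search is slow but fine for an IR check.
    $liveHash    = (Get-FileHash -LiteralPath $driverPath -Algorithm SHA256).Hash
    $storeHashes = Get-ChildItem -Path "$env:SystemRoot\WinSxS" -Filter beep.sys -Recurse -File -ErrorAction SilentlyContinue |
                   ForEach-Object { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash }
    $matchesStore = [bool]($storeHashes -contains $liveHash)

    # 4. Driver service state. Get-Service does not list kernel drivers, so
    #    query Win32_SystemDriver; the trojan stops and restarts this service
    #    to load its replacement.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='Beep'" -ErrorAction SilentlyContinue

    $suspicious = ($sig.Status -ne 'Valid') -or
                  ($info.CompanyName -notlike '*Microsoft*') -or
                  (-not $matchesStore)

    [pscustomobject]@{
        Path            = $driverPath
        Exists          = $true
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        CompanyName     = $info.CompanyName
        OriginalName    = $info.OriginalFilename
        FileVersion     = $info.FileVersion
        SHA256          = $liveHash
        MatchesWinSxS   = $matchesStore
        ServiceState    = $svc.State
        ServicePath     = $svc.PathName
        Suspicious      = $suspicious
    }
}

Test-BeepDriver | Format-List
```

A file that fails all three checks (signature, version resource, WinSxS match) has almost certainly been replaced; a single failing check, especially the WinSxS comparison on a heavily serviced or stripped-down image, should be confirmed against a known-good copy of beep.sys from the same Windows build before drawing conclusions. Note also that the script examines the file on disk; a replaced driver that is already loaded can only be confirmed by looking at the loaded module list or a memory image.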
Analysis by Jingli Li
Prevention