© 2008 Websense, Inc. All Rights Reserved.
Blog
09.28.2007 - 4:33 PM
Archive
+ August 2007
+ July 2007
+ June 2007
+ May 2007
+ April 2007
Bookmark This Post:
Post a Comment:
Previous Posts
September 2007| 09/28/2007 | AV Killer Analysis Report » |
| 09/26/2007 | Storm Worm Chronology » |
| 09/24/2007 | K.I.S.S. Principle » |
| 09/21/2007 | Tapping into the Opera JavaScript Interpreter » |
| 09/19/2007 | The Malware That Keeps On Giving » |
| 09/13/2007 | Phast Phlux Phishing » |
| 09/05/2007 | Tapping into the IE 7 JavaScript Interpreter » |
+ August 2007
+ July 2007
+ June 2007
+ May 2007
+ April 2007
AV Killer is currently the king of viruses in China. In the first half of this year, 3 Chinese anti-virus companies published this virus as their top-level virus alert.
Most virus writers have the same dream: to disable anti-virus software so the virus can run itself on a computer without any limitation. Therefore, many virus authors try many different methods to disable anti-virus software. AV Killer is this kind of virus, and uses the IFEO method.
What is IFEO?
IFEO stands for "image file execution options". This technology can redirect execution of a file. For example, if you want to run AA.exe, the computer can be made to run BB.exe instead of AA.exe. This is done because IFEO has an item in the Windows registry as HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AA.exe that tells it to run BB.exe instead.
We have a sample of AV Killer, so we have reversed this sample, which let us see how it modifies our computer configuration.
This picture shows the "create_item" subroutine, which creates an item in the Windows registry. Let's look at how this is created. As you can see in the following picture, the virus created an item in the Windows registry as HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe. In this case, avp.exe is a key in the Windows registry, and avp.exe is also the filename of Kaspersky's anti-virus software.
Set value for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe:
Now, if you want to run Kaspersky's anti-virus software, the computer runs the specified .exe file instead of avp.exe. Following is a picture of the result after the new key value has been set.
With this registry key set, you can't run this anti-virus software. AV Killer disables many AV software programs, such as McAfee, NOD32, Symantec Anti-Virus software and so on. AV killer can download other Trojans onto your windows system and let these viruses run as well.
By now, AV Killer has more than 500 variants and more than 100,000 computers have been infected, but almost entirely in China. AV Killer has another name in China: "king of viruses"