Trojan.Win32.KillAV.an

Technical Details

This Trojan has a malicious payload. It is a Windows PE EXE file. It is 13,824 bytes in size. It is packed using UPX. The unpacked file is approximately 32KB in size. It is written in C++.

Installation

The Trojan also copies its executable file to the Windows system directory under the following names:

%System%\NavbwvLw32.Exe
%System%\Winscrl0n3.Scr
%System%\LwBWV60.dll

In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan registers its executable file in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "%System%\NavbwvLw32.Exe"

Payload

When launching, the Trojan scans the system for widnows with the following names and terminates them:

Norton AntiVirus
VirusScan
eSafe Desktop Watch
eTrust EZ AntiVirus
Panda AntiVirus Titanium
PC-Cillin 2002
PC-Cillin 2003
F-Secure Anti-Virus
Sophos AntiVirus
ZoneAlarm
ZoneAlarm Pro
Tiny Personal Firewall
McAfee Firewall
Norton Personal FireWall

The Trojan then ceases running.


Removal Instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  2. Delete the following system registry key: (see What is a system registry and how do I use it for details on how to edit the registry).
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "(Default)" = "%System%\NavbwvLw32.Exe"
  3. Delete the following files:
    %System%\NavbwvLw32.Exe
    %System%\Winscrl0n3.Scr
    %System%\LwBWV60.dll
  4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).