Trojan uses Rootkit remover tool to disable Anti-virus

December 1, 2011

The Sonicwall UTM research team received reports of a new KillAV Trojan in the wild. This Trojan uses a rootkit remover tool called The Avenger. According to the home page of this tool "The Avenger is a fully-scriptable, kernel-level Windows driver designed to remove highly persistent files, registry keys/values, and other drivers protected by entrenched malware". Ironically, the Trojan uses this anti malware tool to remove files belonging to a variety of well known anti-virus software from vendors such as AVG, Kaspersky and Symantec. Most anti-virus software protects its files from user-mode removal. However, it is very hard to protect such files from kernel-mode attacks.

The Trojan uses the following icon:

The Trojan adds the following files to the filesystem:

  • C:DRIVERS10KDESCK.exe [Avenger executable]
  • C:DRIVERS10TDESCK.txt [Avenger file instructions]
  • C:WINDOWSsystem32eihs.txt [Avenger file instructions]
  • C:DRIVERS10WINNTK.exe [Detected as GAV: KillFiles.NEK (Trojan)]
  • C:cleanup.exe [Detected as GAV: Zapchast.M (Trojan)]
  • C:cleanup.bat [Cleanup instructions]
  • C:zip.exe [Zip utility]
  • C:WINDOWSsystem32driverstsfqiza.sys [Avenger kernel-mode driver]

TDESCK.txt contains the following information:

      Folders to delete:
      %ProgramFiles%AVG
      %ProgramFiles%Panda Security
      %ProgramFiles%ESET
      %ProgramFiles%KASPER~1
      %ProgramFiles%Avira
      %ProgramFiles%Softwin
      %ProgramFiles%Grisoft
      %ProgramFiles%NORTON~1
      %ProgramFiles%Microsoft Security Client
      Files to move:
      %ProgramFiles%Alwil SoftwareAvast5AvastUI.exe|%ProgramFiles%Alwil SoftwareAvast5AvastUI.exa
      %ProgramFiles%Alwil SoftwareAvast5AvastSvc.exe|%ProgramFiles%Alwil SoftwareAvast5AvastSvc.exa
      %ProgramFiles%AVAST SoftwareAvastAvastSvc.exe|%ProgramFiles%AVAST SoftwareAvastAvastSvc.exa
      %ProgramFiles%AVAST SoftwareAvastAvastUI.exe|%ProgramFiles%AVAST SoftwareAvastAvastUI.exa

The above information instructs the Avenger software to remove or move files and directories belonging to various anti-virus software.

Upon infection, the following command is run to remove the anti-virus files listed above in TDESCK.txt. This command runs Avenger invisibly without its GUI:

      cmd /c C:DRIVERS10KDESCK.exe /nogui C:DRIVERS10TDESCK.txt

cleanup.bat contains the following information:

      @ECHO OFF
      cd %systemdrive%
      if exist %systemdrive%avengerbackup.zip move /y %systemdrive%avengerbackup.zip "%systemdrive%avengerbackup-%date:/=.%-%time::=.%.zip"
      move /y backup.reg %systemdrive%avenger
      copy /y avenger.txt %systemdrive%avenger
      for %%a in (c d e f g h i j k l m n o p q r s t u v w x y z) do if exist %%a:avenger attrib -r -h -s %%a:avenger* /S /D & zip -r -S -q -m -! -P infected "%systemdrive%avengerbackup.zip" %%a:avenger* -x %systemdrive%avengerbackup*.zip & rmdir %%a:avenger
      del zip.exe
      del cleanup.exe
      del cleanup.bat

The Trojan adds the following keys to the Windows registry to install the Avenger kernel-mode driver and run WINNTK.exe and cleanup.exe after reboot:

  • HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun Microsoft Windows Debug "C:DRIVERS10WINNTK.exe"
  • HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce Cleanup "C:cleanup.exe"
  • HKEY_LOCAL_MACHINESystemCurrentControlSetServicesmmjnbxj ImagePath "C:WINDOWSsystem32driverstsfqiza.sys"
  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesmmjnbxj cvva "C:WINDOWSsystem32eihs.txt"

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: KillFiles.NEK (Trojan)
  • GAV: Zapchast.M (Trojan)