Win32/AntiAV.NBD | ESET Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

O
P
Q
R
S
T
U
V
W
X
Y
Z
Glossary

Short description

The trojan tries to download and execute several files from the Internet. The trojan terminates various security related applications. The file is run-time compressed using UPX .

Installation

When executed, the trojan copies itself into the following location:

%system%\scvhost.exe (37888 B)

The trojan creates the following files:

%windir%\tete%random1%t.dll (44688 B)
%windir%\extext%random2%t.exe (11264 B)
%system%\drivers\pcidump.sys (11904 B)
%system%\drivers\aec.sys (2048 B)
%system%\drivers\asyncmac.sys (2816 B)

The %random1-2% stands for a random number.

Installs the following system drivers:

%system%\drivers\pcidump.sys
%system%\drivers\aec.sys
%system%\drivers\asyncmac.sys

The following Registry entries are deleted:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run]

In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run]
"RsTray" = "%system%\scvhost.exe"

The following Registry entries are created:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\360Safebox.exe]
"360Safebox.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\360tray.exe]
"360tray.exe" = "svchost.exe"

more...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\360Safebox.exe]
"360Safebox.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\360tray.exe]
"360tray.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\AgentSvr.exe]
"AgentSvr.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\antiarp.exe]
"antiarp.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\avp.exe]
"avp.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\bdagent.exe]
"bdagent.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\ccapp.exe]
"ccapp.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\CCenter.exe]
"CCenter.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\ccEvtMgr.exe]
"ccEvtMgr.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\ccSetMgr.exe]
"ccSetMgr.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\ccSvcHst.exe]
"ccSvcHst.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\defwatch.exe]
"defwatch.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\DrUpdate.exe]
"DrUpdate.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\egui.exe]
"egui.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\ekrn.exe]
"ekrn.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\engineserver.exe]
"engineserver.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\
FrameworkService.exe]
"FrameworkService.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\KavStart.exe]
"KavStart.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\KISSvc.exe]
"KISSvc.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\kmailmon.exe]
"kmailmon.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\KPFW32.exe]
"KPFW32.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\KPfwSvc.exe]
"KPfwSvc.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\KVSrvXP.exe]
"KVSrvXP.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\KWatch.exe]
"KWatch.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\livesrv.exe]
"livesrv.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\LiveUpdate360.exe]
"LiveUpdate360.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\mcagent.exe]
"mcagent.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\mcinsupd.exe]
"mcinsupd.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\mcmscsvc.exe]
"mcmscsvc.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\mcnasvc.exe]
"mcnasvc.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\McProxy.exe]
"McProxy.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\mcshell.exe]
"mcshell.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\mcshield.exe]
"mcshield.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\mcsysmon.exe]
"mcsysmon.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\McTray.exe]
"McTray.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\mcupdmgr.exe]
"mcupdmgr.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\mfeann.exe]
"mfeann.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\mfevtps.exe]
"mfevtps.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\MpfSrv.exe]
"MpfSrv.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\MPMon.exe]
"MPMon.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\MPSVC.exe]
"MPSVC.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\MPSVC1.exe]
"MPSVC1.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\MPSVC2.exe]
"MPSVC2.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\naPrdMgr.exe]
"naPrdMgr.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\QQDoctor.exe]
"QQDoctor.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\QQDoctorRtp.exe]
"QQDoctorRtp.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\Rav.exe]
"Rav.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\RavMon.exe]
"RavMon.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\RavMonD.exe]
"RavMonD.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\RavStub.exe]
"RavStub.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\RavTask.exe]
"RavTask.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\RegGuide.exe]
"RegGuide.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\rfwsrv.exe]
"rfwsrv.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\RsAgent.exe]
"RsAgent.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\rsnetsvr.exe]
"rsnetsvr.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\rssafety.exe]
"rssafety.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\RsTray.exe]
"RsTray.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\rtvscan.exe]
"rtvscan.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\safeboxTray.exe]
"safeboxTray.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\ScanFrm.exe]
"ScanFrm.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\SHSTAT.exe]
"SHSTAT.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\udaterui.exe]
"udaterui.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\Uplive.exe]
"Uplive.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\vptray.exe]
"vptray.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\vsserv.exe]
"vsserv.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\vstskmgr.exe]
"vstskmgr.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\xcommsvr.exe]
"xcommsvr.exe" = "svchost.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_AEC\0000\Control]
"*NewlyCreated*" = 0
"ActiveService" = "aec"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_AEC\0000]
"Service" = "aec"
"Legacy" = 1
"ConfigFlags" = 0
"Class" = "LegacyDriver"
"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc" = "RCT"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_AEC]
"NextInstance" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_ASYNCMAC\0000\Control]
"*NewlyCreated*" = 0
"ActiveService" = "AsyncMac"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_ASYNCMAC\0000]
"Service" = "AsyncMac"
"Legacy" = 1
"ConfigFlags" = 0
"Class" = "LegacyDriver"
"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc" = "RAS Asynchronous Media Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_ASYNCMAC]
"NextInstance" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_PCIDUMP\0000\Control]
"*NewlyCreated*" = 0
"ActiveService" = "pcidump"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_PCIDUMP\0000]
"Service" = "pcidump"
"Legacy" = 1
"ConfigFlags" = 0
"Class" = "LegacyDriver"
"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc" = "pcidump"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_PCIDUMP]
"NextInstance" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aec\
Enum]
"0" = "Root\LEGACY_AEC\0000"
"Count" = 1
"NextInstance" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aec\
Security]
"Security" = %hex_value%
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aec]
"Type" = 1
"Start" = 3
"ErrorControl" = 0
"ImagePath" = "%system%\drivers\aec.sys"
"DisplayName" = "RCT"

less...

Information stealing

The trojan collects the following information:

network adapter information
malware version
operating system version

The trojan can send the information to a remote machine. The HTTP protocol is used.

Other information

The trojan terminates processes with any of the following strings in the name:

.norton2009Reset
avp
LIVESRV
McAfeeEngineService
McAfeeFramework

more...

The trojan launches the following processes:

cmd /c net stop wscsvc
cmd /c net stop SharedAccess
cmd /c sc config sharedaccess start= disabled
cmd /c cacls %system% /e /p everyone:f
cmd /c cacls %temp% /e /p everyone:f

more...

The trojan is sent data and commands from a remote computer or the Internet.

The trojan contains a list of (1) URLs. It tries to download several files from the addresses.

These are stored in the following locations:

%filepath%

A string with variable content is used instead of %filepath% .

The files are then executed.

The trojan may create the following files:

%system%\drivers\12youxllsdfierjiernmnsdf.txt
%temp%\afc90a.bat