Threat Encyclopedia

Short description
Win32/KillFiles.NCH is a trojan that deletes files with specific file extensions. The trojan overwrites the MBR (Master Boot Record) of all drives with its own data.
Installation
When executed, the trojan creates the following files:
  • %system%\wversion.exe (36864 B)
The file is then executed.
Payload information
The trojan overwrites the MBR (Master Boot Record) of all drives with its own data.

The written data contains the following string:
  • Memory of the Independence Day
The trojan searches local drives for files with the following file extensions:
  • .accdb
  • .alz
  • .asp
  • .aspx
  • .c
The trojan compresses each found file into a password-protected archive. The password is randomly generated.

The file name and extension of the newly created file are derived from the original one. An additional ".gz" extension is appended.

The trojan then deletes the original files.
Other information
The following file is modified:
  • %windir%\win.ini
The trojan writes the following entries to the file:
  • [MSSOFT]
  • LastName=%variable1%
  • FirstName=%variable2%
  • Location=%variable3%
A string with variable content is used instead of %variable1-3%.
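
The indicators listed in this description can be checked together during triage of a disk image. The following is an added example, not part of the original entry or any vendor tool: it assumes the analyst already has a raw dump of the first sectors, the text of win.ini and a path to the mounted %system% directory, and all function names and sample data are hypothetical.

```python
from pathlib import Path

# Indicators taken from the description above.
MBR_MARKER = "Memory of the Independence Day"
DROPPED_NAME, DROPPED_SIZE = "wversion.exe", 36864
INI_SECTION = "MSSOFT"
INI_KEYS = {"lastname", "firstname", "location"}

def mbr_has_marker(dump: bytes) -> bool:
    """True if a raw sector dump contains the marker string.
    Assumption: the on-disk encoding is not documented, so try ASCII and UTF-16LE."""
    return any(MBR_MARKER.encode(enc) in dump for enc in ("ascii", "utf-16-le"))

def win_ini_has_entries(text: str) -> bool:
    """True if win.ini text has an [MSSOFT] section with all three keys."""
    section, found = None, set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().upper()
        elif section == INI_SECTION and "=" in line and not line.startswith(";"):
            found.add(line.split("=", 1)[0].strip().lower())
    return INI_KEYS <= found

def dropped_file_present(system_dir: Path) -> bool:
    """True if wversion.exe with the documented size is in the system directory.
    Names are compared case-insensitively, as the image may sit on a case-sensitive host."""
    return any(p.name.lower() == DROPPED_NAME and p.is_file()
               and p.stat().st_size == DROPPED_SIZE for p in system_dir.iterdir())

def triage(mbr_dump: bytes, win_ini_text: str, system_dir: Path) -> list[str]:
    """Return the names of the indicators that matched."""
    checks = [("MBR marker string", mbr_has_marker(mbr_dump)),
              ("win.ini [MSSOFT] entries", win_ini_has_entries(win_ini_text)),
              ("dropped file", dropped_file_present(system_dir))]
    return [name for name, hit in checks if hit]

if __name__ == "__main__":
    import tempfile
    # Constructed sample evidence, not captured from a real infection.
    mbr = b"\x00" * 64 + MBR_MARKER.encode("ascii") + b"\x00" * 416 + b"\x55\xaa"
    ini = "[fonts]\n[MSSOFT]\nLastName=x1\nFirstName=x2\nLocation=x3\n"
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / DROPPED_NAME).write_bytes(b"\x00" * DROPPED_SIZE)
        print(triage(mbr, ini, Path(tmp)))
```

A match on the file size alone is weak evidence; the MBR string and the win.ini section together are the stronger signal.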