Threat Encyclopedia


Short description
Win32/KillFiles.NCI is a trojan which deletes files with specific file extensions. The trojan tries to download and execute several files from the Internet.
Installation
When executed, the trojan creates the following files:
  • %system%\netlmgr.dll (86016 B)
The file is then executed.
Payload information
The trojan searches local drives for files with the following file extensions:
  • .doc
  • .hwp
  • .ppt
  • .xls
The trojan compresses each found file into a password protected archive. The password is randomly generated.

The file name and extension of the newly created file are derived from the original ones. An additional ".gz" extension is appended.

The trojan then deletes the original files.
Information stealing
The trojan searches local drives for files with the following file extensions:
  • .lnk
  • .url
Only folders that contain one of the following strings in their path are searched:
  • Documents and Settings
  • FOUND.0
  • I386
  • MSOCache
  • Program Files
The collected information is stored in the following file:
  • %temp%\~DBF%variable%.tmp
A string with variable content is used instead of %variable%.

The trojan can send the information to a remote machine.
Other information
The trojan contains a list of URLs. It tries to download several files from these addresses. The HTTP protocol is used.

The downloaded files are stored in the following locations:
  • %temp%\~ZSB%variable%.tmp
A string with variable content is used instead of %variable%.

The trojan creates copies of the following files (source, destination):
  • %temp%\~ZSB%variable%.tmp, msiexec%number%.exe
A string with variable content is used instead of %number%.

The files are then executed.

The trojan creates the following files:
  • ~SDSTY.bat
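
For triage, the file artifacts listed in this description can be matched against a file listing exported from a suspect machine. The following is an added example, not part of the original entry or any vendor tool: the function name `triage`, the labels and the sample listing are constructed for illustration. It assumes %variable% and %number% can be any string, and it treats a ".gz" archive of a targeted document type as suspicious only when the original file is no longer present.

```python
import re
from pathlib import PureWindowsPath

# File-name patterns taken from the description above; "%variable%" and
# "%number%" are unknown strings, so they are matched as wildcards.
NAME_PATTERNS = {
    "dropped DLL": re.compile(r"^netlmgr\.dll$", re.I),
    "collected-data file": re.compile(r"^~DBF.*\.tmp$", re.I),
    "downloaded file": re.compile(r"^~ZSB.*\.tmp$", re.I),
    # ".+" keeps the legitimate msiexec.exe from matching.
    "executed copy": re.compile(r"^msiexec.+\.exe$", re.I),
    "batch file": re.compile(r"^~SDSTY\.bat$", re.I),
}
# Document extensions the trojan archives with an extra ".gz" appended.
ARCHIVED = re.compile(r"\.(doc|hwp|ppt|xls)\.gz$", re.I)

def triage(paths):
    """Return sorted (label, path) pairs for listing entries that match."""
    present = {p.lower() for p in paths}
    hits = []
    for p in paths:
        name = PureWindowsPath(p).name
        for label, rx in NAME_PATTERNS.items():
            if rx.match(name):
                hits.append((label, p))
        # An archive whose original is gone fits the compress-then-delete step.
        if ARCHIVED.search(name) and p[:-3].lower() not in present:
            hits.append(("archived document, original missing", p))
    return sorted(hits)

# Constructed listing for illustration; the directories are assumptions.
SAMPLE = [
    r"C:\WINDOWS\system32\netlmgr.dll",
    r"C:\WINDOWS\system32\msiexec.exe",
    r"C:\Temp\~DBF3a1.tmp",
    r"C:\Temp\~ZSB77.tmp",
    r"C:\Temp\msiexec2.exe",
    r"C:\Docs\report.doc.gz",
    r"C:\Docs\budget.xls",
    r"C:\Docs\budget.xls.gz",
]

if __name__ == "__main__":
    for label, path in triage(SAMPLE):
        print(f"{label}: {path}")
```

A name match is a lead for further examination, not proof of infection; confirm with a scanner and the file's size and location.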