A trojan program that carries out destructive actions on the user’s computer. It is a Windows dynamic-link library (PE-DLL file), 9728 bytes in size, written in C++.
The malicious library exports a single function named “testall”; calling it carries out the actions described below.
If the “avp.exe” process is running on the system, the trojan tries to unload the following modules from that process’s address space:
The trojan then disables automatic startup of the “avp” service by running the command:
sc config avp start= disabled
It then terminates the “avp.exe” process with the “taskkill.exe” utility:
taskkill.exe /f /t /im avp.exe
The trojan then enumerates the running processes and acts on them as follows.
If it finds the following processes:
it stops and deletes the corresponding service:
If it finds the process “ekrn.exe”, it deletes the “ekrn” service by running the command:
cmd /c sc delete ekrn
If it finds the “avp.exe” process, it runs the command:
cmd /c sc config avp start= disabled
taskkill.exe /im avp.exe /f
This disables automatic startup of the “avp” service and terminates the “avp.exe” process. The trojan then exits.
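The behaviour above is visible in process-creation telemetry: the trojan does not touch the anti-virus product directly, it shells out to “sc” and “taskkill.exe”. The following detector is an added example (not code from the original page or from any vendor) that runs over a handful of constructed Sysmon-style process-creation records and flags the three tampering patterns the page describes: disabling a security service with “sc config … start= disabled”, stopping or deleting it with “sc stop”/“sc delete”, and killing its process with “taskkill … /im”. The service and process names (“avp”, “ekrn”, “avp.exe”, “ekrn.exe”) are taken from the page; the sample events, the event field names and the “cmd /c” wrapper handling are assumptions made for the example. It tolerates the flag orderings seen on the page (“/f /t /im avp.exe” and “/im avp.exe /f”) and the space that “sc” requires after “start=”, and it then correlates a service change on a product with a later kill of that product’s process, which is the sequence the page describes.

```python
# Detection logic for anti-virus tampering via sc / taskkill.  Added example,
# not part of the original description.  Sample events are constructed.

AV_SERVICES = {"avp", "ekrn"}            # service names taken from the page
AV_PROCESSES = {"avp.exe", "ekrn.exe"}   # process names taken from the page

# Constructed process-creation events in a Sysmon Event ID 1-like shape
# (field names are an assumption of this example, not a product format).
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": "cmd /c sc config avp start= disabled"},
    {"pid": 4122, "cmdline": "taskkill.exe /f /t /im avp.exe"},
    {"pid": 4130, "cmdline": "cmd /c sc delete ekrn"},
    {"pid": 4140, "cmdline": "sc config spooler start= demand"},   # benign admin change
    {"pid": 4150, "cmdline": "taskkill /im notepad.exe /f"},      # benign kill
]


def _tokens(cmdline):
    """Lower-case and split a command line, drop a leading 'cmd /c' wrapper,
    and glue 'start=' to its value, since sc's syntax puts a space after '='."""
    toks = cmdline.lower().split()
    if len(toks) >= 2 and toks[0] in ("cmd", "cmd.exe") and toks[1] == "/c":
        toks = toks[2:]
    out, i = [], 0
    while i < len(toks):
        if toks[i].endswith("=") and i + 1 < len(toks):
            out.append(toks[i] + toks[i + 1])
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


def _basename(tok):
    """Strip any directory part so 'C:\\Windows\\System32\\sc.exe' matches 'sc.exe'."""
    return tok.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]


def classify(cmdline):
    """Return (technique, target) when the command line tampers with a known
    anti-virus service or process, otherwise None."""
    toks = _tokens(cmdline)
    if not toks:
        return None
    exe = _basename(toks[0])
    if exe in ("sc", "sc.exe") and len(toks) >= 3:
        verb, svc = toks[1], toks[2]
        if svc in AV_SERVICES:
            if verb == "config" and "start=disabled" in toks[3:]:
                return ("service_disabled", svc)
            if verb in ("stop", "delete"):
                return ("service_" + verb, svc)
    elif exe in ("taskkill", "taskkill.exe"):
        # /im may appear anywhere; the image name is the token after it
        for i, t in enumerate(toks[1:-1], start=1):
            if t == "/im" and toks[i + 1] in AV_PROCESSES:
                return ("process_killed", toks[i + 1])
    return None


def detect(events):
    """Run classify() over events (in time order) and collect the hits."""
    findings = []
    for ev in events:
        hit = classify(ev["cmdline"])
        if hit:
            findings.append({"pid": ev["pid"], "technique": hit[0], "target": hit[1]})
    return findings


def correlate(findings):
    """Products for which a service change was followed by a kill of the
    product's process: the page's disable-then-kill sequence, high confidence."""
    touched, confirmed = set(), set()
    for f in findings:
        if f["technique"].startswith("service_"):
            touched.add(f["target"])
        elif f["technique"] == "process_killed":
            name = f["target"][:-len(".exe")]
            if name in touched:
                confirmed.add(name)
    return confirmed


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"pid {h['pid']}: {h['technique']} -> {h['target']}")
    print("disable-then-kill sequence seen for:", sorted(correlate(hits)))
```

Run against the constructed events it reports the “avp” disable, the “avp.exe” kill and the “ekrn” deletion, ignores the two benign commands, and correlates only “avp”, because the page’s sequence (service disabled, then process killed) is complete for that product only. A single “sc config … start= disabled” on a security service is already worth an alert; the correlation step is what separates a deliberate kill chain from an administrator’s one-off change.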
If your computer was not protected by anti-virus software and has been infected with this malware, take the following steps to remove it:
Delete the original trojan file (its location on the infected computer depends on how the program got onto the computer).
Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases.
Note that the trojan leaves the “avp” service set to disabled and removes the “ekrn” service, so an affected anti-virus product has to be re-enabled or reinstalled before it can scan the system.