



KillWin.AR

Name: KillWin.AR
Category: Trojan
Type: Trojan
Platform: Win32
Date of Discovery: November 09, 2005

Summary

KillWin.AR is a Trojan and a variant of KillWin. It disables certain features of the operating system, copies itself to the startup folder, and displays a message.

Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Additional Details

Once KillWin.AR has been executed, it will delete the first four boot entries on the system.

Here is an example of the boot entries:


KillWin.AR also deletes the following system file:
  •  %sysdir%\Hal.dll

This file is required in order to successfully boot the operating system.


After that, it drops the executed copy of itself in the startup folder.

As part of its payload it will show the following file message:


As a finale to its malicious act, it shuts down the computer, with the shutdown timeout set to 1 second:


KillWin.AR is able to do these things with the help of a batch file, which is created in the following path:
  •  %temp%\bt[4 random numbers].bat

The file attribute is set to hidden.
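
The traces described above (the hidden bt[4 digits].bat file in %temp%, the missing Hal.dll, and a copy in the startup folder) can be checked against a file inventory collected from a suspect host. The following is an added example, not part of the original description; the (path, hidden) inventory format, the sample paths and the .exe filter on the startup folder are assumptions.

```python
import ntpath
import re

# Batch file name given on the page: "bt" + four digits + ".bat".
BATCH_RE = re.compile(r"^bt\d{4}\.bat$")


def _norm(path):
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normcase(ntpath.normpath(path))


def triage(inventory, temp_dir, sys_dir, startup_dir):
    """Return (level, kind, path) findings for the traces on the page.

    inventory: (path, hidden) tuples, a hypothetical export format; the
    three directories are the host's resolved %temp%, %sysdir% and
    startup folder.
    """
    temp_dir, sys_dir, startup_dir = map(_norm, (temp_dir, sys_dir, startup_dir))
    findings, hal_present = [], False
    for path, hidden in inventory:
        folder, name = ntpath.split(_norm(path))
        if folder == sys_dir and name == "hal.dll":
            hal_present = True
        elif folder == temp_dir and BATCH_RE.match(name):
            # The page says the file is hidden; a visible match is
            # still reported, at lower confidence.
            findings.append(("high" if hidden else "low", "batch file", path))
        elif folder == startup_dir and name.endswith(".exe"):
            # Assumption: the dropped copy keeps an .exe extension.
            findings.append(("review", "startup executable", path))
    if not hal_present:
        findings.append(("high", "missing system file", ntpath.join(sys_dir, "hal.dll")))
    return findings


# Constructed sample inventory and directories (not from a real host).
TEMP = r"C:\Documents and Settings\a\Local Settings\Temp"
SYS = r"C:\WINDOWS\system32"
STARTUP = r"C:\Documents and Settings\a\Start Menu\Programs\Startup"
SAMPLE = [
    (TEMP + r"\bt4821.bat", True),
    (TEMP + r"\bt12345.bat", True),      # five digits: not the pattern
    (TEMP + r"\sub\bt0001.bat", True),   # not directly in %temp%
    (STARTUP + r"\x.exe", False),
    (SYS + r"\kernel32.dll", False),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE, TEMP, SYS, STARTUP):
        print(finding)
```

Startup-folder hits are marked "review" because the page does not give the name of the dropped copy, so legitimate startup programs will also appear there.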