Name :	Trojan:W32/KillWin.AR
Detection Names :	Trojan.bat.killwin
Category:	Malware
Type:	Trojan
Platform:	W32
Date of Discovery:	November 09, 2005

A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. It is usually user-initiated and does not replicate.

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Trojan:W32/KillWin.AR is a trojan that disables certain features of the Operating System and copies itself to the startup folder. KillWin.AR outputs a message.


Execution

Once KillWin.AR has been executed, it will delete the first four boot entries on the system.

Here is an example of the boot entries:




KillWinn.AR also deletes the following system file:


This file is required in order to succesfully boot the operating system.




After which, it will drop the executed copy of itself in the startup folder.

To execute its payload, the trojan creates a batch file, which is created in the following path:


The file attribute is set to hidden.


Payload

As part of its payload it will show the following file message:




As a finale to its malicious act, it will shutdown the computer and sets its shutdown timeout to 1 second: