My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus




Presence of the following files:

  • %WinDir%\system\pcii.sys
  • %WinDir%\Fonts\sysin.ini

The %TEMP% folder will contain three files with name beginning with abb (e.g. abb1.tmp).

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Andrea Takacs, virus researcher

Technical Description:

Win32.Worm.KillAV.PDO reduces the security level of the computer: it terminates the processes belonging to security tools like antivirus programs and firewalls, leaving the computer defenseless against other malware attacks. It will also delete the executables corresponding to security programs and ensures that they won't be able to run even after a reinstallation.
Win32.Worm.KillAV.PDO is a DLL and will perform its malicious actions only if it's loaded into explorer.exe or 360safe.exe.
Upon initialization it will create a driver in %WinDir%\sysmtem\pcii.sys and registers it as a service. The driver will create a device called \\.\WCCCI, which will be used for communication between the dll and the dropped driver.
The dll part of the malware will search for running antivirus processes and will send their path and process ID to the device created by the driver. If a process ID is received, the driver will try to unmap sections from ntdll.dll, which will cause antivirus programs to crash when trying to call functions from it. If a path to the executable of an antivirus is received, the executable will be deleted.
The following processes will be affected:
        360rpt.exe, 360SafeBox.exe, 360Safe.exe,
        360sd.exe, 360tray.exe, arpfw.exe,
        AutoRun.exe, AvMonitor.exe, Frameworkservice.exe,
        GuardField.exe, HijackThis.exe, IceSword.exe,
        kav32.exe, kavstart.exe, KRegEx.exe,
        krnl360svc.exe, KvSrvXp.exe, kvwsc.exe,
        kwatch.exe, mmsk.exe, Navapsvc.exe,
        Nod32kui.exe, RavMond.exe, Ravservice.exe,
        RavTask.exe, Ravtray.exe, Regedit.exe,
        rfwProxy.exe, rfwsrv.exe, RsAgent.exe
        RsMain.exe, safeboxTray.exe, ScanFrm.exe
        SuperKiller.exe, TrojDie.kxp,
        TrojanDetector.exe, Trojanwall.exe etc.
To ensure that security applications won't run even after a reinstallation it will search for security applications in the SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options registry key and will add a Debugger key with the value "ntsd -d" to each key corresponding to security applications. Since a normal user doesn't have a kernel mode debugger on his computer, those applications won't run.

At certain intervals it will check if the currently active window's class is equal to AfxControlBar42s and will send a WM_CLOSE message to that window.
This trojan is also a downloader. On a separate thread, it will download a file from http://[removed] into %WinDir%\Fonts\sysin.ini. This file contains the following encrypted urls:
From these urls it will download three files and will execute them. The files will be downloaded in the %TEMP% directory and their name will begin with "abb" followed by a random number. At the time of writing this, these urls were offline.