
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


KillRDLL.A

  • Threat level: Low threat
  • Damage: High
  • Distribution: Not widespread

Effects 

KillRDLL.A carries out the following actions:

  • Whenever the user accesses any directory, it creates a copy of itself with the icon of a Windows folder and hides the extension so that the user thinks it is a folder.
  • If the user accesses a subdirectory, it will also create a copy of itself disguised as a folder.
  • The Favorites folder shown in the image is in fact a copy of the Trojan disguised as a Windows folder.

  • These are some of the names it uses to create copies of itself, among others:
    Angelina Jolie
    Clips
    Documents
    Favorites
    Flash Games
    Games
    My Documents
    My Folder
    Picture
    Video
    WallPapers
  • Additionally, when it is run, it opens the website of a search engine which falsifies the results.

Infection strategy 

KillRDLL.A creates a copy of itself in the Windows system directory, using the name with which the file has been run.

Additionally, it creates the file RUNDLL32.EXE in the following directories:

  • in the folder dllcache of the Windows system directory.
  • in the folder LastGood\system32 of the Windows directory.


KillRDLL.A creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    %name with which it has been run% = %sysdir%\%name with which it has been run%.exe
    where %sysdir% is the Windows system directory.
    By creating this entry, KillRDLL.A ensures that it is run whenever Windows is started.

KillRDLL.A modifies the following entry from the Windows Registry, in order to hide itself and make its detection more difficult:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    HideFileExt = 00, 00, 00, 00

    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    HideFileExt = 01, 00, 00, 00
    By modifying this entry, it hides the extension of the files.

Means of transmission 

KillRDLL.A does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

KillRDLL.A is 97,280 bytes in size and is compressed with UPX.
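
The indicators described on this page can be combined into a simple triage check. The following is an added example, not code from Panda Security: the function name `triage`, the snapshot format (a file listing plus a dictionary of registry values) and the sample data are assumptions constructed for illustration.

```python
import ntpath

# Decoy names listed on the page (the page says there are others).
DECOY_NAMES = {"angelina jolie", "clips", "documents", "favorites",
               "flash games", "games", "my documents", "my folder",
               "picture", "video", "wallpapers"}
SAMPLE_SIZE = 97280  # bytes, from "Further Details"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ADV_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
           r"\CurrentVersion\Explorer\Advanced")

def triage(files, registry, sysdir=r"C:\WINDOWS\system32"):
    """files: [(path, size)]; registry: {key: {value_name: data}}."""
    findings = []
    for path, size in files:
        stem, ext = ntpath.splitext(ntpath.basename(path))
        # An executable carrying one of the folder-like names is the disguise.
        if ext.lower() == ".exe" and stem.lower() in DECOY_NAMES:
            note = "size matches sample" if size == SAMPLE_SIZE else "size differs"
            findings.append(("decoy-exe", path, note))
    for name, data in registry.get(RUN_KEY, {}).items():
        # Page pattern: <name> = %sysdir%\<name>.exe
        expected = ntpath.join(sysdir, name + ".exe")
        if data.strip('"').lower() == expected.lower():
            findings.append(("self-named-run-entry", name, data))
    raw = registry.get(ADV_KEY, {}).get("HideFileExt", b"")
    # 01,00,00,00 is a little-endian DWORD 1. Extensions are also hidden on a
    # default Windows install, so this is context, not a detection on its own.
    if int.from_bytes(raw, "little") == 1:
        findings.append(("extensions-hidden", ADV_KEY, "HideFileExt=1"))
    return findings

# Constructed sample snapshot, not data from a real host.
SAMPLE_FILES = [
    (r"C:\Users\test\Favorites.exe", 97280),
    (r"C:\Users\test\Games", 0),               # a real folder, no extension
    (r"C:\Users\test\setup.exe", 120000),
    (r"C:\WINDOWS\system32\Favorites.exe", 97280),
]
SAMPLE_REGISTRY = {
    RUN_KEY: {"Favorites": r"C:\WINDOWS\system32\Favorites.exe",
              "Updater": r"C:\Program Files\Vendor\upd.exe"},
    ADV_KEY: {"HideFileExt": bytes([1, 0, 0, 0])},
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, SAMPLE_REGISTRY):
        print(finding)
```

Legitimate software can also register a Run value named after its own executable in the system directory, so a `self-named-run-entry` finding is a candidate to review alongside the other findings rather than a verdict.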