
Encyclopedia

KillRDLL.A

 
Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

KillRDLL.A carries out the following actions:

  • Whenever the user accesses any directory, it creates a copy of itself with the icon of a Windows folder and hides the extension so that the user thinks it is a folder.
  • If the user accesses a subdirectory, it will also create a copy of itself disguised as a folder.
  • In the image, the folder Favorites is in fact a copy of the Trojan disguised as a Windows folder:

  • These are some of the names it uses to create copies of itself, among others:
    Angelina Jolie
    Clips
    Documents
    Favorites
    Flash Games
    Games
    My Documents
    My Folder
    Picture
    Video
    WallPapers
  • Additionally, when it is run, it opens the website of a search engine which falsifies the results:

Infection strategy 

KillRDLL.A creates a copy of itself in the Windows system directory, using the name with which the file has been run.

Additionally, it creates the file RUNDLL32.EXE in the following directories:

  • in the folder dllcache of the Windows system directory.
  • in the folder LastGood\system32 of the Windows directory.

 

KillRDLL.A creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    %name with which it has been run% = %sysdir%\%name with which it has been run%.exe
    where %sysdir% is the Windows system directory.
    By creating this entry, KillRDLL.A ensures that it is run whenever Windows is started.

KillRDLL.A modifies the following entry from the Windows Registry, in order to hide itself and make its detection more difficult:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    HideFileExt = 00, 00, 00, 00

    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    HideFileExt = 01, 00, 00, 00
    By modifying this entry, it hides the extension of the files.
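
A triage check for the indicators described above, as an added example that is not part of the original entry or Panda's own tooling. It reads the text printed by `reg query` for the two keys plus a list of file paths; the function names, the default system directory and all sample input are assumptions constructed for illustration.

```python
import ntpath
import re

# Decoy names from this entry (the page says "among others", so not exhaustive).
DECOYS = {"angelina jolie", "clips", "documents", "favorites", "flash games",
          "games", "my documents", "my folder", "picture", "video", "wallpapers"}
REG_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Map value name -> data from the text printed by `reg query <key>`."""
    return {m.group(1): m.group(3).strip()
            for m in map(REG_LINE.match, text.splitlines()) if m}

def run_key_leads(run_text, sysdir=r"C:\WINDOWS\system32"):
    r"""Run values shaped <name> = <sysdir>\<name>.exe, plus a decoy-name flag.
    Legitimate entries can share this shape, so the flag ranks the leads."""
    leads = []
    for name, data in parse_reg_query(run_text).items():
        folder, fname = ntpath.split(data.strip('"'))
        stem, ext = ntpath.splitext(fname)
        if (ext.lower(), stem.lower(), folder.lower()) == (".exe", name.lower(), sysdir.lower()):
            leads.append((name, name.lower() in DECOYS))
    return leads

def extensions_hidden(advanced_text):
    """True if HideFileExt is 1 (also the Windows default, so weak on its own)."""
    return int(parse_reg_query(advanced_text).get("HideFileExt", "0x0"), 16) == 1

def fake_folders(paths):
    """Executables whose base name is one of the decoy folder names."""
    hits = []
    for path in paths:
        stem, ext = ntpath.splitext(ntpath.basename(path))
        if ext.lower() == ".exe" and stem.lower() in DECOYS:
            hits.append(path)
    return hits

# Constructed sample input, not captured from a real host.
RUN_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Favorites    REG_SZ    C:\WINDOWS\system32\Favorites.exe
    Updater    REG_SZ    "C:\Program Files\Example\update.exe"
"""
ADVANCED_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    HideFileExt    REG_DWORD    0x1
"""
FILES_SAMPLE = [r"D:\share\My Folder.exe", r"D:\share\setup.exe", r"D:\share\Documents"]
```

On the sample, both `ctfmon` and `Favorites` match the Run-key shape, but only `Favorites` also carries a decoy name, which is why the three checks are meant to be read together.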

Means of transmission 

KillRDLL.A does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

KillRDLL.A is 97,280 bytes in size and is compressed with UPX.

Last updated:  25/06/2009 
