
Trojan.KillDisk removal guide


Trojan.KillDisk is classified as dangerous by most of the antivirus vendors listed below. While the infection is active you may notice unfamiliar processes in the Task Manager list, and the sandbox report below shows it opening a raw handle to the physical disk. If you see these signs, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. The trial version lets you run a complete scan and clean your PC.
6-day free trial available.

What can the Trojan.KillDisk virus do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
  • Possible date expiration check, exits too soon after checking local time
  • Creates RWX memory
  • Dynamic (imported) function loading detected
  • A process created a hidden window
  • The binary contains an unknown PE section name indicative of packing
  • The binary likely contains encrypted or compressed data
  • The executable is compressed using UPX
  • Authenticode signature is invalid
  • A ping command was executed with the -n argument possibly to delay analysis
  • Uses Windows utilities for basic functionality
  • Likely installs a bootkit via raw harddisk modifications
  • Attempted to write directly to a physical drive
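The behaviours in the list above are sandbox signatures, but the same indicators can be pulled out of an API trace by hand. The following is an added example, not code from this page or from the CAPE sandbox: it scans a constructed, CAPE-style API trace (the "timestamp pid api key=value" layout is an assumption made for illustration) and tags the anti-debug filter, the self-terminating cmd /C shell, the ping -n delay, RWX allocations and, most importantly for KillDisk-type malware, a writable handle opened on \\.\PhysicalDriveN.

```python
"""Tag KillDisk-style behaviours in a constructed CAPE-style API trace.

Added example, not part of the original page or of CAPE. Log layout
(timestamp, pid, api name, key=value args) is an assumption; the sample
trace below is constructed to resemble the behaviours listed above.
"""
import re

# Constructed sample trace (assumed layout, not real sandbox output).
SAMPLE_TRACE = r"""
10:00:01 1234 NtCreateFile FileName=\??\C:\Users\u\AppData\Local\Temp\gyw.exe DesiredAccess=0x80000000
10:00:02 1234 SetUnhandledExceptionFilter TopLevelExceptionFilter=0x00401a20
10:00:02 1234 CreateProcessInternalW CommandLine="cmd.exe /C ping 127.0.0.1 -n 5 > nul & del gyw.exe"
10:00:03 1234 NtCreateFile FileName=\??\PhysicalDrive0 DesiredAccess=0xc0000000
10:00:03 1234 NtWriteFile FileHandle=0x1ac Offset=0 Length=512
10:00:04 1234 NtAllocateVirtualMemory Protection=0x40 RegionSize=0x10000
"""

# A benign-looking trace for comparison (also constructed).
BENIGN_TRACE = r"""
10:00:01 4321 NtCreateFile FileName=\??\C:\Users\u\notes.txt DesiredAccess=0x80000000
10:00:02 4321 NtAllocateVirtualMemory Protection=0x04 RegionSize=0x1000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<pid>\d+)\s+(?P<api>\w+)\s*(?P<args>.*)$")
ARG_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Matches the NT (\??\) or Win32 (\\.\) spelling of a raw physical-drive device.
PHYSDRIVE_RE = re.compile(r"(?i)^\\(\?\?|\.)\\PhysicalDrive\d+$")

GENERIC_WRITE = 0x40000000
FILE_WRITE_DATA = 0x2
PAGE_EXECUTE_READWRITE = 0x40


def parse_args(text):
    """Turn 'Key=value Key2="quoted value"' into a dict."""
    out = {}
    for m in ARG_RE.finditer(text):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return out


def classify(api, args):
    """Return the set of behaviour tags a single API call triggers."""
    tags = set()
    if api == "SetUnhandledExceptionFilter":
        tags.add("anti_debug_seh_filter")
    if api in ("NtCreateFile", "CreateFileW", "CreateFileA"):
        name = args.get("FileName", "")
        access = int(args.get("DesiredAccess", "0"), 16)
        if PHYSDRIVE_RE.match(name) and access & (GENERIC_WRITE | FILE_WRITE_DATA):
            tags.add("raw_disk_write_handle")
    if api in ("CreateProcessInternalW", "ShellExecuteExW"):
        cmd = args.get("CommandLine", "")
        if re.search(r"(?i)\bcmd(\.exe)?\s+/[cr]\b", cmd):
            tags.add("cmd_self_terminating_shell")
        if re.search(r"(?i)\bping\b[^&|]*\s-n\s+\d+", cmd):
            tags.add("ping_delay")
    if api == "NtAllocateVirtualMemory":
        prot = int(args.get("Protection", "0"), 16)
        if prot & PAGE_EXECUTE_READWRITE == PAGE_EXECUTE_READWRITE:
            tags.add("rwx_memory")
    return tags


def scan_trace(trace):
    """Map each pid to the union of behaviour tags seen in its calls."""
    per_pid = {}
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        tags = classify(m.group("api"), parse_args(m.group("args")))
        per_pid.setdefault(m.group("pid"), set()).update(tags)
    return per_pid


def killdisk_like(tags):
    """A raw writable disk handle is the decisive indicator; the rest support it."""
    return "raw_disk_write_handle" in tags and len(tags) >= 2


if __name__ == "__main__":
    for pid, tags in scan_trace(SAMPLE_TRACE).items():
        print(pid, sorted(tags), "KillDisk-like" if killdisk_like(tags) else "")
```

The regular expressions for the shell and ping patterns are deliberately narrow; a broader hunt would also look for the later NtWriteFile on the same handle (Offset=0 is the MBR) rather than stopping at the handle open.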

How to identify Trojan.KillDisk?

File Info:

name: CCC8E45C4ED57B504AB6.mlw
path: /opt/CAPEv2/storage/binaries/a26d83e214d7ffb96f202b215aab810ddf4cbf3c625eae84e9acec957866f38c
crc32: 7D177948
md5: ccc8e45c4ed57b504ab695f08d401b9e
sha1: 25fc306678abf472d9b769571af920ba1b1da114
sha256: a26d83e214d7ffb96f202b215aab810ddf4cbf3c625eae84e9acec957866f38c
sha512: c6e8de5a1947b35c632619436ac8c4eb498e68525ee69b56bb46e4d5872e206fe1d860e97af526708f71df585f0bf388f5d1c57cb6c02cbee5bb07ade12d2b1e
ssdeep: 3072:AVZ/VGS7rN+WH9vd00fNmctvDJYsv6DoutQ:AV28o4pBxvMoS
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T12EA302AFB2A8AEAEF0B0C079298F2D55F665D75AB3D48177DCE0237D5841A08731910F
sha3_384: 2186130eba93377ba0853fbb6e8c3f68d7849daca97d16607229363cee4295bc2373c4e95d672fcd610e3771b0a15166
ep_bytes: 60be151041008dbeebfffeff5789e58d
timestamp: 2019-07-30 08:52:50

Version Info:

FileVersion: 0.0.0.1
ProductVersion: 0.0.0.1
ProductName: gyw
OriginalFilename: gyw.exe
InternalName: gyw
FileDescription: gyw
CompanyName: gyw
LegalTrademarks: gyw
LegalCopyright: gyw
PrivateBuild: gyw
SpecialBuild: gyw
Comments: gyw
Translation: 0x0000 0x04e4
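The File Info and Version Info blocks above give a practitioner three things to check on a suspect file: the hashes, the entry-point bytes (which are the standard UPX x86 unpacker prologue, pushad / mov esi,imm32 / lea edi,[esi+imm32] / push edi) and the fact that every version-info string is the same placeholder. The script below is an added example, not code from this page or from CAPE; the hashes, ep_bytes and version strings are transcribed from the report above, and the UPX stub layout is the well-known one, not something the page states.

```python
"""Static triage of the indicators listed in File Info / Version Info above.

Added example, not part of the original page or of CAPE. The hash values,
entry-point bytes and version-info strings are taken from the report above;
the UPX stub pattern is the standard x86 UPX unpacker prologue.
"""
import hashlib
import struct

# Hashes transcribed from the File Info block above.
IOC_HASHES = {
    "md5": "ccc8e45c4ed57b504ab695f08d401b9e",
    "sha1": "25fc306678abf472d9b769571af920ba1b1da114",
    "sha256": "a26d83e214d7ffb96f202b215aab810ddf4cbf3c625eae84e9acec957866f38c",
}

# Entry-point bytes transcribed from the report above.
REPORT_EP_BYTES = bytes.fromhex("60be151041008dbeebfffeff5789e58d")

# Version Info transcribed from the report above.
VERSION_INFO = {
    "FileVersion": "0.0.0.1", "ProductVersion": "0.0.0.1",
    "ProductName": "gyw", "OriginalFilename": "gyw.exe", "InternalName": "gyw",
    "FileDescription": "gyw", "CompanyName": "gyw", "LegalTrademarks": "gyw",
    "LegalCopyright": "gyw", "PrivateBuild": "gyw", "SpecialBuild": "gyw",
    "Comments": "gyw",
}

# (opcode bytes, length of the immediate that follows) for the UPX prologue.
UPX_STUB = (
    (b"\x60", 0),      # pushad
    (b"\xbe", 4),      # mov esi, imm32  (packed data source)
    (b"\x8d\xbe", 4),  # lea edi, [esi + imm32]  (unpack destination)
    (b"\x57", 0),      # push edi
)


def digests(data):
    """md5/sha1/sha256 of a byte string, same algorithms as the IOC list."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in IOC_HASHES}


def matches_ioc(data):
    """True if any digest of the data equals the reported sample's digest."""
    d = digests(data)
    return any(d[alg] == IOC_HASHES[alg] for alg in IOC_HASHES)


def matches_known_digest(hexdigest):
    """True if a digest string (any of the three algorithms) is on the IOC list."""
    return hexdigest.lower() in IOC_HASHES.values()


def looks_like_upx_stub(ep_bytes):
    """Check the entry bytes against the UPX pushad/mov/lea/push prologue."""
    i = 0
    for opcode, imm_len in UPX_STUB:
        if ep_bytes[i:i + len(opcode)] != opcode:
            return False
        i += len(opcode) + imm_len
    return True


def upx_unpack_target(ep_bytes):
    """Decode (source esi, destination edi) from the stub's two immediates."""
    if not looks_like_upx_stub(ep_bytes):
        return None
    src = struct.unpack_from("<I", ep_bytes, 2)[0]          # after 0x60 0xBE
    delta = struct.unpack_from("<i", ep_bytes, 8)[0]        # after 0x8D 0xBE
    return src, (src + delta) & 0xFFFFFFFF


def placeholder_version_info(vi):
    """True when every free-text version field carries one identical filler string."""
    text_fields = {k: v for k, v in vi.items() if not k.endswith("Version")}
    stems = {v.split(".")[0] for v in text_fields.values()}
    return len(text_fields) >= 3 and len(stems) == 1


if __name__ == "__main__":
    print("UPX stub:", looks_like_upx_stub(REPORT_EP_BYTES))
    src, dst = upx_unpack_target(REPORT_EP_BYTES)
    print("unpacks from 0x%08x to 0x%08x" % (src, dst))
    print("placeholder version info:", placeholder_version_info(VERSION_INFO))
```

For the reported ep_bytes the stub decodes to a source of 0x00411015 and a destination of 0x00401000, i.e. the packed payload is inflated back into the first section of the image at load time, which is why a static scan of the file on disk sees only compressed data and an unknown section name.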

Trojan.KillDisk also known as:

Lionic: Trojan.Win32.DiskWriter.4!c
tehtris: Generic.Malware
Cynet: Malicious (score: 100)
FireEye: Generic.mg.ccc8e45c4ed57b50
McAfee: Artemis!CCC8E45C4ED5
Malwarebytes: Trojan.KillDisk
Zillya: Trojan.Generic.Win32.1652028
K7AntiVirus: Trojan ( 0051918e1 )
BitDefender: Gen:Variant.Barys.133095
K7GW: Trojan ( 0051918e1 )
Cybereason: malicious.c4ed57
Cyren: W32/ABRisk.DJTP-7308
Symantec: ML.Attribute.HighConfidence
Elastic: malicious (moderate confidence)
ESET-NOD32: Win32/KillDisk.NCU
APEX: Malicious
Paloalto: generic.ml
Kaspersky: Trojan.Win32.DiskWriter.hoh
Alibaba: Trojan:Win32/DiskWriter.97b71684
MicroWorld-eScan: Gen:Variant.Barys.133095
Avast: FileRepMalware [Inf]
Tencent: Malware.Win32.Gencirc.10ce4679
Ad-Aware: Gen:Variant.Barys.133095
Emsisoft: Gen:Variant.Barys.133095 (B)
VIPRE: Gen:Variant.Barys.133095
TrendMicro: TROJ_GEN.R002C0WF822
McAfee-GW-Edition: BehavesLike.Win32.Generic.cc
Sophos: Mal/Generic-S
SentinelOne: Static AI – Malicious PE
GData: Gen:Variant.Barys.133095
Avira: HEUR/AGEN.1215025
MAX: malware (ai score=83)
Arcabit: Trojan.Barys.D207E7
ZoneAlarm: Trojan.Win32.DiskWriter.hoh
Microsoft: Trojan:Win32/Tiggre!rfn
AhnLab-V3: Malware/Win32.Generic.C4374301
Acronis: suspicious
ALYac: Gen:Variant.Barys.133095
Cylance: Unsafe
TrendMicro-HouseCall: TROJ_GEN.R002C0WF822
Rising: Trojan.KillDisk!8.C4C (CLOUD)
Ikarus: Trojan.Win32.KillDisk
MaxSecure: Trojan.Malware.7164915.susgen
Fortinet: W32/KillDisk.NCU!tr.ransom
AVG: FileRepMalware [Inf]
CrowdStrike: win/malicious_confidence_90% (W)

How to remove Trojan.KillDisk?

Trojan.KillDisk removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • Click “Move to quarantine” for all detected items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the browser and options to reset, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
