AV Killer is currently the most widespread virus in China. In the first half of this year, three Chinese anti-virus companies listed this virus as their top-level virus alert.
Most virus writers share the same dream: to disable anti-virus software so the virus can run on a computer without any restriction. Many virus authors therefore try different methods of disabling anti-virus software. AV Killer is this kind of virus, and it uses the IFEO method.
What is IFEO?
IFEO stands for "Image File Execution Options", a Windows registry key originally intended for developers. When a program is started, Windows looks for a subkey named after the image file (the file name only, not the full path) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. If that subkey contains a string value named Debugger, Windows launches the program named in that value instead, with the original command line appended, the idea being that the "debugger" then starts the real program under its control. So if you want to run AA.exe, and the subkey ...\Image File Execution Options\AA.exe has Debugger set to BB.exe, the computer runs BB.exe instead of AA.exe. Nothing forces BB.exe to actually start AA.exe, so the same mechanism can silently replace or block any program by name, including anti-virus executables. Note that the redirection survives removal of the virus file itself: as long as the Debugger value remains, Windows fails to start the missing "debugger" and never starts the original program either.
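As an added example (not code from the original post), the following PowerShell audit lists every image name under the IFEO key that has a Debugger value, marks entries that are not on a small allow-list of known debuggers as suspicious, reports whether the target executable still exists, and can remove the value. The allow-list and the usage lines at the end are assumptions for illustration; extend the list for your own environment.

```powershell
# Added example, not code from the original post: audit the IFEO key for
# Debugger values, the mechanism AV Killer abuses, and optionally remove them.
# Reading works from a normal account; removal needs an elevated PowerShell.
$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Debuggers that are normal on a developer workstation (assumed allow-list).
$KnownGoodDebuggers = @('vsjitdebugger.exe', 'ntsd.exe', 'windbg.exe')

function Get-IfeoDebugger {
    # Returns one object per image name that carries a Debugger value.
    Get-ChildItem -Path $IfeoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        if ([string]::IsNullOrWhiteSpace($dbg)) { return }   # no Debugger value on this subkey

        # The value is a command line: the executable may be quoted and may be
        # followed by arguments (e.g. "ntsd -d"). Take the first token as the target.
        if ($dbg.StartsWith('"')) { $exe = $dbg.Split('"')[1] } else { $exe = $dbg.Split(' ')[0] }
        $exeName = [System.IO.Path]::GetFileName($exe)
        if (-not [System.IO.Path]::HasExtension($exeName)) { $exeName += '.exe' }

        # Get-Command resolves both full paths and bare names found on PATH.
        $resolved = (Get-Command $exe -ErrorAction SilentlyContinue).Path

        [PSCustomObject]@{
            Image        = $_.PSChildName        # the hijacked image name, e.g. an AV process
            Debugger     = $dbg
            # A missing target still blocks the image: Windows cannot start the
            # "debugger" and therefore never starts the original program.
            TargetExists = [bool]$resolved
            Suspicious   = -not ($KnownGoodDebuggers -contains $exeName)
        }
    }
}

function Remove-IfeoDebugger {
    # Deletes the Debugger value for each given image name (requires elevation).
    param([Parameter(Mandatory)][string[]]$Image)
    foreach ($name in $Image) {
        $key = Join-Path $IfeoPath $name
        if (Test-Path -LiteralPath $key) {
            Remove-ItemProperty -LiteralPath $key -Name 'Debugger' -ErrorAction Stop
            Write-Host "Removed Debugger value for $name"
        }
    }
}

# Usage (assumed): review the list first, then remove only what you have verified.
Get-IfeoDebugger | Format-Table -AutoSize
# Get-IfeoDebugger | Where-Object Suspicious | ForEach-Object { Remove-IfeoDebugger -Image $_.Image }
```

Removing the Debugger value is enough to restore the hijacked program; a Debugger entry that points at a path which no longer exists is a strong sign that a cleaned-up infection left its redirections behind and still keeps the anti-virus from starting.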
We have a sample of AV Killer, so we reversed it, which let us see how it modifies our computer configuration.