Mon, 06/08/2009 - 14:13 — Igor Donchenko
The Russian anti-virus vendor Doctor Web warns users of a new Trojan that deletes all files and directories on a compromised computer. First cases of machines getting infected by Trojan.KillFiles.904 have been registered in the first days of June 2009.
In a compromised system Trojan.KillFiles.904 searches for local and removable drives in the reversed alphabetic order (from Z to A). It removes all files and folders on available disks. If a file can’t be deleted (e.g. it is being used) the Trojan will assign it the “Hidden” attribute. The Trojan will delete all files and folders except Windows system files and directories so a user can lose all his data while his system is running the way it usually does.
The destructive feature makes the Trojan a unique piece of malware among malicious programs of the present. While most of them aim to extort money from a victim, KillFiles.904 won’t demand any investments into the business of cyber-criminals nor it will try to steal anything – its sole purpose is a complete removal of information stored in an infected system.
Perhaps, the Trojan is a successor of Win32.HLLW.Kati (aka Penetrator) that damages Microsoft Word and Excel documents as well as graphic and multimedia files. However, this species of malware is far more dangerous.
In the face of the danger of getting infected by Trojan.KillFiles.904 Doctor Web recommends all users to install and run only licensed anti-virus software with latest virus definitions.