
Virus:Win32/Viking.G


First posted on 23 August 2012.
Source: Microsoft

Aliases:

Virus:Win32/Viking.G is also known as Win32/Viking.Gen (AhnLab), W32/Virut.AI!Generic (Command), W32/Viking.BK (Norman), Win32.HLLW.Viking.4 (Dr.Web), Win32/Viking.N virus (ESET), Worm.Win32.Viking (Ikarus), Worm.Win32.Viking.n (Kaspersky), W32/HLLP.Philis.ap (McAfee), W32/Looked-B (Sophos), W32.Looked.P (Symantec), PE_LOOKED.AE (Trend Micro).

Explanation:

Virus:Win32/Viking.G is a virus that can infect other executable files. It may also spread to other computers in the network by copying itself to network shares. It may terminate other security-related software and download files from certain websites.



Installation

Virus:Win32/Viking.G drops and runs its virus code as the file "%windir%\logo1_.exe". This executable, in turn, copies itself as "%windir%\rundl132.exe", and modifies the system registry so that this copy runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "load"
With data: "%windir%\rundl132.exe"

Virus:Win32/Viking.G drops its DLL component as either "vdll.dll" or "dll1.dll". It creates the following registry entry as part of its installation process:

In subkey: HKLM\SOFTWARE\Soft\DownloadWWW\
Sets value: "auto"
With data: "1"

Spreads via...

File infection

Virus:Win32/Viking.G searches for executable files to infect from drives C: to Z:. It infects the file by prepending its code to the host program. It checks if the target file is already infected by comparing the infection marker 0x4479426B 'DyBk' located at the file header.

It avoids infecting files in the following folders:

  • Common Files
  • Complus Applications
  • Documents And Settings
  • Installshield Installation Information
  • Internet Explorer
  • Messenger
  • Microsoft Frontpage
  • Microsoft Office
  • Movie Maker
  • MSN Gaming Zone
  • Netmeeting
  • Outlook Express
  • Program Files
  • Recycled
  • System
  • System Volume Information
  • System32
  • Windows
  • Windows Media Player
  • Windows NT
  • Windowsupdate
  • Winnt


It also drops a non-malicious hidden file named "_desktop.ini" into each folder it has searched, which it uses as an infection marker. This file contains the current system date.
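As an added defender-side example (not part of the Microsoft write-up), the following Python helpers check a file's header region for the 'DyBk' infection marker described above and test whether the HKCU ...\Windows "load" value from the Installation section points at the rundl132.exe copy. The 1024-byte scan window and the acceptance of both byte orders are assumptions, because the write-up says only "at the file header" without giving an offset; the sample buffer is constructed for the demonstration.

```python
import re
import struct
from typing import Optional

# Infection marker named in the write-up: DWORD 0x4479426B, ASCII 'DyBk'.
# Assumption: the write-up says only "at the file header", so the first
# HEADER_SCAN_BYTES are searched and both byte orders are accepted.
MARKER_DWORD = 0x4479426B
MARKER_PATTERNS = (struct.pack(">I", MARKER_DWORD),   # b'DyBk' as written
                   struct.pack("<I", MARKER_DWORD))   # b'kByD' if stored LE
HEADER_SCAN_BYTES = 1024

def is_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' stub and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_infection_marker(data: bytes) -> Optional[int]:
    """Offset of the DyBk marker inside the header region, or None."""
    head = data[:HEADER_SCAN_BYTES]
    hits = [h for h in (head.find(p) for p in MARKER_PATTERNS) if h >= 0]
    return min(hits) if hits else None

def load_value_is_suspicious(load_data: str) -> bool:
    """True if the HKCU ...\\Windows 'load' value names the rundl132.exe copy.
    The value is normally empty; note the digit '1' that makes the name
    resemble the legitimate rundll32.exe."""
    return re.search(r"(^|[\\/])rundl132\.exe\s*$", load_data.strip(), re.I) is not None

def build_sample(infected: bool) -> bytes:
    """Constructed minimal PE-shaped buffer for testing (not a real binary)."""
    buf = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", buf, 0x3C, 0x40)       # e_lfanew -> 0x40
    buf += b"PE\0\0" + b"\0" * 0x3C               # NT signature, pad to 0x80
    if infected:
        buf += b"DyBk"                            # marker at offset 0x80
    return bytes(buf + b"\0" * 64)

if __name__ == "__main__":
    for flag in (True, False):
        sample = build_sample(flag)
        print("infected=%s pe=%s marker=%s" % (flag, is_pe(sample), find_infection_marker(sample)))
    print(load_value_is_suspicious(r"C:\WINDOWS\rundl132.exe"))
```

On a real host, feed `find_infection_marker` the bytes of each executable under the searched drives and `load_value_is_suspicious` the data read from the registry value; a hit on either is worth a closer look, not a verdict on its own.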

Network shares

Virus:Win32/Viking.G may send ICMP packets with the data "Hello, World" to IP addresses within the same subnet as the infected computer, or within the subnet starting with 192.168. If a computer answers back, Virus:Win32/Viking.G attempts to connect to it with the user name "administrator" and a blank password.

It attempts to enumerate shared folders to find executable files to infect. It also attempts to infect the computer by dropping a copy of itself in shared folders.



Payload

Downloads other files

The dropped DLL component is detected as Virus:Win32/Viking.gen!dll and is injected into either the "iexplore.exe" or "explorer.exe" process. Its purpose is to download other files from certain websites.

In the wild, Virus:Win32/Viking.gen!dll has been observed to download files from "wowchian.com" and "97725.com".

Terminate processes

Virus:Win32/Viking.G finds and closes windows related to "RavMon.exe". It also terminates one or more of the following processes, most of which are related to security:

  • eghost.exe
  • iparmor.exe
  • kavpfw.exe
  • mailmon.exe
  • mcshield.exe
  • ravmond.exe
  • regsvc.exe


Virus:Win32/Viking.G also terminates the service "Kingsoft AntiVirus Service".

Additional information

Virus:Win32/Viking.G creates a semaphore named "SemaphoreMe" to check its presence in system memory.



Analysis by Rex Plantado

Last update 23 August 2012
