
Virus:Win32/Viking.LO


First posted on 19 October 2010.
Source: SecurityHome

Aliases:

Virus:Win32/Viking.LO is also known as Win32/Viking.CM (AhnLab), Worm.Win32.Viking.mi (Authentium (Command)), Worm/Delf.3.AL (AVG), Win32/Looked.BA (CA), Win32.HLLW.Gavir.32 (Dr.Web), Win32/Viking.AW (ESET), Worm.Win32.Viking.mi (Kaspersky), W32/HLLP.Phillis.ba (McAfee), W32/Viking.Q (Norman), W32/Viking.AR (Panda), Mal/Lookdll-A (Sophos), Win32.Looked.P (Sunbelt Software), W32.Looked.AO (Symantec), PE_LOOKED.GB (Trend Micro).

Explanation:

Virus:Win32/Viking.LO is a file infecting virus that attempts to download arbitrary files from a remote server.
Installation

When run, Virus:Win32/Viking.LO creates the following files:

  • %windir%\rundl132.exe - virus body, detected as Virus:Win32/Viking.LO
  • %windir%\logo1_.exe - virus body, detected as Virus:Win32/Viking.LO
  • %windir%\dll.dll - downloader component (see Payload section below for additional detail)
  • <current folder>\<infected file name>.exe - host file
  • %TEMP%\$$a<random letter>.bat - batch script that loads the host file and deletes the infected file

Virus:Win32/Viking.LO modifies the registry to run the virus at each Windows start.

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "load"
With data: "%windir%\rundl132.exe"

The virus creates additional registry data.

In subkey: HKLM\SOFTWARE\Soft\DownloadWWW
Sets value: "auto"
With data: "1"

Spreads via…

File infection

Virus:Win32/Viking.LO attempts to infect files with the .EXE file extension on all fixed drives, excluding files within folders that have the following names:
  • Outlook Express
  • Windows Media Player
  • Internet Explorer
  • Program Files
  • Windows NT
  • WindowsUpdate
  • ComPlus Applications
  • NetMeeting
  • Common Files
  • Messenger
  • Microsoft Office
  • InstallShield Installation Information
  • MSN
  • Microsoft Frontpage
  • Movie Maker
  • Recycled
  • MSN Gaming Zone
  • system
  • system32
  • windows
  • winnt
  • Documents and Settings
  • System Volume Information

When an infected file is run, the virus drops a copy of the host file in the current directory using its original filename but with an additional '.exe' extension. For example, if an infected 'calc.exe' was executed, it would drop a copy of the host to 'calc.exe.exe'. It then deletes the infected file, renames the host to its original filename (with only one '.exe' extension) and executes the host. The virus accomplishes these tasks using the batch file created in the Temporary files folder.

Virus:Win32/Viking.LO drops a file named "_desktop.ini" with file attributes 'hidden' and 'system' in folders where files were infected, as a marker.

Payload

Terminates certain processes and services

Virus:Win32/Viking.LO attempts to close the application window with the following properties:

Title: RavMon.exe
Class: RavMonClass

The virus also attempts to terminate the following processes:
  • EGHOST.EXE
  • MAILMON.EXE
  • KAVPFW.EXE
  • IPARMOR.EXE
  • Ravmond.exe
  • regsvc.exe
  • RavMon.exe
  • mcshield.exe

Virus:Win32/Viking.LO attempts to stop the service "Kingsoft AntiVirus Services". In addition, the virus attempts to hide alert dialogs from Kaspersky Antivirus.

Downloads arbitrary files

Virus:Win32/Viking.LO drops its downloading component as "%windir%\dll.dll", which may be detected as Virus:Win32/Viking.IT. The virus injects code into the Windows process "Explorer.exe" to load it. The downloading component tries to download additional files from a remote server. One observed server is "www2.ii55.net". At the time of this writing, the server was unavailable.
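The host-based indicators in this write-up (the three dropped file names under %windir%, the "load" value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, the hidden+system "_desktop.ini" folder marker, the doubled "<name>.exe.exe" host copy and the "$$a<letter>.bat" loader script) are all checkable from a file listing and a registry export. The following Python triage script is an added example and is not part of the original write-up or of any vendor tool; the sample directory tree it builds is constructed from inert placeholder files purely for the demonstration, and the registry check takes the value data as a string (on a live Windows host you would read it with winreg, which is an assumption about how the script is fed, not something the write-up describes).

```python
"""Triage helper for the Viking.LO indicators listed in the write-up (added example).

Indicator names come from the write-up; build_sample_tree() creates a constructed,
inert directory layout so the scan can be exercised offline.
"""
import ntpath
import os
import re
import tempfile
from pathlib import Path

# Persistence: the write-up says this value is set to "%windir%\rundl132.exe".
LOAD_SUBKEY = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"
LOAD_VALUE_NAME = "load"

DROPPED_NAMES = {"rundl132.exe", "logo1_.exe", "dll.dll"}    # dropped under %windir%
MARKER_NAME = "_desktop.ini"                                # marker left in infected folders
BATCH_RE = re.compile(r"^\$\$a[a-z]\.bat$", re.IGNORECASE)  # %TEMP%\$$a<random letter>.bat
DOUBLE_EXE_RE = re.compile(r"\.exe\.exe$", re.IGNORECASE)   # <infected file name>.exe copy

# Win32 FILE_ATTRIBUTE_* bit values used by os.stat().st_file_attributes on Windows.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def suspicious_load_value(value):
    """True when the 'load' value data names the rundl132.exe dropper.

    The data is passed in as a string so the check works on a hive export or
    an offline listing; reading it live via winreg is left to the caller (assumption).
    """
    if not value:
        return False
    return ntpath.basename(value.strip().strip('"')).lower() == "rundl132.exe"


def is_hidden_system(path):
    """Hidden+system attribute check; None where the platform reports no attributes."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return None
    wanted = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    return (attrs & wanted) == wanted


def scan_tree(root):
    """Walk `root` and bucket file names that match the write-up's indicators."""
    findings = {"markers": [], "double_ext": [], "dropped": [], "batch": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            low = name.lower()
            if low == MARKER_NAME:
                # Keep the attribute result alongside the path: the write-up says the
                # marker carries hidden+system, so a bare _desktop.ini is weaker evidence.
                findings["markers"].append((str(path), is_hidden_system(path)))
            elif DOUBLE_EXE_RE.search(low):
                findings["double_ext"].append(str(path))
            elif low in DROPPED_NAMES:
                findings["dropped"].append(str(path))
            elif BATCH_RE.match(name):
                findings["batch"].append(str(path))
    return findings


def build_sample_tree(base):
    """Constructed layout mimicking the write-up's artefacts; every file is an inert placeholder."""
    base = Path(base)
    share = base / "share"
    share.mkdir(parents=True)
    (share / "calc.exe.exe").write_bytes(b"MZ placeholder")   # host copy with doubled extension
    (share / "_desktop.ini").write_text("marker placeholder")  # folder marker
    (share / "report.exe").write_bytes(b"MZ placeholder")      # ordinary file, must not match
    win = base / "windows"
    win.mkdir()
    (win / "rundl132.exe").write_bytes(b"MZ placeholder")      # dropped virus body name
    tmp = base / "temp"
    tmp.mkdir()
    (tmp / "$$ab.bat").write_text("@echo off\r\n")             # loader batch name pattern
    (tmp / "notes.bat").write_text("@echo off\r\n")            # unrelated batch, must not match
    return base


def demo():
    """Build the constructed tree in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmpdir:
        root = build_sample_tree(Path(tmpdir) / "host")
        return scan_tree(root)


if __name__ == "__main__":
    for bucket, hits in demo().items():
        print(f"{bucket}: {hits}")
    print("load value suspicious:", suspicious_load_value(r'"C:\WINDOWS\rundl132.exe"'))
```

Because the write-up says the virus skips the standard system and application folders when infecting, the "_desktop.ini" markers and ".exe.exe" copies are most likely to turn up in user data and share directories, which is where a scan like this should be pointed first; the dropped bodies and the "load" value are the places to look for persistence on the host itself.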

    Analysis by Shawn Wang

    Last update 19 October 2010