Home / malware Virus:Win32/Viking.LO
First posted on 19 October 2010.
Source: SecurityHomeAliases :
Virus:Win32/Viking.LO is also known as Win32/Viking.CM (AhnLab), Worm.Win32.Viking.mi (Authentium (Command)), Worm/Delf.3.AL (AVG), Win32/Looked.BA (CA), Win32.HLLW.Gavir.32 (Dr.Web), Win32/Viking.AW (ESET), Worm.Win32.Viking.mi (Kaspersky), W32/HLLP.Phillis.ba (McAfee), W32/Viking.Q (Norman), W32/Viking.AR (Panda), Mal/Lookdll-A (Sophos), Win32.Looked.P (Sunbelt Software), W32.Looked.AO (Symantec), PE_LOOKED.GB (Trend Micro).
Explanation :
Virus:Win32/Viking.LO is a file infecting virus that attempts to download arbitrary files from a remote server.
Top
Virus:Win32/Viking.LO is a file infecting virus that attempts to download arbitrary files from a remote server. InstallationWhen run, Virus:Win32/Viking.LO creates the following files:%windir%\rundl132.exe - virus body, detected as Virus:Win32/Viking.LO %windir%\logo1_.exe - virus body, detected as Virus:Win32/Viking.LO %windir%\dll.dll - downloader component (see Payload section below for additional detail) <current folder>\<infected file name>.exe - host file %TEMP%\$$a<random letter>.bat - batch script that loads the host file and deletes the infected file Virus:Win32/Viking.LO modifies the registry to run the virus at each Windows start. In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\WindowsSets value: "load"
With data: "%windir%\rundl132.exe" The virus creates additional registry data. In subkey: HKLM\SOFTWARE\Soft\DownloadWWWSets value: "auto"
With data: "1" Spreads via€¦ File infectionVirus:Win32/Viking.LO attempts to infect files with .EXE file extension in all fixed drives while excluding files within folders have following names:Outlook Express Windows Media Player Internet Explorer Program Files Windows NT WindowsUpdate ComPlus Applications NetMeeting Common Files Messenger Microsoft Office InstallShield Installation Information MSN Microsoft Frontpage Movie Maker Recycled MSN Gaming Zone system system32 windows winnt Documents and Settings System Volume Information When an infected file is run, the virus drops a copy of the host file in the current directory using its original filename but with an additional '.exe' extension. For example, if an infected 'calc.exe' was executed, it would drop a copy of the host to 'calc.exe.exe'. It then deletes the infected file, renames the host to its original filename (with only one '.exe' extension) and executes the host. The virus accomplishes these tasks using the batch file created in the Temporary files folder. Virus:Win32/Viking.LO drops a file named "_desktop.ini" with file attributes 'hidden' and 'system' in folders where files were infected as a marker. Payload Terminates certain processes and servicesVirus:Win32/Viking.LO attempts to close the application window with the following properties: Title: RavMon.exe
Class: RavMonClass The virus also attempts to terminate the following processes:EGHOST.EXE MAILMON.EXE KAVPFW.EXE IPARMOR.EXE Ravmond.exe regsvc.exe RavMon.exe mcshield.exe Virus:Win32/Viking.LO attempts to stop the service "Kingsoft AntiVirus Services". In addition, the virus attempts to hide alert dialogs from Kaspersky Antivirus. Downloads arbitrary filesVirus:Win32/Viking.LO drops its downloading component as "%windir%\dll.dll" which may be detected as Virus:Win32/Viking.IT. The virus injects the code into the Windows process "Explorer.exe" to load it. The downloading component tries to download additional files from a remote server. One observed server is "www2.ii55.net". At the time of this writing, the server was unavailable.
Analysis by Shawn WangLast update 19 October 2010
