
Virus:Win32/Viking.gen!B


First posted on 15 December 2009.
Source: SecurityHome

Aliases:

Virus:Win32/Viking.gen!B is also known as Worm.Win32.Fujack.cq (Kaspersky), W32/DLoader.MEON (Norman), W32/Fujacks-BC (Sophos), Win32/Fujacks (ESET), Win32/Emerleox.GI (CA), W32/Fujacks.aw (McAfee).

Explanation:

Virus:Win32/Viking.gen!B is a generic detection for files that are infected with the Win32/Viking virus. The virus spreads by infecting executable files and by copying itself to network shares and removable drives. It also kills security-related software and downloads additional malware.

Installation
When a file infected by Virus:Win32/Viking.gen!B is executed, it drops and launches the virus's code. One observed example copied its code to <system folder>\drivers\txp1atform.exe. Virus:Win32/Viking.gen!B then drops and launches the original copy of the infected host file in the current folder. Virus:Win32/Viking.gen!B also drops and launches a batch file which it uses to overwrite itself with the original, uninfected host file.

Spreads via…

File infection
Virus:Win32/Viking.gen!B searches for executable files (with file extensions .EXE, .SCR, .PIF, .COM) to infect on drives C:\ to Z:\. It infects targeted files by appending its code to that of the host. It also drops a non-malicious file named "Desktop_1.ini" into each folder it has searched, which it uses as an infection marker. Virus:Win32/Viking.gen!B also searches for files with file extensions .htm, .html, .asp, .php, .jsp and .aspx and inserts an invisible IFrame into these files which refers to a malicious site. In the wild, we observed this method being used to direct users to www.xinxinbaidu.com.cn.

Network shares
Virus:Win32/Viking.gen!B enumerates network shares and tries to brute force the password using a simple dictionary attack. It uses the following list of passwords for this purpose:

  • 000000
  • 1111
  • 11111111
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1313
  • 2112
  • 5150
  • 5201314
  • 54321
  • 654321
  • 6969
  • 7777
  • admin
  • basebal
  • fish
  • golf
  • harley
  • letmein
  • mustang
  • password
  • qq520
  • qwerty
  • shadow
  • …

If it is successful, it copies itself to the network share using a variable filename. In the wild we observed one variant of Virus:Win32/Viking.gen!B copying itself with the file name "Cool_GameSetup.exe" in this way.

Removable drives
Virus:Win32/Viking.gen!B copies itself and drops a file named autorun.inf to the root folder of each accessible drive. When the drive is accessed from a machine supporting the Autorun feature, the virus is launched automatically. Both files are hidden, and we observed one variant of Virus:Win32/Viking.gen!B copying itself with the file name "íííííí.exe".

Virus:Win32/Viking.gen!B periodically modifies the following registry entries to run itself at system start. It also ensures that hidden files can't be seen and are executed when the drive is accessed by Windows Explorer.

Adds value: "Explorer"
With data: "<copied virus body file>", e.g. "<system folder>\drivers\txp1atform.exe"
To key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Sets value: "CheckedValue"
With data: 0
To key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

Sets value: "NoDriveTypeAutoRun"
With data: 0x80
To key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
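The file-system side of the spreading behaviour described above (the "Desktop_1.ini" infection marker in searched folders, the autorun.inf dropped at a drive root, and the invisible IFrame injected into web files) can be swept for with a small scanner. The following Python script is an added example written for this page, not code from the original write-up or from Microsoft; it assumes an "invisible" IFrame means one with zero width/height or display:none (the write-up does not say which attributes the virus uses), and it builds its own throwaway sample tree with empty stand-in files so it can be run offline.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the write-up above.
MARKER_FILE = "desktop_1.ini"          # dropped into every folder the virus has searched
AUTORUN_FILE = "autorun.inf"           # dropped at the root of each accessible drive
WEB_EXTS = {".htm", ".html", ".asp", ".php", ".jsp", ".aspx"}
OBSERVED_DOMAIN = "www.xinxinbaidu.com.cn"

# Assumption: the write-up only says the injected IFrame is "invisible"; this
# heuristic treats a zero width/height or a display:none IFrame as invisible.
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*?(?:\b(?:width|height)\s*=\s*[\"']?0(?:px)?[\"']?(?=[\s/>])"
    r"|display\s*:\s*none)[^>]*>",
    re.IGNORECASE,
)


def scan_tree(root):
    """Walk `root` (a drive root or share mount point) and return a list of
    (indicator, path) tuples for the artifacts described in the write-up."""
    root = Path(root)
    findings = []
    autorun = root / AUTORUN_FILE
    if autorun.is_file():
        findings.append(("autorun_inf_at_root", str(autorun)))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() == MARKER_FILE:
                findings.append(("infection_marker", str(path)))
                continue
            if path.suffix.lower() not in WEB_EXTS:
                continue
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            for match in HIDDEN_IFRAME_RE.finditer(text):
                tag = match.group(0)
                kind = ("hidden_iframe_observed_domain"
                        if OBSERVED_DOMAIN in tag.lower() else "hidden_iframe")
                findings.append((kind, str(path)))
    return findings


def build_sample_tree():
    """Create a throwaway directory with constructed look-alike artifacts
    (empty stand-ins, not malware) so the scanner can be exercised offline."""
    root = Path(tempfile.mkdtemp(prefix="viking_demo_"))
    (root / AUTORUN_FILE).write_text("[autorun]\nopen=sample.exe\n")
    docs = root / "docs"
    docs.mkdir()
    (docs / "Desktop_1.ini").write_text("")
    (docs / "index.html").write_text(
        "<html><body>site"
        f'<iframe src="http://{OBSERVED_DOMAIN}/x.htm" width="0" height="0"></iframe>'
        "</body></html>\n")
    (docs / "page.php").write_text(
        '<iframe src="http://example.invalid/" style="display:none"></iframe>\n')
    # A normally sized ad IFrame must not be flagged.
    (docs / "clean.html").write_text(
        '<iframe src="/ad" width="300" height="250"></iframe>\n')
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        for kind, where in scan_tree(sample):
            print(f"{kind:32} {where}")
    finally:
        shutil.rmtree(sample, ignore_errors=True)
```

Point scan_tree at a mounted share or a removable drive to triage it; a marker file in many folders combined with an autorun.inf at the root is a much stronger signal than either alone, and the observed domain in a hidden IFrame ties a finding to this family rather than to generic web defacement.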

Payload
Modifies system security
Virus:Win32/Viking.gen!B drops and loads a device driver component which it uses to disable security software's real-time protection. In the wild we observed one variant dropping this driver to "C:\z1.tmp". This file was detected as VirTool:WinNT/Rootkitdrv.GO.

Contacts remote host
Virus:Win32/Viking.gen!B periodically launches a new instance of Internet Explorer in the background in order to access certain web pages. In the wild we observed Virus:Win32/Viking.gen!B contacting the following domains in this manner:

  • www.xinxinbaidu.com.cn
  • www.daohang08.com

Terminates security services/Modifies security settings
Virus:Win32/Viking.gen!B periodically terminates and deletes the following services, and also deletes the following registry entries. These services and registry entries may be associated with various security applications.

Services:

  • AVP
  • FireSvc
  • KPfwSvc
  • McAfeeFramework
  • McShield
  • McTaskManager
  • MskService
  • NPFMntor
  • RsCCenter
  • RsRavMon
  • SNDSrvc
  • SPBBCSvc
  • Schedule
  • Symantec Core LC
  • ccEvtMgr
  • ccProxy
  • kavsvc
  • navapsvc
  • sharedaccess
  • wscsvc

Registry entries:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVP
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE

Virus:Win32/Viking.gen!B periodically terminates the following processes, which may be related to security applications:

  • safeboxTray.exe
  • 360Safe.exe
  • 360safebox.exe
  • 360tray.exe

Downloads and executes arbitrary files
Virus:Win32/Viking.gen!B gets URLs from a remote server and downloads additional malware from the specified URL. In the wild we observed this malware contacting the googlesyndication.doctorout.com domain for this purpose, although at the time of publishing the provided URL was no longer available.
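The three registry changes listed under Installation (the "Explorer" autostart value, SHOWALL\CheckedValue set to 0, and NoDriveTypeAutoRun set to 0x80) are the entries an incident responder most wants to check on a suspect machine, and they can be checked offline from a regedit-style .reg export. The script below is an added example for this page, not part of the original write-up; it parses a constructed .reg export (sample data, not a real infection) and flags those indicators. The parser handles only the string and dword value types that these entries use, and the Run-value rule treats a value named "Explorer" as suspicious on its own and as high-confidence when its data ends in \drivers\txp1atform.exe, the path observed in the write-up.

```python
import re
from pathlib import Path

# Constructed sample in regedit .reg format reproducing the entries the
# write-up attributes to the virus, plus one benign Run value for contrast.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="C:\\WINDOWS\\system32\\drivers\\txp1atform.exe"
"OneDrive"="C:\\Users\\demo\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000080
"""

HIVE_ABBREV = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

# Keys from the write-up, normalised to the short hive names and lower case.
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
SHOWALL_KEY = (r"hklm\software\microsoft\windows\currentversion"
               r"\explorer\advanced\folder\hidden\showall")
POLICY_KEY = r"hkcu\software\microsoft\windows\currentversion\policies\explorer"


def load_reg_file(path):
    """Read a .reg file; regedit and 'reg export' write UTF-16LE with a BOM,
    hand-written files are usually plain ASCII/UTF-8."""
    raw = Path(path).read_bytes()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def parse_reg_export(text):
    """Parse .reg text into {(key, value_name): data}. dword data becomes an
    int, string data is unescaped; other types are kept as raw text."""
    entries = {}
    key = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            key = (HIVE_ABBREV.get(hive.upper(), hive) + "\\" + rest).lower()
            continue
        match = VALUE_RE.match(line)
        if not match or key is None:
            continue
        data = match.group("data")
        if data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        entries[(key, match.group("name").lower())] = data
    return entries


def triage(entries):
    """Return (severity, message) findings for the write-up's registry indicators."""
    findings = []
    run_value = entries.get((RUN_KEY, "explorer"))
    if isinstance(run_value, str):
        if run_value.lower().endswith(r"\drivers\txp1atform.exe"):
            findings.append(("high", f"Run\\Explorer points at the observed dropper path: {run_value}"))
        else:
            findings.append(("medium", f"Run\\Explorer autostart value present: {run_value}"))
    if entries.get((SHOWALL_KEY, "checkedvalue")) == 0:
        findings.append(("medium", "SHOWALL\\CheckedValue is 0: 'Show hidden files' is forced off"))
    autorun = entries.get((POLICY_KEY, "nodrivetypeautorun"))
    if isinstance(autorun, int) and autorun & 0x04 == 0:
        # Bit 0x04 of NoDriveTypeAutoRun disables Autorun for removable drives;
        # 0x80 leaves it clear, so a dropped autorun.inf still runs. 0xFF disables all.
        findings.append(("medium", f"NoDriveTypeAutoRun=0x{autorun:02X} leaves removable-drive Autorun enabled"))
    return findings


if __name__ == "__main__":
    import sys
    text = load_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for severity, message in triage(parse_reg_export(text)):
        print(f"[{severity}] {message}")
```

On a live machine the input would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the two other keys) and be passed as the first argument; the value comparisons are case-insensitive because the registry itself is.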

    Analysis by Shawn Wang

    Last update 15 December 2009