Home / malwarePDF  

Win32.Worm.Viking.BU


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Worm.Viking.BU is also known as Viking, Looked.

Explanation :

Win32.Worm.Viking.BU is a worm that infects executable files in both local drives and network shares.

When executed, the worm copies itself in the following locations:

%windows%uninstall
undl132.exe
%windows%Logo1_.exe

It also drops the following files:
%windows%RichDll.dll - detected as Win32.Worm.Viking.GL
%root-drive%\_desktop.ini - which contains the date of system infection in the yyyy/mm/dd format

The worm creates the following registry entry as an infection marker:
HKLMSOFTWARESoftDownloadWWW"auto" = "1"

and also the following autorun value to ensure it is executed at every system start:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun"load" = "%windows%uninstall
undl132.exe"

The worm is a file infector that searches for executable files (with ".exe" extension) in all local drives and prepends its code to the target files, except files found in folders with the following names:
Internet ExplorerComPlus ApplicationsNetMeetingCommon FilesMessengerMovie MakerMSN Gaming Zonesystemsystem32winntwindowsRecycledDocuments and SettingsSystem Volume Information_desktop.iniWindows NTProgram FilesWindowsUpdateWindows Media PlayerOutlook ExpressMicrosoft OfficeInstallShield Installation InformationMSNMicrosoft Frontpage
In most folders, it will try to infect files containing the following strings:
setupinstallEXCELWINWORDmsnmsgrNATEONeditplusWinrarThunderThunderShellflashgetTTPlayerrealplayfoxmailUedit32ACDSee4ACDSee5ACDSee6GameClientAgzNewPatcherMHAutoPatchSilkroadBNUpdatejxonlineFSOnlineAutoUpdateRagnaroklauncherautoupdateDatangLineageIIArchlordwooolpatchupdateNSStarterlineage
It also tries to accesses network shared folders using administrator or guest user name and a blank password and searches for executable files to infect.

The worm also tries to terminate processes which contain the following names:
RavMonRavMonClassEGHOSTMAILMONKAVPFWIPARMORRavmondregsvcmcshield
It tries to stop the following service:
Kingsoft AntiVirus Service

It also tries to close windows related to the following processes:
RavMon.exeavp.exe
The worm injects its ".dll" component (RichDll.dll) into either iexplorer.exe or explorer.exe process.

Last update 21 November 2011

 

TOP