Virus: W32/Viking.BD.Upk
Date discovered: 26/07/2007
Type: File infector
In the wild: Yes
Reported infections: Medium to high
Distribution potential: Medium
Damage potential: Low to medium
Static file: No
File size: 34,158 bytes
IVDF version: 6.39.00.189 - Thursday, July 26, 2007

General methods of propagation:
   • Infects files
   • Local network


Aliases:
   •  Symantec: W32.Looked.P
   •  Mcafee: W32/HLLP.Philis.bd
   •  Kaspersky: Worm.Win32.Viking.bd
   •  Sophos: W32/Looked-AM
   •  VirusBuster: Win32.HLLP.Viking.Gen.2
   •  Eset: Win32/Viking.BN
   •  Bitdefender: Win32.Worm.Viking.NCJ

Similar detection:
   •  W32/Viking.BD


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops a malicious file
   • Infects files
   • Lowers security settings
   • Registry modification

Files:
It copies itself to the following locations:
   • %WINDIR%\rundl132.exe
   • %WINDIR%\Logo1_.exe



It deletes the initially executed copy of itself.



The following files are created:

– A file that is for temporary use and might be deleted afterwards:
   • %TEMPDIR%\$$a5.tmp

– %all directories%\_desktop.ini
   This is a non-malicious text file with the following content:
   • %current date%

– %TEMPDIR%\$$a5.bat
   Furthermore, it gets executed after it was fully created. This batch file is used to delete a file.

– %WINDIR%\Dll.dl
   Further investigation pointed out that this file is malware, too. Detected as: TR/ATRAPS.Gen

– %executed file%
   Furthermore, it gets executed after it was fully created. This is the original version of the file before infection.



It tries to download some files (four from the first location, one from the second):

– The locations are the following:
   • www.hffw35133.comhfyxw/**********
   • 222.77.178.218/xz/**********

Registry:
The following registry value is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   • "load"="%WINDIR%\rundl132.exe"



The following registry key is added:

– [HKLM\Software\Soft\DownloadWWW\]
   • "auto"="1"

File infection:

Infector type:
Prepender - The virus code is added at the beginning of the infected file.

Stealth:
No stealth techniques used. It modifies the OEP (Original Entry Point) of the infected file to point to the virus code.

Method:
This memory-resident infector remains active in memory.

Infection length:
Approximately 34,000 bytes


The following files are infected:

By file type:
   • *.exe

Files in any of the following directories:
   • %all directories%
   • %network shares%
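The prepender layout described in this section (virus body first, the host executable after it, a body of roughly 34,000 bytes) means the original program can be located by scanning for a second, self-consistent PE header. The following is an added example, not Avira's code or the malware's: it assumes the host image is stored unmodified after the prepended body, and the "infected" sample is constructed inside the block, not a real specimen.

```python
"""Recover the host executable from a prepender-infected file (added example)."""
import struct
from typing import Optional


def _pe_header_at(data: bytes, off: int) -> bool:
    """True if a self-consistent PE header (MZ + e_lfanew -> 'PE\\0\\0') starts at off."""
    if off + 0x40 > len(data) or data[off:off + 2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    if not 0x40 <= e_lfanew < 0x1000:          # reject implausible e_lfanew values
        return False
    pe_off = off + e_lfanew
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def find_prepended_host(data: bytes) -> Optional[int]:
    """Offset of the embedded host PE, or None if no second PE header is found."""
    # Offset 0 is the infector's own header; every later 'MZ' is a candidate
    # and must point at a valid PE signature to be accepted.
    pos = data.find(b"MZ", 1)
    while pos != -1:
        if _pe_header_at(data, pos):
            return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def extract_host(data: bytes) -> Optional[bytes]:
    """The original host image (everything after the prepended body), or None."""
    off = find_prepended_host(data)
    return None if off is None else data[off:]


def _fake_pe(body: bytes, e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal PE-shaped image for testing: MZ, e_lfanew, 'PE\\0\\0', body."""
    hdr = bytearray(e_lfanew)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr) + b"PE\x00\x00" + body


if __name__ == "__main__":
    host = _fake_pe(b"original program code")
    stub = _fake_pe(b"\x90" * 200)             # constructed stand-in for the prepended body
    infected = stub + host
    off = find_prepended_host(infected)
    print(f"host found at offset {off}, equals stub size: {off == len(stub)}")
    print("recovered host intact:", extract_host(infected) == host)
```

On a real sample the recovered offset should sit close to the infection length given above; a host that the infector had compressed or encrypted would not be found this way.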

Process termination:
The following service is disabled:
   • Kingsoft AntiVirus Service

File details:
Programming language:
The malware program was written in Delphi.

The description was created by Daniel Constantin on Thursday, 11 February 2010
The description was modified by Andrei Ivanes on Thursday, 11 February 2010
