Virus: Worm/Viking.E.2
Date discovered: 14/07/2006
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 30.105 Bytes
MD5 checksum: f20C659f39f265927872ce524ba227fd
VDF version: 6.35.00.97
IVDF version: 6.35.00.121 - Wednesday, July 5, 2006
General
Method of propagation:
• Local network
Aliases:
• Symantec: W32.Looked.P
• TrendMicro: PE_LOOKED.AE-O
• VirusBuster: Worm.Viking.R
• Bitdefender: Win32.Worm.Viking.E
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Downloads malicious files
• Drops files
• Registry modification

Files
It copies itself to the following location:
• %WINDIR%\rundl132.exe

It appends a section to existing executable files (file infection):
– To: %drive%\%randomly chosen directory%\*.exe
With the following contents:
• %malware dll% - Worm/Viking.N
– To: %network shares%\%randomly chosen directory%\*.exe
With the following contents:
• %malware dll% - Worm/Viking.N

The following files are created:
– %drive%\%randomly chosen directory%\_desktop.ini
This is a non-malicious text file with the following content:
• %current date%
– %network shares%\%randomly chosen directory%\_desktop.ini
This is a non-malicious text file with the following content:
• %current date%
– %malware execution directory%\vDll.dll
This file is executed once it has been fully written. Further investigation showed that this file is malware, too. Detected as: Worm/Viking.N

It tries to download some files:
– The location is the following:
• http://www.wowchian.com/sysdl/**********
It is saved on the local hard drive under: C:\1.txt
– The location is the following:
• http://www.wowchian.com/sysdl/**********
It is saved on the local hard drive under: %WINDIR%\0Sy.exe
This file is executed once it has been fully downloaded. Further investigation showed that this file is malware, too. Detected as: TR/PSW.Lineage.EM.5
– The location is the following:
• http://www.wowchian.com/sysdl/**********
It is saved on the local hard drive under: %WINDIR%\1Sy.exe
This file is executed once it has been fully downloaded.
– The location is the following:
• http://www.wowchian.com/sysdl/**********
It is saved on the local hard drive under: %WINDIR%\2Sy.exe
This file is executed once it has been fully downloaded. Further investigation showed that this file is malware, too. Detected as: TR/PSW.Lmir.12.A.3
– The location is the following:
• http://www.wowchian.com/sysdl/**********
It is saved on the local hard drive under: %WINDIR%\3Sy.exe
This file is executed once it has been fully downloaded. Further investigation showed that this file is malware, too. Detected as: TR/PSW.Lineage.VD

Registry
The following registry key is added:
– [HKLM\SOFTWARE\Soft\DownloadWWW]
• "auto"="1"
The following registry value is changed:
– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
Old value:
• "load"=""
New value:
• "load"="%WINDIR%\rundl132.exe"

Injection
– It injects the following file into a process: %malware execution directory%\vDll.dll
Process name:
• explorer.exe

File details
Runtime packer: To hinder detection and reduce the file size, it is packed with a runtime packer.
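The following is an added example, not part of the Avira description: a small offline hunting script in Python that checks a directory tree and a registry snapshot for the artifacts listed above (the rundl132.exe copy, the vDll.dll and *Sy.exe drops, the date-only _desktop.ini markers, the DownloadWWW "auto" value and the "load" autorun value). The snapshot is a plain dict keyed by registry path, the exact date format written into _desktop.ini is unknown, and the sample tree is constructed in a temporary directory; all three are assumptions made here.

```python
"""
Offline indicator check for the Worm/Viking.E.2 artifacts described above.

Added example, not code from the Avira description. It walks a directory
tree and inspects a registry snapshot given as a plain dict (assumption: the
snapshot was exported separately; there is no live registry access here).
"""
import os
import re
import tempfile

# File names taken from the description above (compared case-insensitively).
DROPPED_FILES = {"rundl132.exe", "vdll.dll", "0sy.exe", "1sy.exe", "2sy.exe", "3sy.exe"}
LOAD_KEY = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"
DOWNLOADWWW_KEY = r"HKLM\SOFTWARE\Soft\DownloadWWW"
# Assumption: the infection marker _desktop.ini holds nothing but a numeric
# date, so a file whose whole content is a date-like token is suspicious.
DATE_ONLY = re.compile(r"^\s*\d{1,4}[-/.]\d{1,2}[-/.]\d{1,4}\s*$")


def scan_tree(root):
    """Return (kind, path) findings for dropped files and infection markers."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            low = name.lower()
            if low in DROPPED_FILES:
                findings.append(("dropped_file", path))
            elif low == "_desktop.ini":
                try:
                    with open(path, "r", errors="replace") as fh:
                        content = fh.read(64)
                except OSError:
                    continue
                # A legitimate _desktop.ini starts with a [section] header,
                # so it will not match the date-only pattern.
                if DATE_ONLY.match(content):
                    findings.append(("infection_marker", path))
    return findings


def scan_registry(snapshot):
    """Return (kind, detail) findings for the two registry artifacts."""
    findings = []
    load = snapshot.get(LOAD_KEY, {}).get("load", "")
    if "rundl132.exe" in load.lower():
        findings.append(("autorun_load_value", load))
    if snapshot.get(DOWNLOADWWW_KEY, {}).get("auto") == "1":
        findings.append(("downloadwww_auto", DOWNLOADWWW_KEY))
    return findings


def build_sample_tree():
    """Constructed sample: one infected share directory, one clean one."""
    root = tempfile.mkdtemp(prefix="viking_demo_")
    infected = os.path.join(root, "share", "Tools")
    clean = os.path.join(root, "share", "Docs")
    os.makedirs(infected)
    os.makedirs(clean)
    with open(os.path.join(infected, "_desktop.ini"), "w") as fh:
        fh.write("2006-07-14\n")  # constructed marker content
    with open(os.path.join(clean, "_desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\nIconFile=icon.ico\n")  # benign shell file
    with open(os.path.join(root, "rundl132.exe"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not the worm
    return root


# Constructed registry snapshot mirroring the values in the description.
SAMPLE_REGISTRY = {
    LOAD_KEY: {"load": r"C:\WINDOWS\rundl132.exe"},
    DOWNLOADWWW_KEY: {"auto": "1"},
}


def demo():
    """Run both scanners over the constructed sample and return all findings."""
    root = build_sample_tree()
    return scan_tree(root) + scan_registry(SAMPLE_REGISTRY)


if __name__ == "__main__":
    for kind, where in demo():
        print(kind, where)
```

The clean _desktop.ini is deliberately included so the marker check shows it keys on content, not on the file name alone; real shell _desktop.ini files are common on shares and must not raise a finding.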
Description inserted by Monica Ghitun on Friday, July 14, 2006 Description updated by Monica Ghitun on Thursday, August 3, 2006