Virus:W32/Viking.ND
Date discovered:29/07/2009
Type:File infector
In the wild:Yes
Reported Infections:Medium to high
Distribution Potential:Medium
Damage Potential:Medium
Static file:No
File size:~24,000 bytes
IVDF version:7.01.05.43 - Wednesday, July 29, 2009

 General Methods of propagation:
   • Infects files
   • Local network


Aliases:
   •  Symantec: W32.Fujacks.CB
   •  Mcafee: W32/Fujacks.ay
   •  Kaspersky: Virus.Win32.Kate.a
   •  Sophos: W32/Newt-A
   •  Eset: Win32/Agent.DP
   •  Bitdefender: Win32.Viking.AL


Platforms / OS:
   • Windows NT
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Infects files
   • Registry modification

Files:
It copies itself to the following locations:
   • %SYSDIR%\6to4.dll
   • %SYSDIR%\dllcache\6to4.dll
   • %SYSDIR%\dllcache\systembox.bak



The following files are created:
   • %TEMPDIR%\TempDel.bat
     Executed as soon as it has been written. This batch file is used to delete a file.
   • %TEMPDIR%\tem81.exe
     Executed as soon as it has been written. Further analysis showed that this file is malware as well. Detected as: TR/Dldr.Viking.NA
   • %SYSDIR%\drivers\WmiSvc.sys
     Loaded as soon as it has been written. Further analysis showed that this file is malware as well. Detected as: TR/Rootkit.Gen

Registry:
The following registry keys are added so that the services are loaded again after a reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\6to4]
   • "Type"=dword:00000020
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000001
   • "ImagePath"=%SYSDIR%\6to4.dll
   • "DisplayName"="6to4"
   • "ObjectName"="LocalSystem"

– [HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
   • "ServiceDll"=%SYSDIR%\6to4.dll

– [HKLM\SYSTEM\CurrentControlSet\Services\6to4\Security]
   • "Security"=%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\6to4\Enum]
   • "0"="Root\\LEGACY_6TO4\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Services\WmiSvc]
   • "Type"=dword:00000001
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000001
   • "ImagePath"=%SYSDIR%\drivers\WmiSvc.sys
   • "DisplayName"="WmiSvc"

– [HKLM\SYSTEM\CurrentControlSet\Services\WmiSvc\Security]
   • "Security"=%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\WmiSvc\Enum]
   • "0"="Root\\LEGACY_WMISVC\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001
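The entries above are ordinary service registrations: Type 0x20 is a shared-process service (the kind svchost.exe hosts through Parameters\ServiceDll), Type 0x1 is a kernel driver, and Start 2 is automatic start. The following Python script is an added example, not Avira's code and not part of the original description: it parses a .reg export, decodes Type and Start, flags any service whose ImagePath or ServiceDll names one of the files listed in this description, and flags a shared-process service whose ImagePath is not svchost.exe. The export text is constructed to mirror the keys above, with %SYSDIR% assumed to be C:\WINDOWS\system32 and a benign Dhcp entry added as a control; it is not a capture from an infected machine.

```python
"""Decode Services entries from a .reg export (added example, not Avira's code).

SAMPLE_REG is constructed to mirror the keys listed in this description, with
%SYSDIR% assumed to be C:\\WINDOWS\\system32 and a Dhcp entry added as a
benign control; it is not a capture from an infected machine.
"""

# Service Type and Start values as Windows defines them.
SERVICE_TYPE = {0x1: "kernel driver", 0x2: "file system driver",
                0x10: "own process", 0x20: "shared process (svchost)"}
START_TYPE = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# File names from this description, compared case-insensitively.
IOC_BASENAMES = {"6to4.dll", "wmisvc.sys", "systembox.bak"}
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"="C:\\WINDOWS\\system32\\6to4.dll"
"DisplayName"="6to4"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\6to4.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiSvc]
"Type"=dword:00000001
"Start"=dword:00000002
"ImagePath"="C:\\WINDOWS\\system32\\drivers\\WmiSvc.sys"
"DisplayName"="WmiSvc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\dhcpcsvc.dll"
'''


def parse_reg(text):
    """Map each key path to {value name: value}. Handles the three syntaxes
    used above: "string" (doubled backslashes unescaped), dword:, and
    anything else such as hex: (kept as raw text)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                keys[current][name] = raw[1:-1].replace("\\\\", "\\")
            else:
                keys[current][name] = raw
    return keys


def describe_services(keys):
    """One record per service key: decoded Type/Start, paths, and findings."""
    report = {}
    for path, values in keys.items():
        if not path.startswith(SERVICES_PREFIX):
            continue
        name = path[len(SERVICES_PREFIX):]
        if "\\" in name:
            continue  # subkeys such as \Parameters are read via their parent
        image = values.get("ImagePath", "")
        dll = keys.get(path + "\\Parameters", {}).get("ServiceDll", "")
        stype = values.get("Type", 0)
        findings = []
        for label, p in (("ImagePath", image), ("ServiceDll", dll)):
            # basename of the path, ignoring svchost-style "-k group" arguments
            if p.split("\\")[-1].split(" ")[0].lower() in IOC_BASENAMES:
                findings.append("%s matches indicator: %s" % (label, p))
        if stype & 0x20 and "svchost.exe" not in image.lower():
            # a shared-process service normally has ImagePath = svchost.exe -k <group>
            findings.append("shared-process service not hosted by svchost.exe")
        report[name] = {"type": SERVICE_TYPE.get(stype, hex(stype)),
                        "start": START_TYPE.get(values.get("Start"), "unknown"),
                        "image_path": image, "service_dll": dll,
                        "findings": findings}
    return report


def scan(text=SAMPLE_REG):
    return describe_services(parse_reg(text))


if __name__ == "__main__":
    for svc, info in scan().items():
        print(svc, info["type"], info["start"], info["findings"])
```

On a live system the same text comes from `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`. The Dhcp control shows that a ServiceDll value on its own is not suspicious, only the path it names and the mismatch between a shared-process Type and an ImagePath that is not svchost.exe.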

File infection:

Infector type:

Appender - the main virus code is appended at the end of the infected file, in a new PE section that the virus adds to the section table.


Stealth:
No stealth techniques are used. The virus modifies the entry point of the infected file so that it points to the virus code instead of the original entry point (OEP).
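The two traits just described (a new section appended to the section table and the entry point redirected into it) can be checked from the PE headers alone. The following Python script is an added example, not Avira's code and not part of the original description: it parses the section table of a PE32 file and reports whether the entry point falls in the last section, whether that section is both writable and executable, and whether its raw data runs past the end of the file; it separately reports UPX-style section names, which relate to the runtime packer noted under File details. The three sample images are constructed in memory with a small builder; they are not real binaries.

```python
"""PE32 appender heuristics (added example, not Avira's code).

Checks the two layout traits described above: a section appended at the end of
the section table and the entry point redirected into it. Sample images are
constructed in memory below; they are not real binaries.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return (AddressOfEntryPoint, list of section dicts) from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "va": f[2], "raw_size": f[3],
                         "raw_ptr": f[4], "chars": f[9]})
    return entry, sections


def appender_indicators(data):
    """Findings that match the layout of an appending file infector."""
    entry, sections = parse_pe(data)
    findings = []
    ep_idx = next((i for i, s in enumerate(sections)
                   if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"])), None)
    if ep_idx is None:
        findings.append("entry point is outside every section")
    elif ep_idx == len(sections) - 1 and len(sections) > 1:
        findings.append("entry point lies in the last section '%s'" % sections[ep_idx]["name"])
    last = sections[-1]
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("last section '%s' is writable and executable" % last["name"])
    if last["raw_ptr"] + last["raw_size"] > len(data):
        findings.append("last section claims data beyond the end of the file")
    return findings


def packer_hint(data):
    """UPX leaves UPX0/UPX1 section names; packed files also trip the
    entry-point heuristic above, so the two are reported separately."""
    return [s["name"] for s in parse_pe(data)[1] if s["name"].upper().startswith("UPX")]


def _align(x, a):
    return (x + a - 1) // a * a


def build_pe(sections, entry):
    """Construct a minimal PE32 image (headers plus raw section data) for
    testing. sections: list of (name, payload bytes, characteristics)."""
    n = len(sections)
    opt_size, file_align, sect_align = 0xE0, 0x200, 0x1000
    hdr_size = _align(0x40 + 4 + 20 + opt_size + 40 * n, file_align)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 16, entry)  # AddressOfEntryPoint
    table, body, raw_ptr, va = b"", b"", hdr_size, sect_align
    for name, payload, chars in sections:
        raw_size = _align(len(payload), file_align)
        table += struct.pack(SECTION_FMT, name.encode(), len(payload), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += _align(len(payload), sect_align)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(hdr_size, b"\0") + body


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed samples: a clean two-section layout; the same layout with a third
# RWX section appended and the entry point moved into it; and a UPX-style layout.
CLEAN = build_pe([(".text", b"\xC3" * 64, CODE), (".data", b"A" * 32, DATA)], 0x1000)
INFECTED = build_pe([(".text", b"\xC3" * 64, CODE), (".data", b"A" * 32, DATA),
                     (".vir", b"\x90" * 512, CODE | IMAGE_SCN_MEM_WRITE)], 0x3000)
PACKED = build_pe([("UPX0", b"\0" * 16, DATA), ("UPX1", b"\x90" * 64, CODE)], 0x2000)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED), ("packed", PACKED)):
        print(label, appender_indicators(img), packer_hint(img))
```

Packed files also place the entry point in a late section, which is why the packer hint is reported separately and why these findings are a triage signal to be confirmed by unpacking and inspecting the code at the entry point, not a verdict on their own.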


Method:

This infector is memory-resident, i.e. it remains active in memory.


Infection length:

Approximately 24,000 bytes


The following files are infected:

By file type:
   • *.exe

Files in any of the following directories:
   • %all directories%

Miscellaneous:

Internet connection:
To check whether an internet connection is available, the following host is contacted:
   • www.dy2004.com

File details:

Programming language:
The malware was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • UPX V2.00-V2.90

Description inserted by Daniel Constantin on Wednesday, February 10, 2010
Description updated by Daniel Constantin on Wednesday, February 10, 2010
